Audit failures from explorer.exe


Jan Bares

Hi,

I audit failures on files from "Program Files" because I run as a member of the
"Users" group and I want to identify programs trying to write there, because
they are badly written. But my Event log is full of 560 Failure events that
are generated by explorer.exe as I browse through the folders.
Is there any way I can remove explorer.exe from being audited? Or any
other solution (besides using File Manager as mentioned in Q172509)?

I know the reason why Explorer does this. When explorer checks for rights
for a folder, this results in a call to NtCreateFile. This call fails and
creates the audit log. There is a function that can return rights on folder,
but that function is slow, so Explorer uses this dirty way.

Thanks, Jan
 
Thanks Steven,

Does Event Comb support filtering out (not showing) events from a specific
process ID? So I can filter out 560 events created by Explorer?
The problem is that the events don't contain the name of the executable, only
the process ID, so any filtering after Explorer was restarted will not help.

Jan
 
The best way to see if Event Comb suits your needs is to try it out as it is
free. You can specify specific events to search for and then enter a text
string to search for within those events. --- Steve
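
An added example (not part of the thread, and not Event Comb functionality): since a 560 event carries only a process ID, the code below resolves each ID to an executable by replaying process-creation (592) and process-exit (593) events from the same Security log, so Explorer's failures are dropped even after it restarts under a new ID. It assumes process tracking auditing is enabled and that the events were exported oldest-first into the simplified record layout shown; the records, field names and function name are constructed for illustration.

```python
import ntpath

# Constructed sample records, oldest first (not taken from a real log).
# 592 = process created, 593 = process exited, 560 = object open.
SAMPLE_EVENTS = [
    {"id": 560, "pid": 412, "failure": True, "object": r"C:\Program Files\Old\old.cfg"},
    {"id": 592, "pid": 1200, "image": r"C:\WINDOWS\explorer.exe"},
    {"id": 560, "pid": 1200, "failure": True, "object": r"C:\Program Files\App"},
    {"id": 592, "pid": 1544, "image": r"C:\Program Files\App\app.exe"},
    {"id": 560, "pid": 1544, "failure": True, "object": r"C:\Program Files\App\settings.ini"},
    {"id": 593, "pid": 1200},                                  # Explorer exits
    {"id": 592, "pid": 1788, "image": r"C:\WINDOWS\explorer.exe"},  # restarted, new PID
    {"id": 560, "pid": 1788, "failure": True, "object": r"C:\Program Files"},
    {"id": 592, "pid": 1200, "image": r"C:\Tools\legacy.exe"},  # old PID reused
    {"id": 560, "pid": 1200, "failure": True, "object": r"C:\Program Files\Legacy\data.log"},
]


def non_explorer_failures(events, ignored_image="explorer.exe"):
    """Return (image, object) for each 560 failure not caused by ignored_image."""
    running = {}  # PID -> image path, valid as of the event being processed
    hits = []
    for ev in events:
        if ev["id"] == 592:
            running[ev["pid"]] = ev["image"]      # also overwrites a reused PID
        elif ev["id"] == 593:
            running.pop(ev["pid"], None)
        elif ev["id"] == 560 and ev.get("failure"):
            # None means the process started before the exported log begins;
            # keep such events rather than silently dropping them.
            image = running.get(ev["pid"])
            if image and ntpath.basename(image).lower() == ignored_image:
                continue
            hits.append((image, ev["object"]))
    return hits


if __name__ == "__main__":
    for image, obj in non_explorer_failures(SAMPLE_EVENTS):
        print(f"{image or 'unknown process'} -> {obj}")
```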
 