I ran into an issue while working with File System Auditing where an event ID was being logged repeatedly on my Server 2008 R2 machine. Since I needed to analyze every event manually, I got stuck with a huge number of 4656 events for the object PlugPlayManager, so I decided to analyze the reason these events were being generated.
See the event in this picture
Possible Solution: 1
Event 4656 is logged when Success or Failure auditing is enabled for the Handle Manipulation subcategory, for example with the command-line tool Auditpol.
Subcategory: Handle Manipulation
You will get the following three event IDs if Handle Manipulation auditing is enabled:
4656 A handle to an object was requested.
4658 The handle to an object was closed.
4690 An attempt was made to duplicate a handle to an object.
If you would like to get rid of these Object Access 4656 events, run the following command:
Auditpol /set /subcategory:"Handle Manipulation" /Success:disable
Possible Solution: 2
You can also check the Advanced Audit Policy Configuration in Local Security Policy.
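Before disabling the subcategory, it helps to confirm its current setting and see which objects and processes account for the 4656 volume. The following PowerShell is an added example, not part of the original post; it assumes an elevated session on the audited server, and the 5000-event sample size is an arbitrary choice.

```powershell
# Added example: run in an elevated PowerShell session on the audited server.

# 1. Show the current Success/Failure setting for the subcategory.
auditpol /get /subcategory:"Handle Manipulation"

# 2. Pull a recent sample of 4656 events from the Security log.
#    The sample size (5000) is an assumption made for this example.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } `
                       -MaxEvents 5000 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No 4656 events found in the Security log.'
}
else {
    # 3. Flatten the named EventData fields of each event into one object.
    $rows = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        New-Object PSObject -Property @{
            Result      = ($e.KeywordsDisplayNames -join ',')  # Audit Success / Audit Failure
            ObjectType  = $data['ObjectType']
            ObjectName  = $data['ObjectName']                  # e.g. PlugPlayManager
            ProcessName = $data['ProcessName']
            User        = $data['SubjectUserName']
        }
    }

    # 4. Rank the noisiest object/process/result combinations.
    $rows |
        Group-Object ObjectName, ProcessName, Result |
        Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name |
        Format-Table -AutoSize
}
```

If one object and process dominate the ranking, that tells you whether turning off Success auditing alone will remove the noise or whether the events are Audit Failure entries that the command above leaves enabled.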
Thanks,
Morgan
Software Developer
Isn't there a possible solution where you resolve whatever problem is causing those errors in the first place?