Flooded with Event ID 4663

AndrewD84 41 Reputation points
2020-09-30T21:50:13.287+00:00

On a server 2016 and 2019 machine, I'm getting flooded with Event ID 4663 logs when the following group policy is enabled: Computer Config -> Windows Settings -> Security Settings -> Advanced Audit Policy Config -> Object Access -> Audit File System.

The logs I want to stop are being created by various EXEs (CMD.exe, Conhost.exe, etc.) in the Windows folder being accessed by the AV installed on the computer. I will post an example of the log below.

My question is, why are these logs being generated when I do not have auditing enabled for the c:\windows folder? If I look at properties -> security tab -> advanced -> auditing for c:\windows, it's blank, not configured. If I choose disable inheritance in audit settings for the Windows folder, it does not stop the logs.

If I disable the policy for Audit File System, or if I disable AV software on the computer, these logs stop. But neither of these are an acceptable solution.

Is it that the Windows folder is automatically audited? What am I missing here? I'm getting flooded with about 50 audit logs a minute for a folder I have not enabled auditing on.

Example:

An attempt was made to access an object.

Subject:
Security ID: SYSTEM
Account Name: MERCURY$
Account Domain: GSI
Logon ID: 0x3E7

Object:
Object Server: Security
Object Type: File
Object Name: C:\Windows\System32\wbem\WmiPrvSE.exe
Handle ID: 0x1f8c
Resource Attributes: S:AI

Process Information:
Process ID: 0xa2c
Process Name: C:\Program Files\Bitdefender\Endpoint Security\epsecurityservice.exe

Access Request Information:
Accesses: WriteAttributes

Access Mask: 0x100

Thanks.


Accepted answer
  1. Vicky Wang 2,646 Reputation points
    2020-10-01T08:57:23.97+00:00

    Hi,

    Did you want to audit a file or folder?

    If yes, you could use the Auditing of Advanced Security Settings in file or folder properties.

    For detailed information, please refer to the article below.

    Apply or Modify Auditing Policy Settings for a Local File or Folder

    https://technet.microsoft.com/en-us/library/cc771070(v=ws.11).aspx

    In addition, Event ID 4663 is generated when you enable the audit policy Audit Removable Storage.

    Here is an article below about enabling Audit Removable Storage for your reference.

    Monitor the Use of Removable Storage Devices

    https://technet.microsoft.com/en-us/library/jj574128(v=ws.11).aspx

    Best Regards,
    Vicky


1 additional answer

  1. AndrewD84 41 Reputation points
    2020-10-01T17:07:40.793+00:00

    The simplest explanation is usually the correct one.

    I was looking at auditing at the directory level, not the file level. Auditing was enabled on some individual EXE files, but not set up at the directory level.

    Thanks.

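The poster's resolution was that the SACL lived on individual EXE files rather than on the folder, which the folder's Auditing tab will never show. The following is an added example, not code from the thread, for enumerating per-file audit entries under a directory and then removing the explicit (non-inherited) ones from a file once they have been reviewed; it assumes an elevated Windows PowerShell 5.1 session (reading or writing a SACL needs SeSecurityPrivilege), and `$Root` and `$Filter` are illustrative defaults.

```powershell
# Added example (not from the original thread). Lists every audit (SACL) entry found
# on files under $Root, so entries set directly on a file show up even when the
# parent folder has no auditing configured. Assumes elevated Windows PowerShell 5.1.
function Get-FileAuditEntry {
    param(
        [string]$Root   = 'C:\Windows\System32',   # illustrative default
        [string]$Filter = '*.exe'                  # illustrative default
    )
    Get-ChildItem -Path $Root -Filter $Filter -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = $_.FullName
            # -Audit asks for the SACL; without it Get-Acl returns only the DACL.
            $acl = Get-Acl -Path $path -Audit -ErrorAction SilentlyContinue
            if ($null -eq $acl) { return }
            foreach ($rule in $acl.Audit) {
                [pscustomobject]@{
                    Path       = $path
                    Principal  = $rule.IdentityReference.Value
                    Rights     = $rule.FileSystemRights   # e.g. WriteAttributes, as in the 4663 above
                    AuditFlags = $rule.AuditFlags         # Success, Failure, or both
                    Inherited  = $rule.IsInherited        # False = set directly on this file
                }
            }
        }
}

# Removes the explicit (non-inherited) audit entries from one file after review.
# Uses the .NET SetAccessControl call so that only the modified SACL section is
# written back, and supports -WhatIf so the change can be previewed first.
function Remove-ExplicitFileAuditEntry {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -Path $Path -Audit
    $explicit = @($acl.Audit | Where-Object { -not $_.IsInherited })
    if ($explicit.Count -eq 0) { return }
    foreach ($rule in $explicit) {
        if ($PSCmdlet.ShouldProcess($Path, "Remove audit entry for $($rule.IdentityReference)")) {
            [void]$acl.RemoveAuditRule($rule)
        }
    }
    if ($PSCmdlet.ShouldProcess($Path, 'Write updated SACL')) {
        (Get-Item -LiteralPath $Path).SetAccessControl($acl)
    }
}

# Usage: show only entries set directly on a file, i.e. the ones a folder-level view misses.
Get-FileAuditEntry | Where-Object { -not $_.Inherited } | Format-Table -AutoSize
```

Run `Remove-ExplicitFileAuditEntry -Path <file> -WhatIf` first to see which entries would be dropped before committing the change.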