Microsoft
Software
Hardware
Network
Question : Deleted File? user or system?
I am trying to find out what happened to a directory that has dissappeared from our network. When I checked the security log I see these events. To me it appears that this user viewed the directory and then deleted it and then moved on to another directory. The only thing that puzzles me is that it all happened within a second. Here are the logs events in question.
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:15 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\Accounting\Job Cost\2010\Report.rpt
New Handle ID: 2672
Operation ID: {2,1928869786}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: dsmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses READ_CONTROL
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges -
--------------------------
----------
----------
----------
----------
----------
----------
----------
----------
----------
------
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:41 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\work
New Handle ID: 2380
Operation ID: {2,1928870967}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: dsmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses DELETE
SYNCHRONIZE
ReadAttributes
Privileges -
--------------------------
----------
----------
----------
----------
----------
----------
----------
----------
---------
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:41 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\work
New Handle ID: 2380
Operation ID: {2,1928870980}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: DSmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses DELETE
SYNCHRONIZE
Privileges -
--------------------------
----------
----------
----------
----------
----------
----------
----------
----------
----------
----
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:41 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\Common
New Handle ID: 2147492020
Operation ID: {2,1928870981}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: dsmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses SYNCHRONIZE
AppendData (or AddSubdirectory or CreatePipeInstance)
Privileges SeBackupPrivilege
SeRestorePrivilege
Answer : Deleted File? user or system?
The company providing the co-location is your hosting ISP. Ask them if they do anything to prevent IP address spoofing [of your assigned addresses].
Random Solutions
Converting latitude and longitude to cartesian coordinates on a conic map
Router Sessions
Changing Domain Controllers + DNS - How to get new clients to accept new DNS server
Couple of Apple questions
Network Range of IPs and what is available.
Cable Type/Pinout for RJ45 to RJ45 T1/E1 between two routers
Remove header from array created using Get-QADComputer cmdlet?
100% CPU usage in vCenter but not in taskmanager on the Windows NT 4.0 VM that has been converted
anyone familur ith using the swing classes HTMLEditorKit StyleSheet and reading a external CSS
Related Combobox Data Population
