Microsoft
Software
Hardware
Network
Question : Deleted File? user or system?
I am trying to find out what happened to a directory that has dissappeared from our network. When I checked the security log I see these events. To me it appears that this user viewed the directory and then deleted it and then moved on to another directory. The only thing that puzzles me is that it all happened within a second. Here are the logs events in question.
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:15 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\Accounting\Job Cost\2010\Report.rpt
New Handle ID: 2672
Operation ID: {2,1928869786}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: dsmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses READ_CONTROL
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges -
--------------------------
----------
----------
----------
----------
----------
----------
----------
----------
----------
------
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:41 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\work
New Handle ID: 2380
Operation ID: {2,1928870967}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: dsmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses DELETE
SYNCHRONIZE
ReadAttributes
Privileges -
--------------------------
----------
----------
----------
----------
----------
----------
----------
----------
---------
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:41 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\work
New Handle ID: 2380
Operation ID: {2,1928870980}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: DSmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses DELETE
SYNCHRONIZE
Privileges -
--------------------------
----------
----------
----------
----------
----------
----------
----------
----------
----------
----
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 7/13/2010
Time: 4:46:41 PM
User: HOMER\dsmith
Computer: SERVER
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: F:\Data1\Department Folders\Common
New Handle ID: 2147492020
Operation ID: {2,1928870981}
Process ID: 8
Primary User Name: SERVER$
Primary Domain: HOMER
Primary Logon ID: (0x0,0x3E7)
Client User Name: dsmith
Client Domain: HOMER
Client Logon ID: (0x2,0x72F51B5B)
Accesses SYNCHRONIZE
AppendData (or AddSubdirectory or CreatePipeInstance)
Privileges SeBackupPrivilege
SeRestorePrivilege
Answer : Deleted File? user or system?
The company providing the co-location is your hosting ISP. Ask them if they do anything to prevent IP address spoofing [of your assigned addresses].
Random Solutions
How can Broadband access be split between 2 ISPs?
Manageing Multiple Time Zones in GoldMine CRM
admin rights to IIS for a User
Get the values of a cell in a selected row of a RadGrid on client Side
When closing Excel several computers are getting an error
port 443 closed
DOS Batch script to Copy/Delete Files with Date in File Name
AJAX, JQUERY, server date timestamp
Cisco ASA 5510 interface config
how can I read more then one cell an excel file in vb.net
