This article describes the following two Object Access auditing subcategory for success and/or failure events found under Security Settings\Advanced Audit Policy Configuration.
- Audit File System
- Audit Handle Manipulation
Audit File SystemThis security policy setting determines whether the operating system audits user attempts to access file system objects. Audit events are only generated for objects that have configured system access control lists (SACLs), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL.
Right click on the Audit File System and select Properties. Click on Explain tab. The text reads:
If you configure this policy setting, an audit event is generated each time an account accesses a file system object with a matching SACL. Success audits record successful attempts and Failure audits record unsuccessful attempts.
The above statement taken alone is not accurate.
To help explain, let's consider a scenario on what happens when a user double clicks a text file in Windows Explorer.
- Notepad.exe performs an OpenFile with desired access flags.
- If successful, the OpenFile returns a handle to the text file to Notepad.exe.
- Notepad.exe performs on that handle to read the contents of the text file and displays them to the user.
Audit Handle ManipulationThis security policy setting determines whether the operating system generates audit events when a handle to an object is opened or closed. Only objects with configured system access control lists (SACLs) generate these events, and only if the attempted handle operation matches the SACL.
Note: Events in this subcategory generate events only for object types where the corresponding Object Access subcategory is enabled. For example, if File system object access is enabled, handle manipulation security audit events are generated. If Registry object access is not enabled, handle manipulation security audit events will not be generated.