I found 141 PlugPlayManager Security Audit Failures logged within the same minute on one of our Server 2008 R2 servers (running only SQL 2008 R2). While Googling, all I could find was other people asking the same question and never receiving an answer. But then, they didn't ask their question at ServerFault....
What would cause so many EventID 4656 PlugPlayManager Security Audit Failures at one time?
Example
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4656</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-10-25T15:16:38.739237000Z" />
<EventRecordID>98756968</EventRecordID>
<Correlation />
<Execution ProcessID="544" ThreadID="552" />
<Channel>Security</Channel>
<Computer>MyComputer.example.com</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-##########-##########-#########-####</Data>
<Data Name="SubjectUserName">MyUser</Data>
<Data Name="SubjectDomainName">example.com</Data>
<Data Name="SubjectLogonId">0x#######</Data>
<Data Name="ObjectServer">PlugPlayManager</Data>
<Data Name="ObjectType">Security</Data>
<Data Name="ObjectName">PlugPlaySecurityObject</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%1553</Data>
<Data Name="AccessReason">-</Data>
<Data Name="AccessMask">0x2</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="RestrictedSidCount">0</Data>
<Data Name="ProcessId">0x28c</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
</EventData>
</Event>
If it helps any, process# 544 was lsass.exe and thread# 552 showed a start address of "ntdll.dll!RtUserThreadStart" in Process Explorer.
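To triage a burst like the one described in the question, the following added example (not part of the original post) parses exported Security events in the XML shape shown above and counts 4656 events per minute, grouped by ObjectServer, ObjectName, AccessMask and ProcessName. It assumes the export is wrapped in a single root element (here `<Events>`); the sample events, the `C:\Data\example.txt` and `C:\Example\app.exe` values and the threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SVCHOST = r"C:\Windows\System32\svchost.exe"

def _ev(eid, sec, server, obj, mask="0x2", proc=SVCHOST):
    """Build one constructed event carrying only the fields used below."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
        f'<TimeCreated SystemTime="2012-10-25T15:16:{sec}.000000000Z" /></System>'
        f'<EventData><Data Name="ObjectServer">{server}</Data>'
        f'<Data Name="ObjectName">{obj}</Data><Data Name="AccessMask">{mask}</Data>'
        f'<Data Name="ProcessName">{proc}</Data></EventData></Event>'
    )

# Constructed sample input: three PlugPlayManager failures in one minute,
# one unrelated 4656 and one event with a different ID.
SAMPLE = "<Events>" + "".join([
    _ev(4656, "38", "PlugPlayManager", "PlugPlaySecurityObject"),
    _ev(4656, "39", "PlugPlayManager", "PlugPlaySecurityObject"),
    _ev(4656, "41", "PlugPlayManager", "PlugPlaySecurityObject"),
    _ev(4656, "45", "Security", r"C:\Data\example.txt", "0x80", r"C:\Example\app.exe"),
    _ev(4663, "50", "Security", r"C:\Data\example.txt", "0x80", r"C:\Example\app.exe"),
]) + "</Events>"

def parse_events(xml_text, event_id="4656"):
    """Yield the EventData fields plus a minute bucket for each matching event."""
    for ev in ET.fromstring(xml_text).iter("{%s}Event" % NS["e"]):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != event_id:
            continue
        fields = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        # SystemTime is ISO 8601; the first 16 characters are YYYY-MM-DDTHH:MM.
        fields["Minute"] = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")[:16]
        yield fields

def find_bursts(xml_text, threshold=3):
    """Return {(minute, server, object, mask, process): count} for groups >= threshold."""
    counts = Counter(
        (f["Minute"], f.get("ObjectServer"), f.get("ObjectName"),
         f.get("AccessMask"), f.get("ProcessName"))
        for f in parse_events(xml_text)
    )
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for key, n in find_bursts(SAMPLE).items():
        print(n, *key, sep="\t")
```

Grouping on the object and process fields shows whether a burst is a single source requesting the same access repeatedly or many unrelated handle requests that happen to share an event ID.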
Currently, under Server 2012 R2, 4656 events are generated even if the Handle Manipulation category is disabled. In our case, we have enabled the Audit File System category, which was only generating 4660-4663 events on previous Server versions (2008-2008R2-2012), but on Server 2012 R2 this initiates an overwhelming flow of 4656 events. The issue has been reported to Microsoft; however, there is no resolution yet.
You can refer to this blog: http://morgantechspace.blogspot.in/2013/08/event-id-4656-repeated-security-event.html
Possible Solution:
Event 4656 should occur if the Success or Failure audit was enabled for Handle Manipulation using the command-line tool Auditpol.
Subcategory: Handle Manipulation
You will get the following three Event IDs if Handle Manipulation is enabled
If you would like to get rid of these Object Access 4656 events, then you need to run the following command: