ITsVISTA KB-Link: KB940526

November 8th, 2007 · Leave a Comment · 238 views
Tags: Audit, Delete, Event, inSP1

Audit event ID 560 incorrectly displays the name of a deleted file in an 8.3 file name format if you delete the file at a command prompt in Windows Server 2003, in Windows XP, or in Windows Vista

Consider the following scenario:

You configure the system to audit object access in Windows Server 2003, in Windows XP, or in Windows Vista.
At a command prompt, you delete a file that has a long file name.

In this scenario, the Object Name field in audit event ID 560 incorrectly displays the name of the deleted file in an 8.3 file name format.

For example, audit event ID 560 may resemble the following:

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: Date
Time: Time
User: UserName
Computer: ComputerName
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: Drive:\Path\Sample~1.EXE
New Handle ID: 92
Operation ID: {0,16979818}
Process ID: 1960
Primary User Name: UserName
Primary Domain: DomanName
Primary Logon ID: (0x0,0x19116)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses DELETE
ReadAttributes
Privileges â€“

When you delete a file that has a long file name in Windows Explorer, the Object Name field in audit event ID 560 displays the complete file name as expected.

There is a download that resolves this issue. See Hotfixes for details.

32-bit Download: Windows6.0-KB940526-x86.msu

64-Bit Download: Windows6.0-KB940526-x64.msu

This issue is resolved in SP1.

For more information on this issue, including potential causes, workarounds, and resolutions, see: Microsoft KB Article KB940526.