Event Details
EventID 560 - Object Open [Win 2000]
Indicates that an attempt was made to access a Windows object (file, folder, registry key, printer or service). Success or failure is indicated in the message. If access was successful, the listed accesses were requested and granted. If access failed, the listed accesses were requested but not granted.

Note:
This message corresponds to a Security 567 message, which indicates that an object was accessed, and to a Security 562 message, which indicates that the handle of the object was successfully closed. Associated messages have the same Handle ID number.
EventID 560 tracks access only to Windows objects such as files, folders, registry keys, printers and services. If you need to track access to Active Directory objects such as users, groups, organizational units, group policy objects, domains, sites, etc., look for EventID 565 and 566 in the Directory Service Access category.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions: Windows XP, Windows 2003, Windows 2008

Related events:


Look for the following events with the same Handle ID:
 Sample:
        Event Type:	Success Audit
        Event Source:	Security
        Event Category:	Object Access
        Event ID:	560
        Date:		4/17/2009
        Time:		9:21:27 AM
        User:		NT AUTHORITY\SYSTEM
        Computer:	DCCC1
        Description:
        Object Open:
        Object Server:	Security Account Manager
        Object Type:	SAM_SERVER
        Object Name:	SAM
        New Handle ID:	856224
        Operation ID:	{0,532713543}
        Process ID:	280
        Primary User Name:	DCCC1$
        Primary Domain:	LOGISTICS
        Primary Logon ID:	(0x0,0x3E7)
        Client User Name:	DCCC1$
        Client Domain:	LOGISTICS
        Client Logon ID:	(0x0,0x3E7)
        Accesses:	DELETE 
		READ_CONTROL 
		WRITE_DAC 
		WRITE_OWNER 
		ConnectToServer 
		ShutdownServer 
		InitializeServer 
		CreateDomain 
		EnumerateDomains 
		LookupDomain        
        Privileges:	-
      
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
| Filtering Field | Equals to Value |
|---|---|
| OSVersion | Windows 2000 |
| Category | Object Access |
| Source | Security |
| EventId | 560 |
Field Matching
| Field | Description | Stored in | Sample Value |
|---|---|---|---|
| DateTime | Date/Time of event origination in GMT format. | DateTime | 10.10.2000 19:00:00 |
| Source | Name of an Application or System Service originating the event. | Source | Security |
| Type | Warning, Information, Error, Success, Failure, etc. | Type | Success |
| User | Domain\Account name of user/service/computer initiating event. | User | RESEARCH\Alebovsky |
| Computer | Name of server workstation where event was logged. | Computer | DC1 |
| EventID | Numerical ID of event. Unique within one Event Source. | EventId | 576 |
| Description | The entire unparsed event message. | Description | Special privileges assigned to new logon. |
| Log Name | The name of the event log (e.g. Application, Security, System, etc.) | LogName | Security |
| Category | A name for a subclass of events within the same Event Source. | Category | Logon/Logoff |
| Process ID | ID of the process (program) making the access request | InsertionString7 | 380 |
| Object Server | The name of the service handling the access request | InsertionString1 | Security Account Manager |
| Object Type | The type of object accessed (file, folder, registry key, printer, service) | InsertionString2 | SAM_SERVER |
| Object Name | Name of the object (e.g. for the file accessed - full system path) | InsertionString3 | SAM |
| New Handle ID | ID of the object handle granted to the process accessing it | InsertionString4 | 856224 |
| Operation ID | ID of the operation performed on the object | Expression | {0,532713543} |
| Primary User Name | For local access identifies the user accessing the object, for remote access identifies the server program used to open the object | InsertionString8 | DCCC1$ |
| Primary Domain | Domain of the Primary User Name | InsertionString9 | LOGISTICS |
| Primary Logon ID | ID of the logon session of the Primary User Name account | InsertionString10 | (0x0,0x3E7) |
| Client User Name | For local access this field is empty, for remote access identifies the user accessing the object. | InsertionString11 | DCCC1$ |
| Client Domain | Domain of the Client User Name | InsertionString12 | LOGISTICS |
| Client Logon ID | ID of the logon session of the Client User Name account | InsertionString13 | (0x0,0x3E7) |
| Accesses | Identifies the permissions requested by user/program to the object. | InsertionString14 | DELETE |
| Privileges | The list of privileges held by user during object access | InsertionString15 | - |
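
An added example, not part of the original page or of any vendor tooling: a Python parser for an EventID 560 description laid out as in the Sample above. It folds the multi-line Accesses value into a list, builds a key for matching the related 567 and 562 events, and flags accesses that delete the object or change its permissions or owner. The function names, the set of flagged accesses, and pairing Process ID with the Handle ID are assumptions made here.

```python
import re

# Description text copied from the Sample on this page (Accesses list shortened).
SAMPLE_560 = (
    "Object Open:\nObject Server:\tSecurity Account Manager\n"
    "Object Type:\tSAM_SERVER\nObject Name:\tSAM\nNew Handle ID:\t856224\n"
    "Operation ID:\t{0,532713543}\nProcess ID:\t280\n"
    "Primary User Name:\tDCCC1$\nPrimary Domain:\tLOGISTICS\n"
    "Primary Logon ID:\t(0x0,0x3E7)\nClient User Name:\tDCCC1$\n"
    "Client Domain:\tLOGISTICS\nClient Logon ID:\t(0x0,0x3E7)\n"
    "Accesses:\tDELETE \n\t\tREAD_CONTROL \n\t\tWRITE_DAC \n\t\tWRITE_OWNER \n"
    "\t\tConnectToServer \nPrivileges:\t-\n"
)

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.*)$")
# Standard access rights that delete the object or change its DACL or owner
# (which accesses to flag is a choice made for this example).
CONTROL_CHANGING = {"DELETE", "WRITE_DAC", "WRITE_OWNER"}

def parse_560(description):
    """Return {field: value}; 'Accesses' becomes a list, one entry per line."""
    fields, last = {}, None
    for line in description.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2).strip()
        elif last and line.strip():  # continuation of a multi-line value
            fields[last] += "\n" + line.strip()
    fields["Accesses"] = [a for a in fields.get("Accesses", "").split("\n") if a]
    return fields

def accessing_user(f):
    # The field table says Client User Name is empty for local access, so fall
    # back to the Primary fields. Treating "-" as empty is an assumption.
    who = "Client" if f.get("Client User Name", "") not in ("", "-") else "Primary"
    return f.get(who + " Domain", "") + "\\" + f.get(who + " User Name", "")

def summarize(description):
    f = parse_560(description)
    return {
        # Handle values are per process, so key on both (a choice made here).
        "handle_key": (f.get("Process ID"), f.get("New Handle ID")),
        "object": (f.get("Object Type"), f.get("Object Name")),
        "user": accessing_user(f),
        "flagged": sorted(CONTROL_CHANGING.intersection(f["Accesses"])),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_560))
```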