Event Details
EventID 560 - Object Open [Win XP]
Indicates that an attempt was made to access a Windows object (file, folder, registry key, printer or service). Success or failure is indicated in the message. If access was successful, the listed accesses were requested and granted. If access failed, the listed accesses were requested but not granted. 

Note: 
This message corresponds to a Security 567 message, which indicates that an object was accessed, and to a Security 562 message, which indicates that the handle of the object was successfully closed. Associated messages have the same Handle ID number.
EventID 560 tracks access only to Windows objects such as files, folders, registry keys, printers and services. If you need to track access to Active Directory objects such as users, groups, organizational units, group policy objects, domains, sites, etc., look for EventID 565 and 566 in the Directory Service Access category.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:


Windows 2000 Windows 2003 Windows 2008

Related events:


Look for the following events with the same Handle ID:
 Sample:
        Event Type:     Success Audit
        Event Source:   Security
        Event Category: Object Access
        Event ID:       560
        Date:           10/26/2009
        Time:           07:41:23
        User:           NT AUTHORITY\SYSTEM
        Computer:       DC1
        Description:
        Object Open:
        Object Server:	Security
        Object Type:	File
        Object Name:	C:\WINDOWS\Tasks\At1.job
        Handle ID:	2428
        Operation ID:	{0,6451050}
        Process ID:	880
        Image File Name:	C:\WINDOWS\system32\svchost.exe
        Primary User Name:	DC1$
        Primary Domain:	RESEARCH
        Primary Logon ID:	(0x0,0x3E7)
        Client User Name:	-
        Client Domain:	-
        Client Logon ID:	-
        Accesses:	%READ_CONTROL
        %SYNCHRONIZE
        %WriteData (or AddFile)
        %AppendData (or AddSubdirectory or CreatePipeInstance)
        %WriteEA
        %ReadAttributes
        %WriteAttributes

        Privileges:	-
        Restricted Sid Count:	0     
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
| Filtering Field | Equals to Value |
|---|---|
| OSVersion | Windows XP |
| Category | Object Access |
| Source | Security |
| EventId | 560 |
Field Matching
| Field | Description | Stored in | Sample Value |
|---|---|---|---|
| DateTime | Date/Time of event origination in GMT format. | DateTime | 10.10.2000 19:00:00 |
| Source | Name of an Application or System Service originating the event. | Source | Security |
| Type | Warning, Information, Error, Success, Failure, etc. | Type | Success |
| User | Domain\Account name of user/service/computer initiating event. | User | RESEARCH\Alebovsky |
| Computer | Name of server workstation where event was logged. | Computer | DC1 |
| EventID | Numerical ID of event. Unique within one Event Source. | EventId | 576 |
| Description | The entire unparsed event message. | Description | Special privileges assigned to new logon. |
| Log Name | The name of the event log (e.g. Application, Security, System, etc.) | LogName | Security |
| Category | A name for a subclass of events within the same Event Source. | Category | Logon/Logoff |
| Process ID | ID of the process (program) making the access request | InsertionString7 | 380 |
| Object Server | The name of the service handling the access request | InsertionString1 | Security |
| Object Type | The type of object accessed (file, folder, registry key, printer, service) | InsertionString2 | File |
| Object Name | Name of the object (e.g. for the file accessed - full system path) | InsertionString3 | C:\WINDOWS\Tasks\At1.job |
| Handle ID | ID of the object handle granted to the process accessing it | InsertionString4 | 2428 |
| Operation ID | ID of the operation performed on the object | Expression | {0,654658} |
| Image File Name | Full path and name of the program making the access request | InsertionString8 | C:\WINDOWS\system32\svchost.exe |
| Primary User Name | For local access identifies the user accessing the object, for remote access identifies the server program used to open the object | InsertionString9 | DC1$ |
| Primary Domain | Domain of the Primary User Name | InsertionString10 | RESEARCH |
| Primary Logon ID | ID of the logon session of the Primary User Name account | InsertionString11 | (0x0,0x3E7) |
| Client User Name | For local access this field is empty, for remote access identifies the user accessing the object. | InsertionString12 | - |
| Client Domain | Domain of the Client User Name | InsertionString13 | - |
| Client Logon ID | ID of the logon session of the Client User Name account | InsertionString14 | - |
| Accesses | Identifies the permissions requested by user/program to the object. | InsertionString15 | %READ_CONTROL |
| Privileges | The list of privileges held by user during object access | InsertionString16 | - |
| Restricted SID Count | The purpose of this field is unknown | InsertionString17 | |
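
Added example (not part of the original page): a parser for the Event 560 Description text that collects the multi-line Accesses list and picks the accessing account using the Primary/Client field semantics from the table above. The names parse_560, summarize and WRITE_ACCESSES are hypothetical, and the grouping of write-type accesses is an assumption made for this example.

```python
import re

# Description text of the page's sample event (whitespace normalized, some fields trimmed).
SAMPLE = r"""Object Open:
Object Type: File
Object Name: C:\WINDOWS\Tasks\At1.job
Handle ID: 2428
Image File Name: C:\WINDOWS\system32\svchost.exe
Primary User Name: DC1$
Client User Name: -
Accesses: %READ_CONTROL
%SYNCHRONIZE
%WriteData (or AddFile)
%AppendData (or AddSubdirectory or CreatePipeInstance)
%WriteEA
%ReadAttributes
%WriteAttributes

Privileges: -
"""

# Accesses from the sample that change content or metadata (grouping assumed for this example).
WRITE_ACCESSES = {"WriteData (or AddFile)", "WriteEA", "WriteAttributes",
                  "AppendData (or AddSubdirectory or CreatePipeInstance)"}
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")  # splits at the first colon only

def parse_560(description):
    """Map field name -> value; Accesses becomes a list because it spans lines."""
    event, in_accesses = {}, False
    for line in (raw.strip() for raw in description.splitlines()):
        m = FIELD.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            in_accesses = key == "Accesses"
            event[key] = ([value.lstrip("%")] if value else []) if in_accesses else value
        elif in_accesses and line:
            event["Accesses"].append(line.lstrip("%"))  # continuation line
        else:
            in_accesses = False  # a blank line ends the Accesses list
    return event

def summarize(event):
    """Handle ID is the key for matching the related 567/562 events."""
    remote = event["Client User Name"] != "-"  # '-' means local access
    return {"handle": event["Handle ID"], "object": event["Object Name"], "remote": remote,
            "actor": event["Client User Name" if remote else "Primary User Name"],
            "writes": sorted(WRITE_ACCESSES & set(event["Accesses"]))}
```
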