Event Details
EventID 5145 - A network share object was checked to see whether client can be granted desired access.
 Sample:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          6/17/2010 8:47:40 PM
Event ID:      5145
Task Category: Detailed File Share
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      KLSeven.kltest8.spb.qsft
Description:
A network share object was checked to see whether client can be granted desired access.
	
Subject:
	Security ID:		KLTEST8\administrator
	Account Name:		administrator
	Account Domain:		KLTEST8
	Logon ID:		0x261c88

Network Information:	
	Object Type:		File
	Source Address:		::1
	Source Port:		56032
	
Share Information:
	Share Name:		\\*\IPC$
	Share Path:		
	Relative Target Name:	lsarpc

Access Request Information:
	Access Mask:		0x12019f
	Accesses:		READ_CONTROL
				SYNCHRONIZE
				ReadData (or ListDirectory)
				WriteData (or AddFile)
				AppendData (or AddSubdirectory or CreatePipeInstance)
				ReadEA
				WriteEA
				ReadAttributes
				WriteAttributes
				
Access Check Results:
	-
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
| Filtering Field | Equals to Value |
|---|---|
| OSVersion | Windows Vista (2008); Windows 7 (2008 R2); Windows 8 (2012); Windows 8.1 (2012 R2); Windows 10 (2016) |
| Category | Object Access |
| Source | Microsoft-Windows-Security-Auditing |
| TaskCategory | Detailed File Share |
| EventId | 5145 |
Field Matching
| Field | Description | Stored in | Sample Value |
|---|---|---|---|
| When | At what date and time a user activity originated in the system. | DateTime | 10.10.2000 19:00:00 |
| Who | Account or user name under which the activity occurred. | Subject: Account Name | administrator |
| What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "File System Object Access" | File System Object Access |
| Where | The name of the workstation/server where the activity was logged. | Computer | DC1 |
| Where From | The name of the workstation/server where the activity was initiated from. | Network Information: Source Address | ::1 |
| Severity | Specify the seriousness of the event. | - | High |
| WhoDomain | | Subject: Account Domain | KLTEST8 |
| WhereDomain | | - | |
| Result | Successful or Failed | - | |
| Object Name | | Object Name | lsarpc |
| Object Type | | Object Type | File |
| Whom | | - | |