Event-o-Pedia EventID 5145 - A network share object was checked to see whether client can be granted desired access.

	Event Details
	Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Detailed File Share->EventID 5145 - A network share object was checked to see whether client can be granted desired access.

EventID 5145 - A network share object was checked to see whether client can be granted desired access.

High volume on a file server or domain controller because of SYSVOL network access required by Group Policy

Note:
If Audit Detailed File Share policy setting is configured, the following event is generated. The event appears on computers running Windows Server 2008 R2 or Windows 7.

Find more information about this event on ultimatewindowssecurity.com.

Sample:

A network share object was checked to see whether client can be granted desired access.
	
Subject:
	Security ID:		NT AUTHORITY\SYSTEM
	Account Name:		IIZHU6$
	Account Domain:		ITSS
	Logon ID:		0x3a4a7dff

Network Information:	
	Object Type:		File
	Source Address:		fe80::30da:ce49:ec87:9583
	Source Port:		59095
	
Share Information:
	Share Name:		\\*\SYSVOL
	Share Path:		\??\C:\Windows\SYSVOL\sysvol
	Relative Target Name:	ITSS.WM.ZHU.CN.QSFT\POLICIES\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit\audit.csv

Access Request Information:
	Access Mask:		0x120089
	Accesses:		READ_CONTROL

				SYNCHRONIZE

				ReadData (or ListDirectory)

				ReadEA

				ReadAttributes

				
Access Check Results:
	READ_CONTROL
:	Granted by Ownership

				SYNCHRONIZE
:	Granted by
	D:(A;;0x1200a9;;;WD)
				ReadData (or ListDirectory)
:	Granted by
	D:(A;;0x1200a9;;;WD)
				ReadEA
:	Granted by
	D:(A;;0x1200a9;;;WD)
				ReadAttributes
:	Granted by
	D:(A;;0x1200a9;;;WD)
===========================
Description template stored in adtschema.dll:
===========================
A network share object was checked to see whether client can be granted desired access.
	
Subject:
	Security ID:		%1
	Account Name:		%2
	Account Domain:		%3
	Logon ID:		%4

Network Information:	
	Object Type:		%5
	Source Address:		%6
	Source Port:		%7
	
Share Information:
	Share Name:		%8
	Share Path:		%9
	Relative Target Name:	%10

Access Request Information:
	Access Mask:		%11
	Accesses:		%12
Access Check Results:
	%13

Log Type:

Windows Event Log

Uniquely Identified By:

Log Name:

Security

Filtering Field	Equals to Value
OSVersion	Windows Vista (2008) Windows 7 (2008 R2) Windows 8 (2012) Windows 8.1 (2012 R2) Windows 10 (2016)
Category	Object Access
Source	Microsoft-Windows-Security-Auditing
TaskCategory	Detailed File Share
EventId	5145

Field Matching

Field	Description	Stored in	Sample Value
DateTime	Date/Time of event origination in GMT format.	DateTime	10.10.2000 19:00:00
Source	Name of an Application or System Service originating the event.	Source	Security
Type	Warning, Information, Error, Success, Failure, etc.	Type	Success
User	Domain\Account name of user/service/computer initiating event.	User	RESEARCH\Alebovsky
Computer	Name of server workstation where event was logged.	Computer	DC1
EventID	Numerical ID of event. Unique within one Event Source.	EventId	576
Description	The entire unparsed event message.	Description	Special privileges assigned to new logon.
Log Name	The name of the event log (e.g. Application, Security, System, etc.)	LogName	Security
Task Category	A name for a subclass of events within the same Event Source.	TaskCategory
Level	Warning, Information, Error, etc.	Level
Keywords	Audit Success, Audit Failure, Classic, Connection etc.	Keywords
Category	A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version.	Category	Account Logon
Object Name		InsertionString10
Whom		InsertionString10
Object Type		InsertionString5
Class Name		InsertionString5
Security ID		-
Account Name		-
Account Domain		-
Subject: Account Name		InsertionString2	IIZHU6$
Subject: Account Domain		InsertionString3	ITSS
Subject: Logon ID		InsertionString4	0x3a4a7dff
Network Information: Object Type		InsertionString5	File
Network Information: Source Address		InsertionString6	fe80::30da:ce49:ec87:9583
Network Information: Source Port		InsertionString7	59095
Share Information: Share Name		InsertionString8	\\*\SYSVOL
Share Information: Share Path		InsertionString9	\??\C:\Windows\SYSVOL\sysvol
Share Information: Relative Target Name		InsertionString10	ITSS.WM.ZHU.CN.QSFT\POLICIES\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit\audit.csv
Access Request Information: Access Mask		InsertionString11	0x120089
Access Request Information: Accesses		InsertionString12	READ_CONTROL
Subject: Security ID		InsertionString1	NT AUTHORITY\SYSTEM
Access Check Results		InsertionString13	READ_CONTROL