What does READ_CONTROL mean in the Security event log

log-files, logging, windows-event-log

I have been asked to create an audit record of file accesses. But the log is simply overwhelming. A single double-click of a text file opening in Notepad creates more than 10 log entries with Event ID 4663. I see a READ_CONTROL access many times. What is this and which access permission generates this?

I want to trim down the data collection and log only those that reflect an actual opening of a file to read or write.

This is on a Windows Server 2008.

Best Answer

An easier way to do this is to filter for Event IDs 4656 (Opening of a file) and 4658 (Closing of a file) along with 4663; this way you can see who opened/closed the file and the corresponding READ_CONTROL that gets logged along with those events when access permissions are actually used.

Here's a great reference: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4663

Let me know if that doesn't work for you or if I'm not addressing your concern and I can be more specific.
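An added example, not part of the original answer: READ_CONTROL (access mask 0x20000) is the standard right to read an object's security descriptor, so 4663 events carrying only that bit do not touch file contents. The sketch below keeps only 4663 events whose `AccessMask` includes ReadData, WriteData or AppendData; the sample events are constructed and trimmed to the fields used, and the input is assumed to be exported Security log XML wrapped in a root element.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# File access-mask bits. READ_CONTROL only reads the security descriptor.
READ_DATA, WRITE_DATA, APPEND_DATA = 0x1, 0x2, 0x4
READ_CONTROL = 0x20000
NAMES = {READ_DATA: "ReadData", WRITE_DATA: "WriteData", APPEND_DATA: "AppendData"}
CONTENT_BITS = READ_DATA | WRITE_DATA | APPEND_DATA

# Constructed sample (not real log data): one open of notes.txt that produces
# metadata-only 4663 noise plus a real read, and one write to report.txt.
_TPL = ('<Event xmlns="{ns}"><System><EventID>{id}</EventID></System><EventData>'
        '<Data Name="SubjectUserName">alice</Data><Data Name="ObjectName">{path}</Data>'
        '<Data Name="AccessMask">{mask}</Data></EventData></Event>')
_ROWS = [
    (4656, r"C:\Share\notes.txt", "0x120089"),  # handle requested
    (4663, r"C:\Share\notes.txt", "0x20000"),   # READ_CONTROL only
    (4663, r"C:\Share\notes.txt", "0x80"),      # ReadAttributes only
    (4663, r"C:\Share\notes.txt", "0x1"),       # ReadData
    (4663, r"C:\Share\report.txt", "0x2"),      # WriteData
    (4658, r"C:\Share\notes.txt", "0x0"),       # handle closed
]
SAMPLE = "<Events>" + "".join(
    _TPL.format(ns=NS["e"], id=i, path=p, mask=m) for i, p, m in _ROWS) + "</Events>"


def event_fields(event):
    """Return the EventData name/value pairs of one event as a dict."""
    return {d.get("Name"): (d.text or "")
            for d in event.iterfind("e:EventData/e:Data", NS)}


def content_accesses(xml_text):
    """List (user, path, rights) for 4663 events that read or write file data."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue
        f = event_fields(ev)
        mask = int(f["AccessMask"], 16)  # logged as a hex string, e.g. 0x20000
        if mask & CONTENT_BITS:          # drops READ_CONTROL / attribute-only events
            rights = [name for bit, name in NAMES.items() if mask & bit]
            hits.append((f["SubjectUserName"], f["ObjectName"], rights))
    return hits


if __name__ == "__main__":
    for user, path, rights in content_accesses(SAMPLE):
        print(user, path, ",".join(rights))
```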