An "event ID 516" audit record may be incorrectly logged when an access attempt to a named pipe occurs in Windows Server 2003 or in Windows XP (922769)
The information in this article applies to:
- Microsoft Windows Server 2003, 64-Bit Enterprise Edition
- Microsoft Windows Server 2003 R2 Enterprise x64 Edition
- Microsoft Windows Server 2003 R2 Standard x64 Edition
- Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Enterprise x64 Edition
- Microsoft Windows Server 2003, Standard x64 Edition
- Microsoft Windows XP Professional 64-Bit Edition (Itanium)
- Microsoft Windows XP Professional x64 Edition
SYMPTOMSThe following audit record may be incorrectly logged in the local Security log in Microsoft Windows Server 2003 or in Microsoft Windows XP: EventID 516
Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
Number of audit messages discarded: 1
This symptom may occur when the following conditions are true: - The "Audit object Access" policy is enabled.
- An access attempt to a named pipe occurs. This named pipe has a system access control list (SACL) in its security descriptor.
- Windows makes an access control determination for this access attempt.
Instead of event ID 516, you expect the following "object open" audit record (event ID 560) to be logged. Event ID 560 indicates success or failure. Whether a success or a failure is logged depends on the outcome of the access control determination. EventID 560
Object Open:
Object Server: Security
Object Type: NamedPipe
Object Name: \AuditTest
Handle ID: 1884
Operation ID: {0,223884}
Process ID: 1384
Image File Name: C:\NamedPipeAudit.exe
Primary User Name: Administrator
Primary Domain: W03SA
Primary Logon ID: (0x0,0x880B)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x12019F
RESOLUTIONHotfix informationPrerequisitesTo apply this hotfix, you must be running a version of one of the following operating systems: - Windows Server 2003 x64 with Service Pack 1 (SP1)
- Windows Server 2003 IA-64 with Service Pack 1 (SP1)
- Windows XP x64
- Windows XP IA-64
Restart requirementYou must restart your computer after you apply this hotfix. Hotfix replacement informationThis hotfix does not replace any other hotfixes. File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel. Windows Server 2003 and Windows XP IA-64 versions|
| Npfs.sys | 5.2.3790.2750 | 103,424 | 19-Jul-2006 | 13:32 | IA-64 |
Windows Server 2003 and Windows XP x64 versions|
| Npfs.sys | 5.2.3790.2750 | 56,832 | 19-Jul-2006 | 13:32 | x64 |
STATUSMicrosoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
| Modification Type: | Minor | Last Reviewed: | 8/8/2006 |
|---|
| Keywords: | kbWinServ2003preSP2fix kbBug kbfix kbQFE kbhotfixserver kbpubtypekc KB922769 kbAudITPRO |
|---|
|