DGHort
So I am having an issue finding out what is trying to do this. I have checked scheduled tasks, services, and applications that could possibly be doing this, but I don't know exactly what I am looking for. There is a pattern in that this event is triggered every minute on second 21. Any ideas of where I can figure this out? Thanks in advance.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 6/7/2019 08:06:21
Event ID: 4656
Task Category: Other Object Access Events
Level: Information
Keywords: Audit Failure
User: N/A
Computer: computername.company.domain
Description:
A handle to an object was requested.
Subject:
Security ID: SYSTEM
Account Name: COMPUTERNAME$
Account Domain: DOMAIN
Logon ID: 0x3E7
Object:
Object Server: SC Manager
Object Type: SERVICE OBJECT
Object Name: msiserver
Handle ID: 0x0
Resource Attributes: -
Process Information:
Process ID: 0x2ac
Process Name: C:\Windows\System32\services.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
Query service configuration information
Set service configuration information
Query status of service
Enumerate dependencies of service
Start the service
Stop the service
Pause or continue the service
Query information from service
Issue service-specific control commands
Access Reasons: -
Access Mask: 0xF01FF
Privileges Used for Access Check: -
Restricted SID Count: 0
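Added example, not part of the original post: a small Python decoder that turns the event's Access Mask into the service access rights it stands for and flags the ones that allow reconfiguring or deleting the service. The bit values are the documented Win32 service and standard access rights; the function names are hypothetical and the sample text is the relevant fields copied from the event above.

```python
import re

# Documented Win32 service access rights (winsvc.h) and standard rights (winnt.h).
SERVICE_RIGHTS = {
    0x00001: "SERVICE_QUERY_CONFIG",
    0x00002: "SERVICE_CHANGE_CONFIG",
    0x00004: "SERVICE_QUERY_STATUS",
    0x00008: "SERVICE_ENUMERATE_DEPENDENTS",
    0x00010: "SERVICE_START",
    0x00020: "SERVICE_STOP",
    0x00040: "SERVICE_PAUSE_CONTINUE",
    0x00080: "SERVICE_INTERROGATE",
    0x00100: "SERVICE_USER_DEFINED_CONTROL",
    0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
SERVICE_ALL_ACCESS = 0xF01FF
# Rights that let the holder reconfigure, re-ACL, take ownership of or remove the service.
WRITE_LIKE = {"SERVICE_CHANGE_CONFIG", "DELETE", "WRITE_DAC", "WRITE_OWNER"}

# Fields copied from the event in the post (only what the decoder reads).
SAMPLE_EVENT = """\
Keywords: Audit Failure
Object Name: msiserver
Access Mask: 0xF01FF
"""

def field(text, name):
    # Return the value of a "Name: value" line, or None if it is absent.
    m = re.search(rf"^{re.escape(name)}:\s*(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None

def decode_mask(mask):
    # Named rights set in the mask, plus any bits this table does not cover.
    names = [n for bit, n in sorted(SERVICE_RIGHTS.items()) if mask & bit]
    return names, mask & ~sum(SERVICE_RIGHTS)

def summarize(text):
    mask = int(field(text, "Access Mask"), 16)
    names, unknown = decode_mask(mask)
    return {
        "service": field(text, "Object Name"),
        "failed": field(text, "Keywords") == "Audit Failure",
        "all_access": mask == SERVICE_ALL_ACCESS,
        "write_like": sorted(WRITE_LIKE.intersection(names)),
        "unknown_bits": unknown,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_EVENT))
```

For this event the mask decodes to SERVICE_ALL_ACCESS, so the audited failure is a request for full control of msiserver rather than a status query.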