I am setting up file server auditing on a Server 2012 R2 system for the first time, and I had a question about reducing or eliminating the events produced by Windows folders that have auditing defined on them by default.
Current Setup
I enabled file server auditing by setting Audit File System to Success under Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Configuration | Object Access.
Behavior
After enabling file system auditing, I noticed that the Security log started to log these 3 events periodically:
Event ID: 4656
Security ID: SYSTEM
Description: A handle to an object was requested
Process Name: C:\Windows\CCM\CcmExec.exe
Object Name: C:\Windows\servicing
Frequency: 3 events every 10 minutes

Event ID: 4656
Security ID: SYSTEM
Description: A handle to an object was requested
Process Name: C:\Windows\System32\rundll32.exe
Object Name: C:\Windows\WinSxS\FileMaps\<several subfolders>
Frequency: This event and the event below produce about 650 events within about 1 second, roughly once a day.

Event ID: 4663
Security ID: SYSTEM
Description: An attempt was made to access an object
Process Name: C:\Windows\System32\rundll32.exe
Object Name: C:\Windows\WinSxS\FileMaps\<several subfolders>
Frequency: This event and the event above produce about 650 events within about 1 second, roughly once a day.
Upon checking the C:\Windows\servicing and C:\Windows\WinSxS\FileMaps folders, I see that they have Auditing enabled by default.
Questions
- Has anyone attempted to remove auditing from the Windows folders C:\Windows\servicing or C:\Windows\WinSxS\FileMaps?
- Is there a cleaner way to not log these default audit defined folders (the auditing I will be doing will be on a separate data volume on the server and not on the C drive)? Or is the general approach to allow the events to be logged and then use the filter option (or a log management tool) to ignore these entries?
Thanks!
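As an added example (not part of the original post), the following PowerShell first lists the default audit rules (SACL) on the two folders named in the question, then pulls recent 4656/4663 events from the Security log and separates the SYSTEM/Windows-folder noise from the events that actually concern the file server's data. The filtering is done in PowerShell rather than in an Event Viewer XPath filter because the event log's XPath subset has no string prefix matching; an elevated session is assumed, since reading a SACL requires the SeSecurityPrivilege.

```powershell
# Added example, not from the original post. Assumes an elevated session and
# the two default-audited folders named in the question.
$noisyFolders = 'C:\Windows\servicing', 'C:\Windows\WinSxS\FileMaps'

# 1. Show the existing audit rules (SACL) on each folder. Read-only: nothing is changed.
foreach ($folder in $noisyFolders) {
    $acl = Get-Acl -Path $folder -Audit
    "--- SACL on $folder ---"
    $acl.Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
        Format-Table -AutoSize
}

# 2. Pull recent 4656/4663 events and parse the EventData fields we need.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } `
    -MaxEvents 2000 -ErrorAction SilentlyContinue

$parsed = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Id          = $e.Id
        SubjectSid  = $data['SubjectUserSid']   # S-1-5-18 is the SYSTEM account
        ProcessName = $data['ProcessName']
        ObjectName  = $data['ObjectName']
    }
}

# 3. Noise = SYSTEM touching objects under the default-audited Windows folders.
$isNoise = {
    param($ev)
    $ev.SubjectSid -eq 'S-1-5-18' -and
    ($noisyFolders | Where-Object { $ev.ObjectName -like "$_*" })
}

$noise  = $parsed | Where-Object { & $isNoise $_ }
$signal = $parsed | Where-Object { -not (& $isNoise $_) }

"Noise events (SYSTEM on default-audited Windows folders): $($noise.Count)"
"Remaining events worth reviewing: $($signal.Count)"
$signal | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

The same SubjectSid/ObjectName test can be reused as the exclusion rule in a log management tool, leaving the SACLs that Windows ships on its own folders untouched.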