Wednesday, 20 November 2013

Event ID 4985 - The state of a transaction has changed

In this article, I am going to explain about the Event ID 4985, how to enable Event ID 4985 using Local Security Policy and Auditpol.exe, and how to disable or stop the Event 4985.

Summary:


Event ID 4985 Source:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          20/11/2013 11:11:01 AM
Event ID:      4985
Task Category: File System
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      myPC.myDomain.local
Description:
The state of a transaction has changed.

Subject:
 Security ID:  SYSTEM
 Account Name:  myPC$
 Account Domain:  myDomain
 Logon ID:  0x3e7

Transaction Information:
 RM Transaction ID: {32c25d18-4a8b-11e3-a6ca-00155d011a07}
 New State:  56
 Resource Manager: {fec2d846-237a-19e1-976f-ef16c05d3ca3}

Process Information:
 Process ID:  0x390
 Process Name:  C:\Windows\System32\svchost.exe

How to enable Event ID 4985 by Local Security Policy

1. Open the Local Security Policy by running the command secpol.msc.
2. Go to the node Audit Policy (Security Settings->Local Policy->Audit Policy).
3. In the right side pane, select the policy Audit object access and configure the Success setting.

4. On Windows 7/Windows Server 2008 R2 and later versions, you can also configure this through Advanced Audit Policy Configuration. Go to the node Object Access (Security Settings->Advanced Audit Policy Configuration->System Audit Policies->Object Access).

5. In the right side pane, select the policy Audit File System and configure the Success setting.



How to enable Event ID 4985 by Auditpol.exe

Auditpol.exe is the command line utility for changing audit security settings at the category and subcategory level. It is available by default on Windows Server 2008 R2 and later versions/Windows 7 and later versions.

By using Auditpol, we can get/set audit security settings at the user level and at the computer level.

Note: You should run the Auditpol command with elevated privileges (Run as Administrator).

You can enable Event ID 4985 through the File System subcategory by using the following command:
auditpol /set /subcategory:"File System" /success:enable
To update or refresh the GPO settings, run the command gpupdate /force

How to disable/stop Event 4985

You can disable or stop the audit Event ID 4985 by removing the success audit from the File System subcategory with the following command:
auditpol /set /subcategory:"File System" /success:disable
You can also stop this event by removing the Success setting from the Local Security Policy at the setting path Security Settings->Advanced Audit Policy Configuration->System Audit Policies->Object Access->Audit File System.
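As an added example (not part of the original post), the enable/disable steps above wrapped in PowerShell, plus a query that summarises which processes are producing Event ID 4985 so you can judge whether the Success setting on "File System" is worth the log volume before you turn it off. The EventData field names (ProcessName, NewState, TransactionId) are assumed from the event's XML, and the auditpol row parsing assumes an English-language Windows.

```powershell
# Added example: manage the "File System" audit subcategory and summarise 4985 events.
# Run from an elevated PowerShell session (auditpol requires it).

function Get-FileSystemAuditSetting {
    # auditpol /get prints a table; the "File System" row ends with the current
    # setting, e.g. "Success", "Failure", "Success and Failure" or "No Auditing".
    # Assumes English output; the row label differs on localised Windows.
    $line = auditpol /get /subcategory:"File System" | Where-Object { $_ -match '^\s+File System\s' }
    if (-not $line) { throw 'auditpol returned no "File System" row (not elevated?)' }
    return ($line -replace '^\s+File System\s+', '').Trim()
}

function Set-FileSystemSuccessAudit {
    param([Parameter(Mandatory)][ValidateSet('enable', 'disable')][string]$Mode)
    # Same command the post uses; success auditing of this subcategory is what emits 4985.
    auditpol /set /subcategory:"File System" /success:$Mode | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed with exit code $LASTEXITCODE" }
    return Get-FileSystemAuditSetting
}

function Get-Event4985Summary {
    param([int]$MaxEvents = 500)
    # Pull recent 4985 events from the Security log and count them per process.
    # Field names below are assumed from the event's EventData XML.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4985 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $rows = $events | ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ProcessName = ($data | Where-Object Name -eq 'ProcessName').'#text'
            NewState    = ($data | Where-Object Name -eq 'NewState').'#text'
            Transaction = ($data | Where-Object Name -eq 'TransactionId').'#text'
        }
    }
    return $rows | Group-Object ProcessName | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Usage: show the current setting, then which processes generate the most 4985 noise.
Get-FileSystemAuditSetting
Get-Event4985Summary -MaxEvents 200 | Format-Table -AutoSize
# To change the setting: Set-FileSystemSuccessAudit -Mode disable  (or -Mode enable)
```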
