Tuesday, 13 August 2013

Event ID 4656 - Repeated Security Event log - PlugPlayManager

   I ran into an issue while working with File System Auditing: the event ID is being logged repeatedly on my Server 2008 R2 machine. Since I needed to analyze every event manually, I was stuck with a huge number of 4656 events for the object PlugPlayManager, so I decided to analyze the reason these events are generated.

See the event in this picture:

[Screenshot: PlugPlayManager Event 4656 Object Access]

Possible Solution: 1
Event 4656 is logged when Success or Failure auditing is enabled for Handle Manipulation, which can be set with the command-line tool Auditpol.
Subcategory: Handle Manipulation
You will get the following three event IDs if Handle Manipulation is enabled:
4656 A handle to an object was requested.
4658 The handle to an object was closed.
4690 An attempt was made to duplicate a handle to an object.
To get rid of these Object Access 4656 events, run the following command:
Auditpol /set /subcategory:"Handle Manipulation" /Success:disable

Possible Solution: 2
    You can also check the Advanced Audit Policy Configuration in Local Security Policy.
1. Press Windows + R.
2. Type the command secpol.msc and click OK.
3. Go to the node Advanced Audit Policy Configuration -> Object Access.
4. Check the audit setting Audit Handle Manipulation. If it is configured as Success, revert it to Not Configured and apply the setting.

Possible Solution: 3
    If the setting is inherited by the Local Security Policy from another GPO, you need to edit the specific GPO in which the setting Audit Handle Manipulation is configured. You can find that GPO by running Resultant Set of Policy.
1. Press Windows + R.
2. Type the command rsop.msc and click OK.
3. Now you can see the result window. Go to the node Computer Configuration -> Windows Settings -> Local Policies -> Audit Policy.

4. Now you can see the Source GPO of the setting Audit Object Access, which is the root setting for Audit Handle Manipulation.
5. Then edit the Audit Handle Manipulation setting of the corresponding GPO by running the GPMC.msc command from the Run window or a command window.
Note: You need to run the command GPUpdate /force after every change to apply Group Policy to the system immediately.
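
Before and after changing the policy, it helps to confirm which objects and processes actually produce the 4656 volume and what the Handle Manipulation setting currently is. The script below is an added example, not part of the original post; it assumes an elevated PowerShell prompt, and the sample size $max is a constructed value.

```powershell
# Added example: summarize recent 4656 events by source, then show the
# audit setting discussed in the post. Written to run on PowerShell 2.0.
$max = 5000   # constructed sample size; adjust to your log volume

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } `
                       -MaxEvents $max -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output 'No 4656 events found in the Security log.'
}
else {
    $rows = foreach ($e in $events) {
        # Collect the named EventData fields of this event into a hashtable
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        New-Object PSObject -Property @{
            ObjectServer = $data['ObjectServer']
            ObjectType   = $data['ObjectType']
            ObjectName   = $data['ObjectName']
            ProcessName  = $data['ProcessName']
        }
    }

    # Top sources of 4656 events: look for PlugPlayManager in the Name column
    $rows | Group-Object ObjectServer, ObjectType, ObjectName, ProcessName |
        Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name |
        Format-Table -AutoSize
}

# Current effective setting for the subcategory named in the post
auditpol /get /subcategory:"Handle Manipulation"
```

Run it again after GPUpdate /force to check that the setting changed and that the count of new 4656 events drops.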


1 comment:

  1. Isn't there a possible solution where you resolve whatever problem is causing those errors in the first place?