567
Security
Object Access
Object Access Attempt:
Object Server: Security
Handle ID: 9780
Object Type: File
Process ID: 904
Image File Name: C:\WINDOWS\system32\svchost.exe
Accesses: WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
Access Mask: 0x6
This event is a so-called "operational" event that was introduced with Windows XP and Windows Server 2003.
Unlike the better-known 560 event, event 567 logs only the access that is actually being performed on an object.
In the event above, svchost.exe changes and/or appends data to a file which was opened under handle 9780.
While event 567 is an improvement over the 560 event, it has two major problems that make it less useful:
1. The event is only logged for files that are accessed locally. For example, if you access a file remotely through a file share, then event 567 will NOT be logged. I have confirmed this with Microsoft's support and there are no plans to fix this in Windows XP or Windows Server 2003.
2. In order to find out which object is being accessed, you will need to find the previously logged 560 event that shows the same Handle ID as the 567 event.
If operational events are important in your environment, then I recommend that you upgrade to Windows Server 2008, which logs operational events correctly and does not suffer from the previously mentioned problems. Vista and Windows Server 2008 log the same event with ID 4663.
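The lookup described in problem 2, as an added example that is not part of the original page: it resolves each 567 event to the object named in the most recent preceding 560 event and decodes the access mask. The sample records are constructed, the 560 field name "Object Name" is an assumption (no 560 event is shown here), and the example goes beyond the page by matching on Process ID as well as Handle ID, because handle values are per-process and get reused.

```python
# Added example: resolve event 567 to an object name via the preceding 560.
# Standard file access-right bits, as reported in the "Access Mask" field.
FILE_ACCESS_BITS = {
    0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData",
    0x8: "ReadEA", 0x10: "WriteEA", 0x20: "Execute",
    0x40: "DeleteChild", 0x80: "ReadAttributes", 0x100: "WriteAttributes",
}

# Constructed sample records, oldest first. "Object Name" is the assumed
# 560 field carrying the path; all paths and the second PID are made up.
SAMPLE_EVENTS = [
    {"id": 560, "Handle ID": "9780", "Process ID": "904",
     "Object Name": r"C:\Data\old.log"},
    {"id": 560, "Handle ID": "9780", "Process ID": "1212",
     "Object Name": r"C:\Data\other.txt"},      # same handle value, other process
    {"id": 560, "Handle ID": "9780", "Process ID": "904",
     "Object Name": r"C:\Data\report.txt"},     # handle value reused by PID 904
    {"id": 567, "Handle ID": "9780", "Process ID": "904", "Access Mask": "0x6"},
    {"id": 567, "Handle ID": "4400", "Process ID": "904", "Access Mask": "0x1"},
]

def decode_mask(mask_text):
    """Turn an 'Access Mask' string such as '0x6' into access names."""
    mask = int(mask_text, 16)
    return [name for bit, name in sorted(FILE_ACCESS_BITS.items()) if mask & bit]

def correlate(events):
    """Attach the object name from the latest matching 560 to each 567."""
    open_handles = {}   # (Process ID, Handle ID) -> object name
    results = []
    for ev in events:
        key = (ev["Process ID"], ev["Handle ID"])
        if ev["id"] == 560:
            open_handles[key] = ev["Object Name"]   # newest open wins
        elif ev["id"] == 567:
            results.append({
                "object": open_handles.get(key),    # None: no 560 was seen
                "process_id": ev["Process ID"],
                "accesses": decode_mask(ev["Access Mask"]),
            })
    return results

if __name__ == "__main__":
    for row in correlate(SAMPLE_EVENTS):
        print(row)
```

A 567 that resolves to `None` means the matching 560 was not in the exported range, so widen the time window before concluding that the object is unknown.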