Hi all
I find so many event ID 560 recently:
Object Open:
Object Server: SC Manager
Object Type: SC_MANAGER OBJECT
Object Name: ServicesActive
Handle ID: -
Operation ID: {0,2507426418}
Process ID: 532
Image File Name: C:\WINNT\system32\services.exe
Primary User Name: computername$
Primary Domain: HK
Primary Logon ID: (0x0,0x3E7)
Client User Name: I123 Client Domain: HK2 Client Logon ID: (0x0,0x957449BC)
Accesses: READ_CONTROL
Connect to service controller
Enumerate services
Query service database lock state
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20015
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
How can I know more detail, like the source address ? what exactly the user is accessing ??