Thursday, 2 September 2010

Getting loads (thousands per second) of event 5145 for Detailed File Share on a Windows 2008 R2 File Server

On a recently built Windows 2008 R2 file server, the security log was found to be recording over 10,000 event 5145 entries per second in the category 'Detailed File Share'.


Investigation pointed to an 'Advanced Audit Policy Configuration' item that is only available with Windows 2008 R2 and Windows 7: the subcategory 'Audit Detailed File Share'. Interestingly, this was not configured.


It appears that if a domain or local policy enables the normal 'Local Policies' → 'Audit Policy' setting 'Audit object access' with Success and/or Failure, it causes 'Audit Detailed File Share' to be configured as well, unless you explicitly configure that subcategory with Success and/or Failure unticked.

After configuring the Local Security Policy on the file server with Success unticked (see below), the number of security audit events recorded was drastically cut down, noticeably reducing the CPU processing load.


Note: There is no granularity to this setting; it is either enabled or not across all the shares on the server.
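Before turning the subcategory off, it helps to know how fast 5145 events are arriving and which shares and clients generate them. The following PowerShell is an added example, not part of the original post: it reads the effective 'Detailed File Share' setting with auditpol and samples the newest 5145 events. The sample size and the event field names ShareName, IpAddress and SubjectUserName are assumptions not taken from the post.

```powershell
# Added example: measure the 5145 event rate and list the noisiest sources.
# Run from an elevated PowerShell session on the file server.
$sampleSize = 5000   # assumption: number of recent events to sample

# Effective subcategory setting; /r makes auditpol emit CSV.
$policy = auditpol /get /subcategory:"Detailed File Share" /r |
    Where-Object { $_ } | ConvertFrom-Csv
"Detailed File Share auditing: {0}" -f $policy.'Inclusion Setting'

# Newest events first. A fixed-size sample keeps the query cheap even
# when the log is receiving thousands of events per second.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5145 } `
    -MaxEvents $sampleSize -ErrorAction SilentlyContinue)
if ($events.Count -lt 2) {
    "Fewer than two 5145 events found; nothing to measure."
    return
}

# Rate = sample size divided by the time the sample spans.
$span = ($events[0].TimeCreated - $events[-1].TimeCreated).TotalSeconds
if ($span -le 0) { $span = 1 }   # whole sample landed within one timestamp
"{0} events over {1:N1} s = {2:N0} events/second" -f `
    $events.Count, $span, ($events.Count / $span)

# Extract the named fields from each event's XML payload.
$rows = foreach ($e in $events) {
    $fields = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    New-Object PSObject -Property @{
        Share  = $fields['ShareName']
        Client = $fields['IpAddress']
        User   = $fields['SubjectUserName']
    }
}

# Top ten share / client / user combinations in the sample.
$rows | Group-Object Share, Client, User |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize
```

Running it again after the policy change shows whether the rate actually dropped.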

5 comments:

  1. Thanks a lot !

    It's working well !

  2. Thanks! This really helped me...

  3. An easier way to do that and get rid of 5145 events:

    auditpol /set /subcategory:"Detailed File Share" /success:disable /failure:enable

    1. Thank you very much for the comment Pat!

  4. Every day I visit a number of blog sites to see content, however this offers quality based content.
    lifeshield security review
