Thoughts here? This is a user workstation. Same event log id (4656), but for a directory recursive monitor by FIM (PCI template)
| Event Field | Information |
| Event Name | FileAuditFailure |
| EventInfo | File open failed "C:\Windows\System32\mfc42u.dll" user "XXXXXXXX$" |
| InsertionIP | XXXXXXXXXX |
| Manager | LEM |
| DetectionIP | XXXXXXXX |
| InsertionTime | 15:50:27 Wed May 04 2016 |
| DetectionTime | 15:50:12 Wed May 04 2016 |
| Severity | 3 |
| ToolAlias | Vista Security |
| InferenceRule | |
| ProviderSID | Microsoft-Windows-Security-Auditing 4656 |
| ExtraneousInfo | ProcessName: C:\Windows\System32\services.exe |
| SourceAccount | XXXXXXXXXX |
| SourceDomain | ZZZ |
| SourceLogonID | 0x3e7 |
| DestinationAccount | |
| DestinationDomain | |
| DestinationLogonId | |
| AccessRequested | READ_CONTROL WRITE_DAC |
| PrivilegesExercised | 0x60000 |
| FileName | C:\Windows\System32\mfc42u.dll |
| FileHandleID | 0x0 |
| OperationID | 0 |
| ServingProcess | 0x21c |
| AccessProperties | Mask: READ_CONTROL: Granted by D:(A;;0x1200a9;;;BA) WRITE_DAC: Not granted |
| OperationType | FileOpenFailure |