Large number of Event 4663 in Windows Security Log
search cancel

Large number of Event 4663 in Windows Security Log


Article ID: 186867


Updated On:


Endpoint Protection


On a computer with the Symantec Endpoint Protection Manager installed, you are seeing an excessive number of Event 4663 entries written to the Windows Security Event log.  The Task Category is "Removable Storage".  This is consuming disk space on the server holding the manager.  


Release : 14.x



The Symantec Endpoint Protection Manager has been installed to a volume labeled as hot-pluggable and Windows has been configured to audit access on removable devices.  Normally this is seen in virtual environments with the SEPM installed to a partition other than the C partition.

One example of a GPO setting that could be auditing removable devices is:

Computer Configuration\Security Settings\Advanced Audit Policy Configuration\Object Access\Audit Removable Storage


Reconfigure the partition where the SEPM is installed so that the OS sees it as a fixed disk rather than a hot-pluggable disk.  This is done through your virtualization software and will normally need to be done with the VM shut down.

Alternately, disable auditing of object access on removable devices.