Windows Server 2003
Object Access Attempt
On this page
Event 567 logs the actual permissions exercised by the user/program on the object after opening it. While event 560 logs the permissions the user/program obtained to the file or other object at the time it was opened, Event 567 asserts that the Accesses where actually used.
For this event to be useful - that is to identify the object accessed - you must find the preceding event 560 with the corresponding Handle ID.
While a user/program may repeatedly perform an operation on an open object, Windows only logs the first time a given permission is used. (I.E. a user may open a file and repeatedly save it while working on the file, but Windows will only log the first time WriteData permission was exercised to save the file)
See event ID 560 for additional information.