I have set up "Audit object access" on a Windows Server 2008-R2. I then went to a specific folder properties/security/advanced/auditing and added an entry for Everyone and checked both Successful and Failed for the "Create files/Write data" item.
This all works fine and in Event-Viewer/Windows Logs/Security I'll see the Event ID 4656 with Task Category "File System" and I'll see my userid and "Notepad.exe" when I edit a file in that folder, as a test. However, I also now see thousands (literally several thousand--as many as 50 per second) of other events of the same Event ID but with Task Category of "Other Object Access" with details like "A handle to an object was requested", Object Server = "PlugPlayManager", Process = Svchost.exe. These didn't exist before setting up this auditing.
So, I know I can filter the event log by certain things, but not Task Category, and the main issue is that I simply don't care about those other events--I just want to track who edited a file, period. I don't care about the thousands (and as I write this it's now in the tens of thousands) of those other events. How can I stop those "Other Object Access Events" and only audit file edits? Thanks
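An added example, not part of the original post: the category-level "Audit object access" setting switches on every Object Access subcategory at once, so one way to keep only file auditing is to set the subcategories individually with `auditpol`. It assumes an elevated PowerShell prompt on the audited server and that no Group Policy re-applies the category-level setting.

```powershell
# Added example; run from an elevated prompt on the audited server.

# 1. Show the current state of every Object Access subcategory.
auditpol /get /category:"Object Access"

# 2. Turn off the subcategory behind the PlugPlayManager / svchost.exe events.
auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable

# 3. Keep file auditing on so the folder's auditing entry (SACL) still logs.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 4. Confirm both settings took effect.
auditpol /get /subcategory:"File System"
auditpol /get /subcategory:"Other Object Access Events"

# 5. Read back only File System events from the Security log.
#    Task 12800 is the numeric value of the "File System" task category;
#    the 50-event limit is an arbitrary choice for this example.
Get-WinEvent -LogName Security -MaxEvents 50 `
    -FilterXPath "*[System[(Task=12800)]]" |
    Select-Object TimeCreated, Id, Message
```

If the category-level policy comes from a GPO, it can overwrite these subcategory settings at the next policy refresh unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.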