Event ID 4656 – A Handle To An Object Was Requested
|Sub-Category||Audit File System; Audit Kernel Object; Audit Registry|
|Type||Success Audit; Failure Audit|
|Description||A handle to an object was requested.|
When specific access is requested for an object, event ID 4656 is logged. The object for which access is requested can be of any type — file system, kernel, registry object, or a file system object stored on a removable device.
If access is denied, it is logged as a failure audit. This event shows the result of the access request (which is logged by 4663).
This log data provides the following information:
- Security ID
- Account Name
- Account Domain
- Logon ID
- Object Server
- Object Type
- Object Name
- Handle ID
- Resource Attributes
- Process ID
- Process Name
- Transaction ID
- Access Type
- Access Reasons
- Access Mask
- Privileges Used for Access Check
- Restricted SID Count
Why does event ID 4656 need to be monitored?
- To check if unauthorized or restricted processes are requesting objects
- If a particular object is sensitive and critical, and all access attempts need to be monitored
- To monitor actions of high value accounts
- To detect anomalies and malicious actions
- To ensure non-active, external, and restricted accounts are not used
- To ensure that only white-listed accounts perform certain specific actions
- To enforce conventions and compliances
ADAudit Plus provides real-time pre-configured reports and auditing of the changes along with alerts within a Domain & OU. The advanced Group Policy settings real-time audit reports provide detailed information about object related events.
Event 4656 applies to the following operating systems:
- Windows 2008 R2 and 7
- Windows 2012 R2 and 8.1
- Windows 2016 and 10
Corresponding event in Windows 2003 and before: 560.