Event ID 4658 – The Handle To An Object Was Closed
|Sub-Category||File System; Handle Manipulation; Kernel Object; Registry; Removable Storage|
|Description||The handle to an object was successfully closed.|
Event 4658 is logged when the handle to an object is closed. This object could be of any type — file system, kernel, registry object, or a file system object stored on a removable device. This event is logged only if in the Audit Handle Manipulation subcategory, "Success" auditing is enabled.
This log data provides the following information:
- Security ID
- Account Name
- Account Domain
- Logon ID
- Object Server
- Handle ID
- Process ID
- Process Name
Why does event ID 4658 need to be monitored?
- To know how long a handle was open.
- To track actions and operations related to a particular object handle
- To monitor if restricted processes are closing handles
- To detect anomalies and malicious actions
- To ensure non-active, external, and restricted accounts are not used
- To ensure that only white-listed accounts perform certain closing actions
- To enforce conventions and compliances
ADAudit Plus provides real-time pre-configured reports and auditing of the changes along with alerts within a Domain & OU. The advanced Group Policy settings real-time audit reports provide detailed information about object related events.
Event 4658 applies to the following operating systems:
- Windows 2008 R2 and 7
- Windows 2012 R2 and 8.1
- Windows 2016 and 10
Corresponding event in Windows 2003 and before: 562