Event ID: 4656

A handle to an object was requested

A handle to an object was requested.

    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

    Object Server:       %5
    Object Type:         %6
    Object Name:         %7
    Handle ID:           %8
    Resource Attributes: %17 [Windows 8/2012+]

Process Information:
    Process ID:         %15
    Process Name:       %16

Access Request Information:
    Transaction ID:     %9
    Accesses:           %10
    Access Reasons:     %11 [Windows 8/2012+]
    Access Mask:        %12
    Privileges Used for Access Check:   %13
    Restricted SID Count:   %14
Microsoft Documentation

Event ID - 4656

This event indicates that specific access was requested for an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.

If access was declined, a Failure event is generated.

This event generates only if the object’s SACL has the required ACE to handle the use of specific access rights.

This event shows that access was requested, and the results of the request, but it doesn’t show that the operation was performed. To see that the operation was performed, check event 4663 (An attempt was made to access an object).

Object Types: (ObjectType)

Directory Event Timer Device
Mutant Type File Token
Thread Section WindowStation DebugObject
FilterCommunicationPort EventPair Driver IoCompletion
Controller SymbolicLink WmiGuid Process
Profile Desktop KeyedEvent Adapter
Key WaitablePort Callback Semaphore
Job Port Filter ConnectionPort ALPC Port

Most common access rights for file system objects: (AccessList)

Access Hexadecimal Value, Schema Value Description
ReadData (or ListDirectory) 0x1, %%4416 ReadData - For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data. ListDirectory - For a directory, the right to list the contents of the directory.
WriteData (or AddFile) 0x2, %%4417 WriteData - For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (FILE_ADD_FILE). AddFile - For a directory, the right to create a file in the directory.
AppendData (or AddSubdirectory or CreatePipeInstance) 0x4, %%4418 AppendData - For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without FILE_WRITE_DATA.) For a directory object, the right to create a subdirectory (FILE_ADD_SUBDIRECTORY). AddSubdirectory - For a directory, the right to create a subdirectory. CreatePipeInstance - For a named pipe, the right to create a pipe.
ReadEA 0x8, %%4419 The right to read extended file attributes.
WriteEA 0x10, %%4420 The right to write extended file attributes.
Execute/Traverse 0x20, %%4421 Execute - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter. Traverse - For a directory, the right to traverse the directory. By default, users are assigned the BYPASS_TRAVERSE_CHECKING  privilege, which ignores the FILE_TRAVERSE  access right. See the remarks in File Security and Access Rights for more information.
DeleteChild 0x40, %%4422 For a directory, the right to delete a directory and all the files it contains, including read-only files.
ReadAttributes 0x80, %%4423 The right to read file attributes.
WriteAttributes 0x100, %%4424 The right to write file attributes.
DELETE 0x10000, %%1537 The right to delete the object.
READ_CONTROL 0x20000, %%1538 The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL).
WRITE_DAC 0x40000, %%1539 The right to modify the discretionary access control list (DACL) in the object's security descriptor.
WRITE_OWNER 0x80000, %%1540 The right to change the owner in the object's security descriptor
SYNCHRONIZE 0x100000, %%1541 The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right.
ACCESS_SYS_SEC 0x1000000, %%1542 The ACCESS_SYS_SEC access right controls the ability to get or set the SACL in an object's security descriptor.

Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any S-1-5-21-3457937927-2839227994-823803824-1104
Account Name SubjectUserName %2 Any UserName
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0x4367b
Object Server ObjectServer %5 Any Security
Object Type ObjectType %6 Any File
Object Name ObjectName %7 Any C:\Documents\test file.txt
Handle ID HandleId %8 Any 0x0
Transaction ID TransactionId %9 Any {00000000-0000-0000-0000-000000000000}
Accesses AccessList %10 Any View Codes
Access Reasons AccessReason %11 Win 8/2012+ See Description for full example value.
Access Mask AccessMask %12 Any 0x12019f
Privileges Used for Access Check PrivilegeList %13 Any View Codes
Restricted SID Count RestrictedSidCount %14 Any 0
Process ID ProcessId %15 Any 0x1074
Process Name ProcessName %16 Any C:\Windows\System32\notepad.exe
Resource Attributes ResourceAttributes %17 Win 8/2012+ S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /category:"Object Access"
How to enable Windows Auditing

LEFT/RIGHT arrow keys for navigation

Back to List