Event ID: 4657

A registry value was modified 

A registry value was modified.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Object:
    Object Name:        %5
    Object Value Name:  %6
    Handle ID:          %7
    Operation Type:     %8

Process Information:
    Process ID:         %13
    Process Name:       %14

Change Information:
    Old Value Type:     %9
    Old Value:          %10
    New Value Type:     %11
    New Value:          %12


This event only logs changes to registry values, to see when a registry key is added or deleted, refer to event 4663.

Microsoft Documentation

Event ID - 4657



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any THEDOMAIN\TheUser
Account Name SubjectUserName %2 Any TheUser
Account Domain SubjectDomainName %3 Any THEDOMAIN
Logon ID SubjectLogonId %4 Any 0x364ef
Object Name ObjectName %5 Any \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Object Value Name ObjectValueName %6 Any New_Name
Handle ID HandleId %7 Any 0x54
Operation Type OperationType %8 Any Existing registry value modified
Old Value Type OldValueType %9 Any REG_SZ
Old Value OldValue %10 Any
New Value Type NewValueType %11 Any REG_SZ
New Value NewValue %12 Any Andreas
Process ID ProcessId %13 Any 0xec43
Process Name ProcessName %14 Any C:\Windows\regedit.exe

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:Registry
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 7 Windows 2008 R2 Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:
Audit Success
Audit Category:
Object Access

Audit Subcategory:
Registry
Legacy Events:
567

Correlated Events:
4624 4656 4688 4663

LEFT/RIGHT arrow keys for navigation

Back to List