Event ID 4657

A registry value was modified

A registry value was modified.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Object:
    Object Name:        %5
    Object Value Name:  %6
    Handle ID:          %7
    Operation Type:     %8

Process Information:
    Process ID:         %13
    Process Name:       %14

Change Information:
    Old Value Type:     %9
    Old Value:          %10
    New Value Type:     %11
    New Value:          %12

This event only logs changes to registry values, to see when a registry key is added or deleted, refer to event 4663.

Microsoft Documentation

Event ID - 4657

	Field	Insertion String	OS	Example
Security ID	SubjectUserSid	%1	Any	THEDOMAIN\TheUser
Account Name	SubjectUserName	%2	Any	TheUser
Account Domain	SubjectDomainName	%3	Any	THEDOMAIN
Logon ID	SubjectLogonId	%4	Any	0x364ef
Object Name	ObjectName	%5	Any	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Object Value Name	ObjectValueName	%6	Any	New_Name
Handle ID	HandleId	%7	Any	0x54
Operation Type	OperationType	%8	Any	Existing registry value modified
Old Value Type	OldValueType	%9	Any	REG_SZ
Old Value	OldValue	%10	Any
New Value Type	NewValueType	%11	Any	REG_SZ
New Value	NewValue	%12	Any	Andreas
Process ID	ProcessId	%13	Any	0xec43
Process Name	ProcessName	%14	Any	C:\Windows\regedit.exe

Lookup Audit Policy Configuration Settings


  C:\> AuditPol.exe /get  /subcategory:Registry

How to enable Windows Auditing

Recommended Audit Policy

Operating Systems:

Windows Vista Windows 2008 Windows 7 Windows 2008 R2 Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:

Audit Success

Audit Category:

Object Access

Audit Subcategory:

Registry

Legacy Events:

567

Correlated Events:

4624 4656 4688 4663

LEFT/RIGHT arrow keys for navigation

Back to List