Event ID 4658

The handle to an object was closed

The handle to an object was closed.

Subject :
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Object:
    Object Server:      %5
    Handle ID:          %6

Process Information:
    Process ID:         %7
    Process Name:       %8

Auditing:

It's not recommended to audit the "Kernel Object" subcategory.

Microsoft Documentation

Event ID - 4658

	Field	Insertion String	OS	Example
Security ID	SubjectUserSid	%1	Any	THEDOMAIN\UserAbc
Account Name	SubjectUserName	%2	Any	UserAbc
Account Domain	SubjectDomainName	%3	Any	THEDOMAIN
Logon ID	SubjectLogonId	%4	Any	0x43543
Object Server	ObjectServer	%5	Any	Security
Handle ID	HandleId	%6	Any	0x1808
Process ID	ProcessId	%7	Any	0xef82
Process Name	ProcessName	%8	Any	C:\Windows\System32\explorer.exe

Lookup Audit Policy Configuration Settings


  C:\> AuditPol.exe /get /category:"Object Access"

How to enable Windows Auditing

Recommended Audit Policy

Operating Systems:

Windows Vista Windows 2008 Windows 7 Windows 2008 R2 Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:

Audit Success

Audit Category:

Object Access

Audit Subcategory:

File System Handle Manipulation Kernel Object Registry Removable Storage

Legacy Events:

562

Correlated Events:

4656

LEFT/RIGHT arrow keys for navigation

Back to List