Event ID 4661

A handle to an object was requested 

A handle to an object was requested.

Subject :
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Object:
    Object Server:      %5
    Object Type:        %6
    Object Name:        %7
    Handle ID:          %8

Process Information:
    Process ID:         %15
    Process Name:       %16

Access Request Information:
    Transaction ID:     %9
    Accesses:           %10
    Access Mask:        %11
    Privileges Used for Access Check:   %12
    Properties:         %13
    Restricted SID Count:   %14


Indicates that a handle was requested for either an Active Directory object or a Security Account Manager (SAM) object.

If access was declined then an Audit Failure event is generated.

This event generates only if Success auditing is enabled for the Audit Handle Manipulation subcategory.

Auditing:     Rarely

Auditing not generally necessary since the most relevant information is already covered by other audit events.


Volume:     High Very High

Volume depends on server type and system activity, but can potentially be very high on domain controllers.


Microsoft Documentation

Event ID - 4661



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any SOMEDOMAIN\UserOne
Account Name SubjectUserName %2 Any UserOne
Account Domain SubjectDomainName %3 Any SOMEDOMAIN
Logon ID SubjectLogonId %4 Any 0x4290f
Object Server ObjectServer %5 Any Security Account Manager
Object Type ObjectType %6 Any SAM_DOMAIN
Object Name ObjectName %7 Any DC=somedomain,DC=local
Handle ID HandleId %8 Any 0xdd64d85704
Transaction ID TransactionId %9 Any {00000000-0000-0000-0000-000000000000}
Accesses AccessList %10 Any ListAccounts
Access Mask AccessMask %11 Any 0x2D
Privilege Used for Access Check PrivilegeList %12 Any View Codes
Properties Properties %13 Any -
Restricted SID Count RestrictedSidCount %14 Any 2949165
Process ID ProcessId %15 Any 0x7200a000e002d
Process Name ProcessName %16 Any

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /category:"DS Access"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 7 Windows 2008 R2 Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:
Domain Controller Audit Success Audit Failure
Audit Category:
DS Access

Audit Subcategory:
Directory Service Access SAM
Legacy Events:
565

LEFT/RIGHT arrow keys for navigation

Back to List