Event ID: 4661

A handle to an object was requested

A handle to an object was requested.

Subject :
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Object:
    Object Server:      %5
    Object Type:        %6
    Object Name:        %7
    Handle ID:          %8

Process Information:
    Process ID:         %15
    Process Name:       %16

Access Request Information:
    Transaction ID:     %9
    Accesses:           %10
    Access Mask:        %11
    Privileges Used for Access Check:   %12
    Properties:         %13
    Restricted SID Count:   %14
Microsoft Documentation

Event ID - 4661



Indicates that a handle was requested for either an Active Directory object or a Security Account Manager (SAM) object.

If access was declined then an Audit Failure event is generated.

This event generates only if Success auditing is enabled for the Audit Handle Manipulation subcategory.



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any SOMEDOMAIN\UserOne
Account Name SubjectUserName %2 Any UserOne
Account Domain SubjectDomainName %3 Any SOMEDOMAIN
Logon ID SubjectLogonId %4 Any 0x4290f
Object Server ObjectServer %5 Any Security Account Manager
Object Type ObjectType %6 Any SAM_DOMAIN
Object Name ObjectName %7 Any DC=somedomain,DC=local
Handle ID HandleId %8 Any 0xdd64d85704
Transaction ID TransactionId %9 Any {00000000-0000-0000-0000-000000000000}
Accesses AccessList %10 Any ListAccounts
Access Mask AccessMask %11 Any 0x2D
Privilege Used for Access Check PrivilegeList %12 Any View Codes
Properties Properties %13 Any -
Restricted SID Count RestrictedSidCount %14 Any 2949165
Process ID ProcessId %15 Any 0x7200a000e002d
Process Name ProcessName %16 Any


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /category:"DS Access"
How to enable Windows Auditing



LEFT/RIGHT arrow keys for navigation

Back to List