Event ID: 4663

An attempt was made to access an object

An attempt was made to access an object.

    Security ID:         %1
    Account Name:        %2
    Account Domain:      %3
    Logon ID:            %4

    Object Server:       %5
    Object Type:         %6
    Object Name:         %7
    Handle ID:           %8
    Resource Attributes: %13 [Windows 8/2012+]

Process Information:
    Process ID:          %11
    Process Name:        %12

Access Request Information:
    Accesses:            %9
    Access Mask:         %10

An operation was performed on either a file system, kernel, registry object, or a file system object on removable storage or a device.

Note: Auditing will still need to be set on the actual target objects (e.g. folder, registry key, ...) to actually generate this event. Right-click the object, and select Properties -> Security -> Advanced -> Auditing and add the desired audit settings.

Removable Storage: In order to audit write activity on removable storage, the HotplugSecureOpen DWORD registry value will need to be created/set to 1 on newer Windows 10 editions (reboot required):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage\HotplugSecureOpen (DWORD -> 1)

Auditing:     Always

It's always recommended to enable this audit category, since the actual events are only generated when auditing on an object (e.g. directory) is enabled.


The volume entirely depends on the amount of objects (e.g. files) with auditing enabled along with the frequency of audit-able access of those objects.


How to detect & defeat malware using event 4663.

Microsoft Documentation

Event ID - 4663

Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any DOMAIN\Username
Account Name SubjectUserName %2 Any Username
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0x4897B
Object Server ObjectServer %5 Any Security
Object Type ObjectType %6 Any File
Object Name ObjectName %7 Any C:\Windows\System32\eventvwr.exe
Handle ID HandleId %8 Any 0x1bc
Accesses AccessList %9 Any View Codes
AccessMask AccessMask %10 Any 0x2
Process ID ProcessId %11 Any 0x8745
Process Name ProcessName %12 Any C:\Windows\System32\notepad.exe
ResourceAttributes Resource Attributes %13 Win8/2012+ S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /category:"Object Access"

LEFT/RIGHT arrow keys for navigation

Back to List