Event ID: 4663

An attempt was made to access an object

An attempt was made to access an object.

    Security ID:         %1
    Account Name:        %2
    Account Domain:      %3
    Logon ID:            %4

    Object Server:       %5
    Object Type:         %6
    Object Name:         %7
    Handle ID:           %8
    Resource Attributes: %13 [Windows 8/2012+]

Process Information:
    Process ID:          %11
    Process Name:        %12

Access Request Information:
    Accesses:            %9
    Access Mask:         %10
Microsoft Documentation

Event ID - 4663

An operation was performed on either a file system, kernel, registry object, or a file system object on removable storage or a device.

Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any DOMAIN\Username
Account Name SubjectUserName %2 Any Username
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0x4897B
Object Server ObjectServer %5 Any Security
Object Type ObjectType %6 Any File
Object Name ObjectName %7 Any C:\Windows\System32\eventvwr.exe
Handle ID HandleId %8 Any 0x1bc
Accesses AccessList %9 Any View Codes
AccessMask AccessMask %10 Any 0x2
Process ID ProcessId %11 Any 0x8745
Process Name ProcessName %12 Any C:\Windows\System32\notepad.exe
ResourceAttributes Resource Attributes %13 Win8/2012+ S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /category:"Object Access"
How to enable Windows Auditing

LEFT/RIGHT arrow keys for navigation

Back to List