Event ID: 4663

An attempt was made to access an object

An attempt was made to access an object.

Subject:
    Security ID:         %1
    Account Name:        %2
    Account Domain:      %3
    Logon ID:            %4

Object:
    Object Server:       %5
    Object Type:         %6
    Object Name:         %7
    Handle ID:           %8
    Resource Attributes: %13 [Windows 8/2012+]

Process Information:
    Process ID:          %11
    Process Name:        %12

Access Request Information:
    Accesses:            %9
    Access Mask:         %10


An operation was performed on a file system, kernel or registry object, or on a file system object residing on removable storage or a device.

Note: Auditing will still need to be set on the actual target objects (e.g. folder, registry key, ...) to actually generate this event. Right-click the object, and select Properties -> Security -> Advanced -> Auditing and add the desired audit settings.

Removable Storage: In order to audit write activity on removable storage, the HotplugSecureOpen DWORD registry value will need to be created/set to 1 on newer Windows 10 editions (reboot required):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Storage\HotplugSecureOpen (DWORD -> 1)

Auditing:     Always

It's always recommended to enable this audit category, since the actual events are only generated when auditing on an object (e.g. directory) is enabled.


Volume:

The volume depends entirely on the number of objects (e.g. files) with auditing enabled and on how frequently those objects are accessed in an auditable way.


CJIS 5.04.1.1.2.d

How to detect & defeat malware using event 4663.


Microsoft Documentation

Event ID - 4663



Name                 Field               Insertion String  OS          Example
Security ID          SubjectUserSid      %1                Any         DOMAIN\Username
Account Name         SubjectUserName     %2                Any         Username
Account Domain       SubjectDomainName   %3                Any         DOMAIN
Logon ID             SubjectLogonId      %4                Any         0x4897B
Object Server        ObjectServer        %5                Any         Security
Object Type          ObjectType          %6                Any         File
Object Name          ObjectName          %7                Any         C:\Windows\System32\eventvwr.exe
Handle ID            HandleId            %8                Any         0x1bc
Accesses             AccessList          %9                Any         View Codes
Access Mask          AccessMask          %10               Any         0x2
Process ID           ProcessId           %11               Any         0x8745
Process Name         ProcessName         %12               Any         C:\Windows\System32\notepad.exe
Resource Attributes  ResourceAttributes  %13               Win8/2012+  S:AI(RA;ID;;;;WD;("Impact_MS",TI,0x10020,3000))
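As an added example (not part of this reference page), the Python below parses the EventData of a 4663 record using the field names listed in the table above, decodes the AccessMask bits into the standard Win32 file-access rights, and flags write/delete access to a watched path by a process that is not on an allowlist. The sample record, the watched path prefix and the allowlisted process are constructed values; the bit values are the documented Win32 file-access constants.

```python
import xml.etree.ElementTree as ET

# Standard Win32 file-access bits that appear in a 4663 AccessMask.
ACCESS_BITS = {
    0x1: "ReadData/ListDirectory",
    0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory",
    0x10000: "DELETE",
    0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER",
}
# Any of these bits means the handle could modify or remove the object.
WRITE_MASK = 0x2 | 0x4 | 0x10000 | 0x40000 | 0x80000

# Constructed sample: the EventData block of one 4663 record (not a real capture).
SAMPLE_4663 = """<EventData>
  <Data Name="SubjectUserSid">S-1-5-21-1-2-3-1001</Data>
  <Data Name="SubjectUserName">jdoe</Data>
  <Data Name="SubjectDomainName">CORP</Data>
  <Data Name="SubjectLogonId">0x4897b</Data>
  <Data Name="ObjectServer">Security</Data>
  <Data Name="ObjectType">File</Data>
  <Data Name="ObjectName">C:\\Finance\\payroll.xlsx</Data>
  <Data Name="HandleId">0x1bc</Data>
  <Data Name="AccessMask">0x10002</Data>
  <Data Name="ProcessId">0x8745</Data>
  <Data Name="ProcessName">C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe</Data>
</EventData>"""

def parse_4663(xml_text):
    """Return {field name: value} for every <Data Name=...> element of the record."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.iter("Data")}

def decode_access_mask(mask):
    """Name the known access bits set in an AccessMask string such as '0x10002'."""
    value = int(mask, 16) if isinstance(mask, str) else mask
    return [name for bit, name in ACCESS_BITS.items() if value & bit]

def is_suspicious_write(event, watched_prefixes, trusted_processes):
    """True for a write/delete on a watched path by a process outside the allowlist."""
    if event.get("ObjectType") != "File":
        return False
    obj = event.get("ObjectName", "").lower()
    if not any(obj.startswith(p.lower()) for p in watched_prefixes):
        return False
    if not int(event.get("AccessMask", "0"), 16) & WRITE_MASK:
        return False
    return event.get("ProcessName", "").lower() not in {p.lower() for p in trusted_processes}

if __name__ == "__main__":
    ev = parse_4663(SAMPLE_4663)
    print(decode_access_mask(ev["AccessMask"]))
    print(is_suspicious_write(ev, ["C:\\Finance\\"], ["C:\\Program Files\\Excel\\EXCEL.EXE"]))
```

Because 4663 is only emitted for objects that carry an audit ACE, the watched prefixes in a real deployment should match the folders on which auditing was actually configured.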


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /category:"Object Access"


