Event ID: 4670

Permissions on an object were changed 

Permissions on an object were changed.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Object:
    Object Server:      %5
    Object Type:        %6
    Object Name:        %7
    Handle ID:          %8

Process:
    Process ID:         %11
    Process Name:       %12

Permissions Change:
    Original Security Descriptor:   %9
    New Security Descriptor:        %10


Microsoft Documentation

Event ID - 4670



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any THEDOMAIN\UserOne
Account Name SubjectUserName %2 Any UserOne
Account Domain SubjectDomainName %3 Any THEDOMAIN
Logon ID SubjectLogonId %4 Any 0x46857
Object Server ObjectServer %5 Any Security
Object Type ObjectType %6 Any File
Object Name ObjectName %7 Any C:\Files\info.txt
Handle ID HandleId %8 Any 0x3f0
Original Security Descriptor OldSd %9 Any D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)
New Security Descriptor NewSd %10 Any D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)
Process ID ProcessId %11 Any 0xdb0
Process Name ProcessName %12 Any C:\Windows\system32\dllhost.exe

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /category:"Object Access"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 7 Windows 2008 R2 Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:
Audit Success
Audit Category:
Object Access

Audit Subcategory:
File System Registry Authentication Policy Change Authorization Policy Change
Correlated Events:
4624 4663 4688

LEFT/RIGHT arrow keys for navigation

Back to List