Event ID 4670

Permissions on an object were changed

Permissions on an object were changed.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Object:
    Object Server:      %5
    Object Type:        %6
    Object Name:        %7
    Handle ID:          %8

Process:
    Process ID:         %11
    Process Name:       %12

Permissions Change:
    Original Security Descriptor:   %9
    New Security Descriptor:        %10

Microsoft Documentation

Event ID - 4670

	Field	Insertion String	OS	Example
Security ID	SubjectUserSid	%1	Any	THEDOMAIN\UserOne
Account Name	SubjectUserName	%2	Any	UserOne
Account Domain	SubjectDomainName	%3	Any	THEDOMAIN
Logon ID	SubjectLogonId	%4	Any	0x46857
Object Server	ObjectServer	%5	Any	Security
Object Type	ObjectType	%6	Any	File
Object Name	ObjectName	%7	Any	C:\Files\info.txt
Handle ID	HandleId	%8	Any	0x3f0
Original Security Descriptor	OldSd	%9	Any	D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)
New Security Descriptor	NewSd	%10	Any	D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)
Process ID	ProcessId	%11	Any	0xdb0
Process Name	ProcessName	%12	Any	C:\Windows\system32\dllhost.exe

Lookup Audit Policy Configuration Settings


  C:\> AuditPol.exe /get /category:"Object Access"

How to enable Windows Auditing

Recommended Audit Policy

Operating Systems:

Windows Vista Windows 2008 Windows 7 Windows 2008 R2 Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:

Audit Success

Audit Category:

Object Access

Audit Subcategory:

File System Registry Authentication Policy Change Authorization Policy Change

Correlated Events:

4624 4663 4688

LEFT/RIGHT arrow keys for navigation

Back to List