Event ID 4690

An attempt was made to duplicate a handle to an object 

An attempt was made to duplicate a handle to an object.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Source Handle Information:
    Source Handle ID:   %5
    Source Process ID:  %6

New Handle Information:
    Target Handle ID:   %7
    Target Process ID:  %8


This event generates if an attempt was made to duplicate a handle to an object.

Auditing:     Rarely

This event has little security relevance.


Microsoft Documentation

Event ID - 4690



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any S-1-5-18
Account Name SubjectUserName %2 Any DC01$
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0x3e7
Source Handle ID SourceHandleId %5 Any 0x438
Source Process ID SourceProcessId %6 Any 0x674
Target Handle ID TargetHandleId %7 Any 0xd9c
Target Process ID TargetProcessId %8 Any 0x4

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"Handle Manipulation"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:
Audit Success
Audit Category:
Object Access

Audit Subcategory:
Handle Manipulation
Legacy Events:
594

Correlated Events:
4663

LEFT/RIGHT arrow keys for navigation

Back to List