Event ID 4985

The state of a transaction has changed 

The state of a transaction has changed.

Subject:
    Security ID:    %1
    Account Name:   %2
    Account Domain: %3
    Logon ID:       %4

Transaction Information:
    RM Transaction ID: %5
    New State:         %6
    Resource Manager:  %7

Process Information:
    Process ID:   %8
    Process Name: %9


This is an informational event from file system Transaction Manager.

Auditing:     Conditional

Little security relevance, mostly used for troubleshooting.


Microsoft Documentation

Event ID - 4985



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any S-1-5-18
Account Name SubjectUserName %2 Any DC01$
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0x3e7
RM Transaction ID TransactionId %5 Any {17EF5E21-5E2C-11E5-810F-00155D987005}
New State NewState %6 Any 52
Resource Manager ResourceManager %7 Any {5F5ED427-FCCA-11E3-BD73-B54AB417B853}
Process ID ProcessId %8 Any 0x370
Process Name ProcessName %9 Any C:\Windows\System32\svchost.exe

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"File System"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 2008 R2 Windows 7 Windows 2012 Windows 2012 R2 Windows 8 Windows 8.1 Windows 10 Windows 2016 Windows 2019 Windows 11 Windows 2022

Tags:
Audit Success
Audit Category:
Object Access

Audit Subcategory:
File System

LEFT/RIGHT arrow keys for navigation

Back to List