Windows Security Log Event ID 4865

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
 • Subcategory
Policy Change
 • Authentication Policy Change
Type Success
Corresponding events
in Windows 2003
and before

4865: A trusted forest information entry was added

On this page

This event is logged cross-forest trust relationships are created or modified.  You will get several of these events per trust. 

Windows stores trust relationships as Trusted Domain Objects (see events 4706, 4707, 4716) but cross-forest trusts require extra information stored in several entries in the TDO's Forest Trust Information attribute (aka FTInfo).  FTInfo includes the all namespaces that a trusted forest manages, with other fields that indicate whether each claim is actually trusted by the trusting (this) forest.

This event, 4865, documents creation of each of such entries.  You can link all the entries created at one time by the Operation ID:.

Not all elements are filled in for each entry type.

Free Security Log Resources by Randy

Description Fields in 4865


The ID and logon session of the user that created the entry. 

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Trust Information:

The elements in the Forest Trust Information entry.

  • Forest Root: The DNS name of the forest root domain of the other forest in this trust relationship.
  • Forest Root SID: The SID of the Forest Root: - usually translated to the pre-Win2k domain name.
  • Operation ID: allows you to correlate all the events that are part of this operation
  • Entry Type:

0 ForestTrustTopLevelName This record identifies a domain (Top Level Name below) of the trusted forest that this forest trusts. 
1 ForestTrustTopLevelNameEx This record identifies a domain (Top Level Name below) of the trusted forest that this forest does not trust (excluded)
2 ForestTrustDomainInfo

This record contains an LSA_FOREST_TRUST_DOMAIN_INFO structure which includes

  • Sid
  • DnsName
  • NetbiosName

  • Flags: seems to always be 0
  • Top Level Name: The domain that is trusted or untrusted (excluded) see Entry Types 0 and 1 above.
  • DNS Name: see see LSA_FOREST_TRUST_DOMAIN_INFO above

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.



Examples of 4865

A trusted forest information entry was added.


   Security ID:  ACME-FR\administrator
   Account Name:  administrator
   Account Domain:  ACME-FR
   Logon ID:  0x20f9d

Trust Information:

   Forest Root: mtg.local
   Forest Root SID: MTG\
   Operation ID: 0x3669eb
   Entry Type: 0
   Flags: 0
   Top Level Name: mtg.local
   DNS Name: -
   NetBIOS Name: -
   Domain SID: NULL SID

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources