Windows Security Log Event ID 4865

Operating Systems	Windows 2008 R2 and 7 Windows 2012 R2 and 8.1 Windows 2016 and 10 Windows Server 2019 and 2022
Category • Subcategory	Policy Change • Authentication Policy Change
Type	Success
Corresponding events in Windows 2003 and before

4865: A trusted forest information entry was added

On this page

Description of this event
Field level details
Examples
Mini-seminars on this event

This event is logged cross-forest trust relationships are created or modified. You will get several of these events per trust.

Windows stores trust relationships as Trusted Domain Objects (see events 4706, 4707, 4716) but cross-forest trusts require extra information stored in several entries in the TDO's Forest Trust Information attribute (aka FTInfo). FTInfo includes the all namespaces that a trusted forest manages, with other fields that indicate whether each claim is actually trusted by the trusting (this) forest.

This event, 4865, documents creation of each of such entries. You can link all the entries created at one time by the Operation ID:.

Not all elements are filled in for each entry type.

Free Security Log Resources by Randy

Description Fields in 4865

Subject:

The ID and logon session of the user that created the entry.

Security ID: The SID of the account.
Account Name: The account logon name.
Account Domain: The domain or - in the case of local accounts - computer name.
Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Trust Information:

The elements in the Forest Trust Information entry.

Forest Root: The DNS name of the forest root domain of the other forest in this trust relationship.
Forest Root SID: The SID of the Forest Root: - usually translated to the pre-Win2k domain name.
Operation ID: allows you to correlate all the events that are part of this operation
Entry Type:

ForestTrustTopLevelName

This record identifies a domain (Top Level Name below) of the trusted forest that this forest trusts.

ForestTrustTopLevelNameEx

This record identifies a domain (Top Level Name below) of the trusted forest that this forest does not trust (excluded)

ForestTrustDomainInfo

This record contains an LSA_FOREST_TRUST_DOMAIN_INFO structure which includes

Sid
DnsName
NetbiosName

Flags: seems to always be 0
Top Level Name: The domain that is trusted or untrusted (excluded) see Entry Types 0 and 1 above.
DNS Name: see see LSA_FOREST_TRUST_DOMAIN_INFO above
NetBIOS Name: see LSA_FOREST_TRUST_DOMAIN_INFO above
Domain SID: see LSA_FOREST_TRUST_DOMAIN_INFO above

Supercharger Free Edition

Your entire Windows Event Collection environment on a single pane of glass.

Free.

Examples of 4865

A trusted forest information entry was added.

Subject:

   Security ID: ACME-FR\administrator
   Account Name: administrator
   Account Domain: ACME-FR
   Logon ID: 0x20f9d

Trust Information:

   Forest Root: mtg.local
   Forest Root SID: MTG\
   Operation ID: 0x3669eb
   Entry Type: 0
   Flags: 0
   Top Level Name: mtg.local
   DNS Name: -
   NetBIOS Name: -
   Domain SID: NULL SID

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Upcoming Webinars

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.