Windows Security Log Event ID 4657

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Category
 • Subcategory
Object Access
 • Registry
Type Success
Corresponding events
in Windows 2003
and before
567  
Discussions on Event ID 4657
Regarding the event for "A registry value was modified"
Generation of Registry Change Events 4657 and 567

4657: A registry value was modified

On this page

This event documents creation, modification and deletion of registry VALUES.  This event is logged between the open (4656) and close (4658) events for the registry KEY where the value resides.  See Operation Type to find out if the value was created, modified or deleted. Of course this event will only be logged if the key's audit policy is enabled for Set Value permission for the appropriate user or a group in the user is a member.

Free Security Log Resources by Randy

Description Fields in 4657

Subject:

The user and logon session that performed the action.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Object:

This is the registry key and value upon whom the action was attempted. 

  • Object Name: The name of the registry key being accessed
  • Object Value Name: The name of the registry value within the key that is being accessed
  • Hanlde ID: is a semi-unique (unique between reboots) number that identifies all subsequent audited events while the object is open.  Handle ID allows you to correlate to other events logged (Open 4656, Access 4663, Close 4658)
  • Operation Type: (see above examples)
  • New registry value created
  • Existing registry value modified
  • Registry value deleted

Process Information:

Process ID is the process ID specified when the executable started as logged in 4688. The Process Name identifies the program executable that accessed the object.  

Change Information:

Old Value Type: 

REG_SZ String value
REG_BINARY Binary value
REG_DWORD Double word 32-bit value
REG_QWORD Quad word 64-bit value
REG_MULTI_SZ Mult-String value
REG_EXPAND_SZ Expandable string value

Old Value:  actual data of the value
New Value Type:  see old
New Value:  see old

Supercharger Enterprise


 

Examples of 4657

New Value Example:

A registry value was modified.

Subject:

   Security ID:  ACME\administrator
   Account Name:  administrator
   Account Domain:  ACME
   Logon ID:  0x176293

Object:
   Object Name:  \REGISTRY\MACHINE\SOFTWARE\MTG
   Object Value Name: Path
   Handle ID:  0x124
   Operation Type:  New registry value created

Process Information:
   Process ID:  0x8d4
   Process Name:  C:\Windows\regedit.exe

Change Information:
   Old Value Type:  -
   Old Value:  -
   New Value Type:  REG_SZ
   New Value: 


Value modified:

A registry value was modified.

Subject:
   Security ID:  ACME\administrator
   Account Name:  administrator
   Account Domain:  ACME
   Logon ID:  0x176293

Object:
   Object Name:  \REGISTRY\MACHINE\SOFTWARE\MTG
   Object Value Name: Path
   Handle ID:  0x124
   Operation Type:  Existing registry value modified

Process Information:
   Process ID:  0x8d4
   Process Name:  C:\Windows\regedit.exe

Change Information:
   Old Value Type:  REG_SZ
   Old Value: 
   New Value Type:  REG_SZ
   New Value:  c:\data


Value deleted:

A registry value was modified.

Subject:
   Security ID:  ACME\administrator
   Account Name:  administrator
   Account Domain:  ACME
   Logon ID:  0x176293

Object:
   Object Name:  \REGISTRY\MACHINE\SOFTWARE\MTG
   Object Value Name: Path
   Handle ID:  0x124
   Operation Type:  Registry value deleted

Process Information:
   Process ID:  0x8d4
   Process Name:  C:\Windows\regedit.exe

Change Information:
   Old Value Type:  REG_SZ
   Old Value:  c:\data
   New Value Type:  -
   New Value:  -

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources