Windows Security Log Event ID 4661
4661: A handle to an object was requested
On this page
This event is logged by multiple subcategories as indicated above.
Most objects, when opened (handle request), generate event 4656 but when you open a SAM object you get 4661 instead.
Some AD objects also double as SAM objects and some properties of those objects double as SAM attributes. This event is logged when opening such SAM objects such as SAM_DOMAIN or SAM_USER.
When the object is closed you get event ID 4658 with the same handle ID.
I regard these events as noise and recommend disabling the SAM subcategory in your audit policy.
Free Security Log Resources by Randy
Subject :
- Security ID: %1
- Account Name: %2
- Account Domain: %3
- Logon ID: %4
Object:
- Object Server: %5
- Object Type: %6
- Object Name: %7
- Handle ID: %8
Process Information:
- Process ID: %15
- Process Name: %16
Access Request Information:
- Transaction ID: %9
- Accesses: %10
- Access Mask: %11
- Privileges Used for Access Check: %12
- Properties: %13
- Restricted SID Count: %14
Setup PowerShell Audit Log Forwarding in 4 Minutes
SAM example
A handle to an object was requested.
Subject :
Security ID: ACME-FR\administrator
Account Name: administrator
Account Domain: ACME-FR
Logon ID: 0x20f9d
Object:
Object Server: Security Account Manager
Object Type: SAM_USER
Object Name: S-1-5-21-1162742508-374458840-2482843958-500
Handle ID: 0x299db40
Process Information:
Process ID: 0x234
Process Name: C:\Windows\System32\lsass.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadGeneralInformation
ReadPreferences
WritePreferences
ReadLogon
ReadAccount
WriteAccount
SetPassword (without knowledge of old password)
ListGroups
Access Mask: 0xf01bf
Privileges Used for Access Check: -
Properties: ===={bf967aba-0de6-11d0-a285-00aa003049e2}
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadGeneralInformation
ReadPreferences
WritePreferences
ReadLogon
ReadAccount
WriteAccount
SetPassword (without knowledge of old password)
ListGroups
{59ba2f42-79a2-11d0-9020-00c04fc2d3cf}
{bf967938-0de6-11d0-a285-00aa003049e2}
{5fd42471-1262-11d0-a060-00aa006c33ed}
{bf9679e8-0de6-11d0-a285-00aa003049e2}
{bf967a00-0de6-11d0-a285-00aa003049e2}
{3e0abfd0-126a-11d0-a060-00aa006c33ed}
{bf967a6a-0de6-11d0-a285-00aa003049e2}
{bf967953-0de6-11d0-a285-00aa003049e2}
{4c164200-20c0-11d0-a768-00aa006e0529}
{bf967915-0de6-11d0-a285-00aa003049e2}
{bf967a0a-0de6-11d0-a285-00aa003049e2}
{bf967a68-0de6-11d0-a285-00aa003049e2}
{bf967a6d-0de6-11d0-a285-00aa003049e2}
{5f202010-79a5-11d0-9020-00c04fc2d4cf}
{bf96792e-0de6-11d0-a285-00aa003049e2}
{bf967985-0de6-11d0-a285-00aa003049e2}
{bf967986-0de6-11d0-a285-00aa003049e2}
{bf967996-0de6-11d0-a285-00aa003049e2}
{bf967997-0de6-11d0-a285-00aa003049e2}
{bf9679aa-0de6-11d0-a285-00aa003049e2}
{bf9679ab-0de6-11d0-a285-00aa003049e2}
{bf9679ac-0de6-11d0-a285-00aa003049e2}
{bf967a05-0de6-11d0-a285-00aa003049e2}
{bf9679a8-0de6-11d0-a285-00aa003049e2}
{e48d0154-bcf8-11d1-8702-00c04fb96050}
{bf967950-0de6-11d0-a285-00aa003049e2}
{bc0ac240-79a9-11d0-9020-00c04fc2d4cf}
{bf967991-0de6-11d0-a285-00aa003049e2}
{ab721a53-1e2f-11d0-9819-00aa0040529b}
{00299570-246d-11d0-a768-00aa006e0529}
{7ed84960-ad10-11d0-8a92-00aa006e0529}
Restricted SID Count: 0
Active Directory example:
A handle to an object was requested.
Subject :
Security ID: ACME-FR\administrator
Account Name: administrator
Account Domain: ACME-FR
Logon ID: 0x20f9d
Object:
Object Server: Security Account Manager
Object Type: SAM_DOMAIN
Object Name: DC=acme-fr,DC=local
Handle ID: 0x12edf0
Process Information:
Process ID: 0x234
Process Name: C:\Windows\System32\lsass.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: ListAccounts
Access Mask: 0x100
Privileges Used for Access Check: -
Properties: ---{bf967a90-0de6-11d0-a285-00aa003049e2}
ListAccounts {280f369c-67c7-438e-ae98-1d46f3c6f541
Restricted SID Count: 0
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection