Windows Security Log Event ID 4661

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory
Object Access
 • Kernel Object
 • SAM
Directory Service
 • Directory Service Access
Type Success
Corresponding events
in Windows 2003
and before
565  

4661: A handle to an object was requested

On this page

This event is logged by multiple subcategories as indicated above.

Most objects, when opened (handle request), generate event 4656 but when you open a SAM object you get 4661 instead.

Some AD objects also double as SAM objects and some properties of those objects double as SAM attributes.  This event is logged when opening such SAM objects such as SAM_DOMAIN or SAM_USER.

When the object is closed you get event ID 4658 with the same handle ID.

I regard these events as noise and recommend disabling the SAM subcategory in your audit policy.

Free Security Log Resources by Randy

Description Fields in 4661

Subject :

  •  Security ID:  %1
  •  Account Name:  %2
  •  Account Domain:  %3
  •  Logon ID:  %4

Object:

  •  Object Server: %5
  •  Object Type: %6
  •  Object Name: %7
  •  Handle ID: %8

Process Information:

  •  Process ID: %15
  •  Process Name: %16

Access Request Information:

  •  Transaction ID: %9
  •  Accesses: %10
  •  Access Mask: %11
  •  Privileges Used for Access Check: %12
  •  Properties: %13
  •  Restricted SID Count: %14

Supercharger Enterprise


Load Balancing for Windows Event Collection

 

Examples of 4661

SAM example

A handle to an object was requested.

Subject :
      Security ID:  ACME-FR\administrator
   Account Name:  administrator
   Account Domain:  ACME-FR
   Logon ID:  0x20f9d

Object:
      Object Server: Security Account Manager
   Object Type: SAM_USER
   Object Name: S-1-5-21-1162742508-374458840-2482843958-500
   Handle ID: 0x299db40

Process Information:
      Process ID: 0x234
   Process Name: C:\Windows\System32\lsass.exe

Access Request Information:
      Transaction ID: {00000000-0000-0000-0000-000000000000}
   Accesses: DELETE
     READ_CONTROL
     WRITE_DAC
     WRITE_OWNER
     ReadGeneralInformation
     ReadPreferences
     WritePreferences
     ReadLogon
     ReadAccount
     WriteAccount
     SetPassword (without knowledge of old password)
     ListGroups

      Access Mask: 0xf01bf
   Privileges Used for Access Check: -
   Properties: ===={bf967aba-0de6-11d0-a285-00aa003049e2}
     DELETE
     READ_CONTROL
     WRITE_DAC
     WRITE_OWNER
     ReadGeneralInformation
     ReadPreferences
     WritePreferences
     ReadLogon
     ReadAccount
     WriteAccount
     SetPassword (without knowledge of old password)
   ListGroups
   {59ba2f42-79a2-11d0-9020-00c04fc2d3cf}
   {bf967938-0de6-11d0-a285-00aa003049e2}
   {5fd42471-1262-11d0-a060-00aa006c33ed}
   {bf9679e8-0de6-11d0-a285-00aa003049e2}
   {bf967a00-0de6-11d0-a285-00aa003049e2}
   {3e0abfd0-126a-11d0-a060-00aa006c33ed}
   {bf967a6a-0de6-11d0-a285-00aa003049e2}
   {bf967953-0de6-11d0-a285-00aa003049e2}
   {4c164200-20c0-11d0-a768-00aa006e0529}
   {bf967915-0de6-11d0-a285-00aa003049e2}
   {bf967a0a-0de6-11d0-a285-00aa003049e2}
   {bf967a68-0de6-11d0-a285-00aa003049e2}
   {bf967a6d-0de6-11d0-a285-00aa003049e2}
   {5f202010-79a5-11d0-9020-00c04fc2d4cf}
   {bf96792e-0de6-11d0-a285-00aa003049e2}
   {bf967985-0de6-11d0-a285-00aa003049e2}
   {bf967986-0de6-11d0-a285-00aa003049e2}
   {bf967996-0de6-11d0-a285-00aa003049e2}
   {bf967997-0de6-11d0-a285-00aa003049e2}
   {bf9679aa-0de6-11d0-a285-00aa003049e2}
   {bf9679ab-0de6-11d0-a285-00aa003049e2}
   {bf9679ac-0de6-11d0-a285-00aa003049e2}
   {bf967a05-0de6-11d0-a285-00aa003049e2}
   {bf9679a8-0de6-11d0-a285-00aa003049e2}
   {e48d0154-bcf8-11d1-8702-00c04fb96050}
   {bf967950-0de6-11d0-a285-00aa003049e2}
   {bc0ac240-79a9-11d0-9020-00c04fc2d4cf}
   {bf967991-0de6-11d0-a285-00aa003049e2}
   {ab721a53-1e2f-11d0-9819-00aa0040529b}
   {00299570-246d-11d0-a768-00aa006e0529}
   {7ed84960-ad10-11d0-8a92-00aa006e0529}

      Restricted SID Count: 0


Active Directory example:

A handle to an object was requested.

Subject :
      Security ID: ACME-FR\administrator
   Account Name: administrator
   Account Domain: ACME-FR
   Logon ID: 0x20f9d

Object:
      Object Server: Security Account Manager
   Object Type: SAM_DOMAIN
   Object Name: DC=acme-fr,DC=local
   Handle ID: 0x12edf0

Process Information:
      Process ID: 0x234
   Process Name: C:\Windows\System32\lsass.exe

Access Request Information:
      Transaction ID: {00000000-0000-0000-0000-000000000000}
   Accesses: ListAccounts
   Access Mask: 0x100
   Privileges Used for Access Check: -
   Properties: ---{bf967a90-0de6-11d0-a285-00aa003049e2}
   ListAccounts {280f369c-67c7-438e-ae98-1d46f3c6f541
  
Restricted SID Count: 0

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

 

Upcoming Webinars
    Additional Resources

      Go To Event ID:

      Security Log
      Quick Reference
      Chart
      Download now!