Windows Security Log Event ID 4690

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
 • Subcategory
Object Access
 • Handle Manipulation
Type Success
Corresponding events
in Windows 2003
and before

4690: An attempt was made to duplicate a handle to an object

On this page

When a program opens an object like a file, it gets a "handle" to that file which it references in subsequent operations on the object.  Windows checks permissions at the time of the open (aka handle request) but not afterwards.  Windows allows you to duplicate a handle and hand it off to another thread or process which then inherits whatever level of access the first program obtained to the object when the program opened.  Therefore a thread impersonating a different user or a process running as a different user could exploit the potentially higher level of access of the first program for that object.  And that apparently is why this event is logged.  Unfortunately this event doesn't seem to provide enough information to determine if the Handle was given to a lower security thread or process.  Consequently I classify this event as noise.

For an explanation of the fields in this event see events 4688 and 4656.

Do you know more about this event?  If so please start a discussion and share!

Free Security Log Resources by Randy

Description Fields in 4690


  •  Security ID:  %1
  •  Account Name:  %2
  •  Account Domain:  %3
  •  Logon ID:  %4

Source Handle Information:

  •  Source Handle ID: %5
  •  Source Process ID: %6

New Handle Information:

  •  Target Handle ID: %7
  •  Target Process ID: %8

Supercharger Free Edition

Your entire Windows Event Collection environment on a single pane of glass.



Examples of 4690

An attempt was made to duplicate a handle to an object.


   Security ID:  ACME\Administrator
   Account Name:  Administrator
   Account Domain:  ACME
   Logon ID:  0x1f41e

Source Handle Information:

   Source Handle ID: 0x858
   Source Process ID: 0x1ac

New Handle Information:

   Target Handle ID: 0x4c
   Target Process ID: 0x1ac

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources