Windows Security Log Event ID 4690

Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10
Category: Object Access
Subcategory: Handle Manipulation
Type: Success
Corresponding events in Windows 2003 and before: 594

4690: An attempt was made to duplicate a handle to an object


When a program opens an object such as a file, it gets a "handle" to that object, which it references in subsequent operations on it. Windows checks permissions at the time of the open (aka the handle request) but not afterwards. Windows allows a program to duplicate a handle and hand it off to another thread or process, which then inherits whatever level of access the first program obtained when it opened the object. Therefore a thread impersonating a different user, or a process running as a different user, could exploit the potentially higher level of access that the first program holds for that object. That, apparently, is why this event is logged. Unfortunately, this event doesn't seem to provide enough information to determine whether the handle was given to a lower-security thread or process. Consequently, I classify this event as noise.

For an explanation of the fields in this event see events 4688 and 4656.


Description Fields in 4690

Subject:

  •  Security ID:  %1
  •  Account Name:  %2
  •  Account Domain:  %3
  •  Logon ID:  %4

Source Handle Information:

  •  Source Handle ID: %5
  •  Source Process ID: %6

New Handle Information:

  •  Target Handle ID: %7
  •  Target Process ID: %8


Examples of 4690

An attempt was made to duplicate a handle to an object.

Subject:

   Security ID:  ACME\Administrator
   Account Name:  Administrator
   Account Domain:  ACME
   Logon ID:  0x1f41e

Source Handle Information:

 
   Source Handle ID: 0x858
   Source Process ID: 0x1ac

New Handle Information:

   Target Handle ID: 0x4c
   Target Process ID: 0x1ac
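
Because 4690 reports only process IDs for the source and target, one way to triage it is to drop same-process duplicates (like the record above, where both PIDs are 0x1ac) and look up the owner of the target PID elsewhere. The following is an added example, not code from this page or from Microsoft; the function names, the `svc-backup` account, the 0x9c4 PID and the PID-to-account map are assumptions constructed for illustration.

```python
import re
# Field labels exactly as they appear in the 4690 description on this page.
FIELDS = ("Security ID", "Account Name", "Account Domain", "Logon ID",
          "Source Handle ID", "Source Process ID",
          "Target Handle ID", "Target Process ID")
TEXT_FIELDS = {"Security ID", "Account Name", "Account Domain"}

def parse_4690(message):
    """Extract the 4690 description fields; hex values are returned as ints."""
    event = {}
    for name in FIELDS:
        m = re.search(r"^[ \t]*" + re.escape(name) + r":[ \t]*(\S.*?)[ \t]*$",
                      message, re.MULTILINE)
        if m is None:
            raise ValueError("4690 message is missing field: " + name)
        event[name] = m.group(1) if name in TEXT_FIELDS else int(m.group(1), 16)
    return event

def cross_process_duplicates(messages, process_owner):
    """Return the events whose handle was duplicated into another process.
    4690 gives only PIDs, so the target's account comes from process_owner,
    a PID -> account map (assumption: built separately, PIDs not yet reused).
    """
    findings = []
    for message in messages:
        ev = parse_4690(message)
        if ev["Source Process ID"] == ev["Target Process ID"]:
            continue  # duplicated within one process: no hand-off to another
        ev["Target Owner"] = process_owner.get(ev["Target Process ID"], "unknown")
        ev["Owner Differs"] = ev["Target Owner"] != ev["Security ID"]
        findings.append(ev)
    return findings

# PAGE_EXAMPLE is this page's record; CONSTRUCTED and OWNERS are constructed.
PAGE_EXAMPLE = r"""Subject:
   Security ID:  ACME\Administrator
   Account Name:  Administrator
   Account Domain:  ACME
   Logon ID:  0x1f41e
Source Handle Information:
   Source Handle ID: 0x858
   Source Process ID: 0x1ac
New Handle Information:
   Target Handle ID: 0x4c
   Target Process ID: 0x1ac
"""
CONSTRUCTED = PAGE_EXAMPLE.replace("Target Process ID: 0x1ac",
                                   "Target Process ID: 0x9c4")
OWNERS = {0x1ac: r"ACME\Administrator", 0x9c4: r"ACME\svc-backup"}
```

Calling `cross_process_duplicates([PAGE_EXAMPLE, CONSTRUCTED], OWNERS)` returns only the constructed record, with the target owner filled in from the map.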
