Windows Security Log Event ID 4690

Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022
Category: Object Access
Subcategory: Handle Manipulation
Type: Success
Corresponding events in Windows 2003 and before: 594

4690: An attempt was made to duplicate a handle to an object

When a program opens an object such as a file, it gets a "handle" to that object, which it references in subsequent operations on it.  Windows checks permissions at the time of the open (the handle request) but not afterwards.  Windows allows a handle to be duplicated and handed off to another thread or process, which then inherits whatever level of access the first program obtained when it opened the object.  A thread impersonating a different user, or a process running as a different user, could therefore exploit the first program's potentially higher level of access to that object.  That apparently is why this event is logged.  Unfortunately, this event doesn't seem to provide enough information to determine whether the handle was given to a lower-security thread or process.  Consequently I classify this event as noise.

For an explanation of the fields in this event see events 4688 and 4656.

Description Fields in 4690

Subject:

  •  Security ID:  %1
  •  Account Name:  %2
  •  Account Domain:  %3
  •  Logon ID:  %4

Source Handle Information:

  •  Source Handle ID: %5
  •  Source Process ID: %6

New Handle Information:

  •  Target Handle ID: %7
  •  Target Process ID: %8

Examples of 4690

An attempt was made to duplicate a handle to an object.

Subject:

   Security ID:  ACME\Administrator
   Account Name:  Administrator
   Account Domain:  ACME
   Logon ID:  0x1f41e

Source Handle Information:

   Source Handle ID: 0x858
   Source Process ID: 0x1ac

New Handle Information:

   Target Handle ID: 0x4c
   Target Process ID: 0x1ac
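
The fields above are enough to separate same-process duplications, like the example event, from those where the handle went to another process, although not to say whether the target is less privileged. The Python below is an added example, not part of the original page: the second event, the PID-to-image map and the function names are constructed for illustration, and the map is assumed to have been built from 4688 process-creation events.

```python
import re
# Event text from the example on this page (source and target PID are equal).
SAME_PROCESS = r"""An attempt was made to duplicate a handle to an object.
Subject:
   Security ID:  ACME\Administrator
   Account Name:  Administrator
   Account Domain:  ACME
   Logon ID:  0x1f41e
Source Handle Information:
   Source Handle ID: 0x858
   Source Process ID: 0x1ac
New Handle Information:
   Target Handle ID: 0x4c
   Target Process ID: 0x1ac
"""
# Constructed variant: the same event with a made-up, different target PID.
CROSS_PROCESS = SAME_PROCESS.replace("Target Process ID: 0x1ac", "Target Process ID: 0x2b0")
# Constructed PID-to-image map (hypothetical paths), as it could be built from 4688 events.
PID_NAMES = {0x1AC: r"C:\Example\source.exe",
             0x2B0: r"C:\Example\target.exe"}

# "Name:  value" lines; section headers such as "Subject:" carry no value.
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z ]+?):[ \t]+(\S.*?)[ \t]*$", re.MULTILINE)

def parse_4690(message):
    """Return the 4690 fields as a dict, with PIDs and handle IDs as ints."""
    f = dict(FIELD_RE.findall(message))
    return {
        "account": f["Account Domain"] + "\\" + f["Account Name"],
        "logon_id": int(f["Logon ID"], 16),
        "source_handle": int(f["Source Handle ID"], 16),
        "source_pid": int(f["Source Process ID"], 16),
        "target_handle": int(f["Target Handle ID"], 16),
        "target_pid": int(f["Target Process ID"], 16),
    }

def cross_process_duplications(messages, pid_names):
    """Keep only events whose handle left the source process, with names resolved."""
    hits = []
    for ev in map(parse_4690, messages):
        if ev["source_pid"] != ev["target_pid"]:
            ev["source_image"] = pid_names.get(ev["source_pid"], "unknown")
            ev["target_image"] = pid_names.get(ev["target_pid"], "unknown")
            hits.append(ev)
    return hits

if __name__ == "__main__":
    for hit in cross_process_duplications([SAME_PROCESS, CROSS_PROCESS], PID_NAMES):
        print(hit)
```

Because PIDs are reused, a real PID-to-image map needs to be keyed by host and time window as well.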
