Windows Security Log Event ID 4907

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Category
 • Subcategory
Policy Change
 • Audit Policy Change
Type Success
Corresponding events
in Windows 2003
and before
 
Discussions on Event ID 4907
Ask a question about this event

4907: Auditing settings on object were changed

On this page

When you change the audit SACL of an object, such as a file or folder, Windows logs this event.  In the example below, Administrator configured a new audit policy on C:\Users\Administrator\testfolder.

Free Security Log Resources by Randy

Description Fields in 4907

Subject:

The user and logon session that performed the action.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Object:

This is the object whose audit policy was changed.

  • Object Server: always "Security"
  • Object Type: "File" for file or folder but can be other types of objects such as Key, SAM, SERVICE OBJECT, etc.
  • Object Name: The name of the object being accessed
  • Handle ID: is a semi-unique (unique between reboots) number that identifies all subsequent audited events while the object is open. Handle ID allows you to correlate to other events logged (Open 4656, Access 4663, Close 4658)

Process Information:

  • Process ID: The process ID specified when the executable started as logged in 4688.
  • Process Name: Identifies the program executable that accessed the object.

Auditing Settings:

  • Original Security Descriptor: blank if no audit policy configured. Otherwise the old audit policy (SACL) of the object in SDDL format (Security Descriptor Definition Language). See http://msdn2.microsoft.com/en-us/library/aa379567.aspx
  • New Security Descriptor: The new audit policy (SACL) of the object in SDDL format (Security Descriptor Definition Language)

Supercharger Free Edition

 

Supercharger's built-in Xpath filters leave the noise behind.

Free.

 

Examples of 4907

Auditing settings on object were changed.

Subject:

   Security ID:  WIN-R9H529RIO4Y\Administrator
   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x1fd23

Object:

   Object Server: Security
   Object Type: File
   Object Name: C:\Users\Administrator\testfolder
   Handle ID: 0x1d0

Process Information:

   Process ID: 0x8c0
   Process Name: C:\Windows\explorer.exe

Auditing Settings:
  
   Original Security Descriptor:
   New Security Descriptor:  S:ARAI (AU;OIIOSAFA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources