deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/keep-secure/audit-handle-manipulation.md
Brian Lich fa5ddfcf9d changing from ms.prod: W10 to ms.prod: w10
2016-06-02 15:42:37 -07:00

3.4 KiB
Raw Blame History

title, description, ms.assetid, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, author
title description ms.assetid ms.pagetype ms.prod ms.mktglfcycl ms.sitesec author
Audit Handle Manipulation (Windows 10) This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed. 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091 security w10 deploy library Mir0sh

Audit Handle Manipulation

Applies to

  • Windows 10
  • Windows Server 2016

Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in Audit File System, Audit Kernel Object, Audit Registry, Audit Removable Storage and Audit SAM subcategories, and shows objects handle duplication and close actions.

Event volume: High.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller No No No No Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.
There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level.
Member Server No No No No Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.
There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level.
Workstation No No No No Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.
There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level.

Events List:

  • 4658(S): The handle to an object was closed.

  • 4690(S): An attempt was made to duplicate a handle to an object.

4658(S): The handle to an object was closed.

This event doesnt generate in this subcategory, but you can use this subcategory to enable it. For a description of the event, see “4658(S): The handle to an object was closed” in the Audit File System subcategory.