deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/keep-secure/audit-handle-manipulation.md
Brian Lich fa5ddfcf9d changing from ms.prod: W10 to ms.prod: w10
2016-06-02 15:42:37 -07:00

39 lines
3.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
title: Audit Handle Manipulation (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed.
ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Audit Handle Manipulation
**Applies to**
- Windows 10
- Windows Server 2016
Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows objects handle duplication and close actions.
**Event volume**: High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
| Member Server | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
| Workstation | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
**Events List:**
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4690](event-4690.md)(S): An attempt was made to duplicate a handle to an object.
## 4658(S): The handle to an object was closed.
This event doesnt generate in this subcategory, but you can use this subcategory to enable it. For a description of the event, see “[4658](event-4658.md)(S): The handle to an object was closed” in the Audit File System subcategory.
Reference in New Issue View Git Blame Copy Permalink