mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-29 05:37:22 +00:00
39 lines
1.5 KiB
Markdown
39 lines
1.5 KiB
Markdown
---
|
||
title: Audit Handle Manipulation (Windows 10)
|
||
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed.
|
||
ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091
|
||
ms.prod: W10
|
||
ms.mktglfcycl: deploy
|
||
ms.sitesec: library
|
||
ms.pagetype: security
|
||
author: brianlic-msft
|
||
---
|
||
|
||
# Audit Handle Manipulation
|
||
|
||
**Applies to**
|
||
- Windows 10
|
||
|
||
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Handle Manipulation**, which determines whether the operating system generates audit events when a handle to an object is opened or closed.
|
||
|
||
Only objects with configured system access control lists (SACLs) generate these events, and only if the attempted handle operation matches the SACL.
|
||
|
||
> **Important:** Handle Manipulation events are generated only for object types where the corresponding File System or Registry Object Access subcategory is enabled. For more information, see [Audit File System](audit-file-system.md) or [Audit Registry](audit-registry.md).
|
||
|
||
|
||
Event volume: High, depending on how SACLs are configured
|
||
|
||
Default: Not configured
|
||
|
||
| Event ID | Event message |
|
||
| - | - |
|
||
| 4656 | A handle to an object was requested. |
|
||
| 4658 | The handle to an object was closed. |
|
||
| 4690 | An attempt was made to duplicate a handle to an object. |
|
||
|
||
## Related topics
|
||
|
||
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
|
||
|
||
|