Audit Kernel Object

Applies To: Windows 7, Windows Server 2008 R2

This security policy setting allows you to audit attempts to access the system kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events.


The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects.

The audits generated are usually only useful to developers.

Typically kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled.

Event volume: High if you have enabled one of the Global Object Access Auditing settings

Default setting: Not configured

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

Event ID Event message


A handle to an object was requested with intent to delete.


An object was deleted.


A handle to an object was requested.


An attempt was made to access an object.