Audit Handle Manipulation

Applies to

  • Windows 10
  • Windows Server 2016

Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in Audit File System, Audit Kernel Object, Audit Registry, Audit Removable Storage and Audit SAM subcategories, and shows object’s handle duplication and close actions.

Event volume: High.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller No No No No Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.
There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level.
Member Server No No No No Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.
There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level.
Workstation No No No No Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.
There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level.

Events List:

  • 4658(S): The handle to an object was closed.

  • 4690(S): An attempt was made to duplicate a handle to an object.

4658(S): The handle to an object was closed.

This event doesn’t generate in this subcategory, but you can use this subcategory to enable it. For a description of the event, see “4658(S): The handle to an object was closed” in the Audit File System subcategory.