Audit Kernel Object

Applies to

  • Windows 10
  • Windows Server 2016

Audit Kernel Object determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.

Only kernel objects with a matching system access control list (SACL) generate security audit events. The audits generated are usually useful only to developers.

Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled.

The “Audit: Audit the access of global system objects” policy setting controls the default SACL of kernel objects.

Event volume: High.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller No No No No Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high.
There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level.
Member Server No No No No Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high.
There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level.
Workstation No No No No Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high.
There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level.

Events List:

  • 4656(S, F): A handle to an object was requested.

  • 4658(S): The handle to an object was closed.

  • 4660(S): An object was deleted.

  • 4663(S): An attempt was made to access an object.