Thursday, January 9, 2020

Event ID 4658 - The handle to an object was closed

Event ID 4658 - The handle to an object was closed

Operating System:
  • Windows 2008 R2 and 7
  • Windows 2012 R2 and 8.1
  • Windows 2016 and 10
Log Sample:
{
 "EventTime": "2017/11/17 04:04:12"
 "Hostname": "TEST.logpoint.com"
 "Keywords": -9214364837600034816
 "EventType": "AUDIT_SUCCESS"
 "SeverityValue": 2
 "Severity": "INFO"
 "EventID": 4658
 "SourceName": "Microsoft-Windows-Security-Auditing"
 "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}"
 "Version": 0
 "Task": 12800
 "OpcodeValue": 0
 "RecordNumber": 424365141
 "ProcessID": 4
 "ThreadID": 88
 "Channel": "Security"
 "Message": "The handle to an object was closed."
 "Category": "File System"
 "Opcode": "Info"
 "SubjectUserSid": "S-1-5-18"
 "SubjectUserName": "RIM-TEST"
 "SubjectDomainName": "INTRANET"
 "SubjectLogonId": "0x3e7"
 "ObjectServer": "Security"
 "HandleId": "0x510"
 "ProcessName": "C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe"
 "EventReceivedTime": "2017/11/17 04:04:12"
 "SourceModuleName": "wineventlog_in"
 "SourceModuleType": "im_msvistalog"
}

This event is logged when an auditing is enabled on an object. Here object can be anything from File, Folder, Key, Service Object, SAM etc.

This event is logged when an object is closed after it was opened. 4658 event determines how long the object was open.

Subject User Information:
"SubjectUserSid" -> SID of an account
"SubjectUserName" -> user who logged in
"SubjectDomainName" -> domain name or computer name
"SubjectLogonId" -> This is an semi-unique id, can be correlated back to event id 4624, identifying logon session. Semi-unique in a sense that this is change in each reboot.

Object
  "HandleId" -> This is again a semi-unique id that identifies all subsequent audited events while the object is open.  This id is used to correlate to other object access events (Open 4656, Access 4663, Close 4658)
Process
 "ProcessName" -> Identifies executable program that accessed an object
 "ProcessID" -> ID specified when the executable started as logged in 4688
at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)