次の方法で共有


Audit Handle Manipulation

Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in Audit File System, Audit Kernel Object, Audit Registry, Audit Removable Storage and Audit SAM subcategories, and shows object’s handle duplication and close actions.

Event volume: High.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller No No No No Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.
There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level.
Member Server No No No No Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.
There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level.
Workstation No No No No Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.
There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Object’s Handles level.

Events List:

  • 4658(S): The handle to an object was closed.

  • 4690(S): An attempt was made to duplicate a handle to an object.

  • 4658(S): The handle to an object was closed. For a description of the event, see 4658(S): The handle to an object was closed. in the Audit File System subcategory. This event doesn’t generate in the Audit Handle Manipulation subcategory, but you can use this subcategory to enable it.