Folder Details
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->Handle Manipulation
Handle Manipulation
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Object Access
Source Microsoft-Windows-Security-Auditing
TaskCategory Handle Manipulation
Field Matching
FieldDescriptionSample Value
DateTime Date/Time of event origination in GMT format. 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Security
Type Warning, Information, Error, Success, Failure, etc. Success
User Domain\Account name of user/service/computer initiating event. RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. DC1
EventID Numerical ID of event. Unique within one Event Source. 576
Description The entire unparsed event message. Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) Security
Task Category A name for a subclass of events within the same Event Source.
Level Warning, Information, Error, etc.
Keywords Audit Success, Audit Failure, Classic, Connection etc.
Category A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version. Account Logon
Object Name
Whom
Object Type
Class Name
Security ID
Account Name
Account Domain
Subject: Security ID Security ID of the account that performed the action. Usually resolved to Domain\Name in home environment.
Subject: Account Name Name of the account that initiated the action.
Subject: Account Domain Name of the domain that account initiating the action belongs to.
Subject: Logon ID A number uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session.
Source Handle Information: Source Handle ID ID of the handle that being duplicated.
Source Handle Information: Source Process ID ID of the process that owns the original handle.
New Handle Information: Target Handle ID ID of the duplicated handle.
New Handle Information: Target Process ID ID of the process that requested the secondary handle.