Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Detailed Tracking->EventID 594 - A handle to an object has been duplicated
EventID 594 - A handle to an object has been duplicated
Indicates that a handle has been duplicated for the same or less access than previously granted.

Note:
This audit event is only generated if the handle being duplicated caused an audit event record to be displayed when created. If the duplication is for more access than the source handle has been granted, the duplication is treated as an object open and an Object Open audit record is generated instead of a Duplicate Handle audit record. If the source handle is closed, a separate Handle Closed audit record is generated. Windows 2000 does not support duplication of protected server objects. Handle Duplication audit records always refer to kernel objects.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:


Windows 2008
 Sample:
        Event Type:	Success Audit
        Event Source:	Security
        Event Category:	Detailed Tracking
        Event ID:	594
        Date:		1/30/2009
        Time:		6:55:28 PM
        User:		NT AUTHORITY\SYSTEM
        Computer:	DC1
        Description:
        A handle to an object has been duplicated:
        Source Handle ID:	964
        Source Process ID:	1820
        Target Handle ID:	968
        Target Process ID:	1820
      
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2000
Windows XP
Windows 2003
Category Detailed Tracking
Source Security
EventId 594
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
Source Handle ID ID of the handle being duplicated InsertionString1 964
Source Process ID ID of the process owning the source handle InsertionString2 1820
Target Handle ID ID of the duplicated handle InsertionString3 968
Target Process ID ID of the process owning the duplicated handle. If differs from the Source Process ID than the handle was passed on to a child process. InsertionString4 1820
Comments
You must be logged in to comment