Event Details
EventID 4670 - Permissions on an object were changed.
Sample:
Log Name:      Security
Source:           Microsoft-Windows-Security-Auditing
Date:              9/23/2010 4:10:19 PM
Event ID:        4670
Task Category: Authorization Policy Change
Level:              Information
Keywords:      Audit Success
User:              N/A
Computer:      DC1
Description:
Permissions on an object were changed.

Subject:
	Security ID:		RESEARCH\DCC1$
	Account Name:	DCC1$
	Account Domain:	RESEARCH
	Logon ID:		0x6d883

Object:
	Object Server:	Security
	Object Type: 	Key
	Object Name:	\REGISTRY\MACHINE\SOFTWARE\New Key #1
	Handle ID:	0x154

Process:
	Process ID:	0x5f8
	Process Name:	C:\Windows\regedit.exe

Permissions Change:
	Original Security Descriptor:	D:AI(A;CI;RC;;;S-1-5-21-1142721486-4050565067-49909644-1103)(A;ID;KR;;;BU)(A;CIIOID;GR;;;BU)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)
	New Security Descriptor:	D:ARAI(A;CI;KR;;;S-1-5-21-1142721486-4050565067-49909644-1103)(A;ID;KR;;;BU)(A;CIIOID;GR;;;BU)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)
Log Type: Windows Event Log
Uniquely Identified By:
Log Name: Security

| Filtering Field | Equals to Value |
|---|---|
| OSVersion | Windows Vista (2008), Windows 7 (2008 R2), Windows 8 (2012), Windows 8.1 (2012 R2), Windows 10 (2016) |
| Category | Policy Change |
| Source | Microsoft-Windows-Security-Auditing |
| EventId | 4670 |
| InsertionString6 | Key |
Field Matching

| Field | Description | Stored in | Sample Value |
|---|---|---|---|
| When | At what date and time a user activity originated in the system. | DateTime | 10.10.2000 19:00:00 |
| Who | Account or user name under which the activity occurred. | Subject: Account Name | DCC1$ |
| What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "Permission Change" | Permission Change |
| Where | The name of the workstation/server where the activity was logged. | Computer | DC1 |
| Where From | The name of the workstation/server where the activity was initiated from. | - | 10.10.10.10 |
| Severity | Specify the seriousness of the event. | "High" | High |
| WhoDomain | | Subject: Account Domain | |
| WhereDomain | | - | |
| Object Type | The type of object whose permissions were changed (e.g. AD object, file, registry, etc.) | Object Type | Registry Object |
| Object Name | The name of the object whose permissions were changed (e.g. full system path to the file or folder) | Object Name | |
| To Whom | Account whose access permissions to the object were changed | - | |