Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->SAM->EventID 4661 - A handle to an object was requested. [2012 and lower]
EventID 4661 - A handle to an object was requested. [2012 and lower]
Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:

Windows 2000
Windows 2003
 Sample: 
A handle to an object was requested.

Subject :
	Security ID:		ITSS\operations.manager
	Account Name:		operations.manager
	Account Domain:		ITSS
	Logon ID:		0x2962D681

Object:
	Object Server:	Security Account Manager
	Object Type:	SAM_DOMAIN
	Object Name:	DC=itss,DC=wm,DC=zhu,DC=cn,DC=qsft
	Handle ID:	0x1f085009da0

Process Information:
	Process ID:	0x284
	Process Name:	C:\Windows\System32\lsass.exe

Access Request Information:
	Transaction ID:	{00000000-0000-0000-0000-000000000000}
	Accesses:	DELETE
				READ_CONTROL
				WRITE_DAC
				WRITE_OWNER
				ReadPasswordParameters
				ReadOtherParameters
				WriteOtherParameters
				CreateUser
				CreateGlobalGroup
				GetLocalGroupMembership
				ListAccounts
				
	Access Mask:	0xF01BD
	Privileges Used for Access Check:	-
	Properties:	---
	{19195a5a-6da0-11d0-afd3-00c04fd930c9}
DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
ReadPasswordParameters
ReadOtherParameters
WriteOtherParameters
CreateUser
CreateGlobalGroup
GetLocalGroupMembership
ListAccounts
		{c7407360-20bf-11d0-a768-00aa006e0529}
			{bf9679a4-0de6-11d0-a285-00aa003049e2}
			{bf9679a5-0de6-11d0-a285-00aa003049e2}
			{bf9679a6-0de6-11d0-a285-00aa003049e2}
			{bf9679bb-0de6-11d0-a285-00aa003049e2}
			{bf9679c2-0de6-11d0-a285-00aa003049e2}
			{bf9679c3-0de6-11d0-a285-00aa003049e2}
			{bf967a09-0de6-11d0-a285-00aa003049e2}
			{bf967a0b-0de6-11d0-a285-00aa003049e2}
		{b8119fd0-04f6-4762-ab7a-4986c76b3f9a}
			{bf967a34-0de6-11d0-a285-00aa003049e2}
			{bf967a33-0de6-11d0-a285-00aa003049e2}
			{bf9679c5-0de6-11d0-a285-00aa003049e2}
			{bf967a61-0de6-11d0-a285-00aa003049e2}
			{bf967977-0de6-11d0-a285-00aa003049e2}
			{bf96795e-0de6-11d0-a285-00aa003049e2}
			{bf9679ea-0de6-11d0-a285-00aa003049e2}
		{ab721a52-1e2f-11d0-9819-00aa0040529b}

	Restricted SID Count:	0
===========================
Description template stored in adtschema.dll:
===========================
A handle to an object was requested.

Subject :
	Security ID:		%1
	Account Name:		%2
	Account Domain:		%3
	Logon ID:		%4

Object:
	Object Server:	%5
	Object Type:	%6
	Object Name:	%7
	Handle ID:	%8

Process Information:
	Process ID:	%15
	Process Name:	%16

Access Request Information:
	Transaction ID:	%9
	Accesses:	%10
	Access Mask:	%11
	Privileges Used for Access Check:	%12
	Properties:	%13
	Restricted SID Count:	%14
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Category Object Access
Source Microsoft-Windows-Security-Auditing
TaskCategory SAM
EventId 4661
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Task Category A name for a subclass of events within the same Event Source. TaskCategory
Level Warning, Information, Error, etc. Level
Keywords Audit Success, Audit Failure, Classic, Connection etc. Keywords
Category A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version. Category Account Logon
Object Name InsertionString7
Whom InsertionString7
Object Type InsertionString6
Class Name InsertionString6
Security ID InsertionString1
Account Name InsertionString2
Account Domain InsertionString3
Subject: Security ID Security ID of the account that performed the action. Usually resolved to Domain\Name in home environment. InsertionString1 ITSS\operations.manager
Subject: Account Name Name of the account that initiated the action. InsertionString2 operations.manager
Subject: Account Domain Name of the domain that account initiating the action belongs to. InsertionString3 ITSS
Subject: Logon ID A number uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session. InsertionString4 0x2962D681
Object: Object Server The name of the system component handling the access request. InsertionString5 Security Account Manager
Object: Object Type SAM_USER or SAM_DOMAIN InsertionString6 SAM_DOMAIN
Object: Object Name Distinguished name of the AD object (or it's SAM replica) InsertionString7 DC=itss,DC=wm,DC=zhu,DC=cn,DC=qsft
Object: Handle ID ID of the object handle granted to the process accessing it. InsertionString8 0x1f085009da0
Process Information: Process ID ID of the process accessing the object. InsertionString15 0x284
Process Information: Process Name Filename of the process executable. InsertionString16 C:\Windows\System32\lsass.exe
Access Request Information: Transaction ID InsertionString9 {00000000-0000-0000-0000-000000000000}
Access Request Information: Accesses InsertionString10 DELETE
Access Request Information: Access Mask InsertionString11 0xF01BD
Access Request Information: Privileges Used for Access Check InsertionString12 -
Access Request Information: Restricted SID Count InsertionString14 0
Access Request Information: Properties InsertionString13 ---
Process Name InsertionString16
Accesses InsertionString10
Access Mask InsertionString11
Property InsertionString13
Comments
You must be logged in to comment