Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->SAM->EventID 4656 - A handle to an object was requested. [2008]
EventID 4656 - A handle to an object was requested. [2008]

It is generated by corresponding resource manager in multiple subcategories:
  • File System
  • Kernel Object
  • Registry
  • SAM
  • Other Object Access Events
Event 4656 might occur if the failure audit was enabled for Handle Manipulation using auditpol.

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:

Windows 2000
Windows 2003 Windows 2008
    Log Name:      Security
    Source:           Microsoft-Windows-Security-Auditing
    Date:              11/18/2011 9:22:28 PM
    Event ID:        4656
    Task Category: SAM
    Level:              Information
    Keywords:      Audit Success
    User:              N/A
    Computer:      dcc1.logistics.corp
    A handle to an object was requested.
    	Security ID:		SYSTEM
    	Account Name:	DCC1$
    	Account Domain:	LOGISTICS
    	Logon ID:		0x3e7
    	Object Server:	Security Account Manager
    	Object Type:		SAM_SERVER
    	Object Name:	SAM
    	Handle ID:		0x350168
    Process Information:
    	Process ID:		0x26c
    	Process Name:	C:\Windows\System32\lsass.exe
    Access Request Information:
    	Transaction ID:	{00000000-0000-0000-0000-000000000000}
    	Accesses:		DELETE
    	Access Mask:	0xf003f
    	Privileges Used for Access Check:	-
    	Restricted SID Count:	0
    Description template stored in adtschema.dll:
    A handle to an object was requested.
    	Security ID:		%1
    	Account Name:		%2
    	Account Domain:		%3
    	Logon ID:		%4
    	Object Server:		%5
    	Object Type:		%6
    	Object Name:		%7
    	Handle ID:		%8
    Process Information:
    	Process ID:		%14
    	Process Name:		%15
    Access Request Information:
    	Transaction ID:		%9
    	Accesses:		%10
    	Access Mask:		%11
    	Privileges Used for Access Check:	%12
    	Restricted SID Count:	%13
    Log Type: Windows Event Log
     Uniquely Identified By:
    Log Name: Security
    Filtering Field Equals to Value
    OSVersion Windows Vista (2008)
    Category Object Access
    Source Microsoft-Windows-Security-Auditing
    TaskCategory SAM
    EventId 4656
    Field Matching
    FieldDescriptionStored inSample Value
    DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
    Source Name of an Application or System Service originating the event. Source Security
    Type Warning, Information, Error, Success, Failure, etc. Type Success
    User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
    Computer Name of server workstation where event was logged. Computer DC1
    EventID Numerical ID of event. Unique within one Event Source. EventId 576
    Description The entire unparsed event message. Description Special privileges assigned to new logon.
    Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
    Task Category A name for a subclass of events within the same Event Source. TaskCategory
    Level Warning, Information, Error, etc. Level
    Keywords Audit Success, Audit Failure, Classic, Connection etc. Keywords
    Category A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version. Category Account Logon
    Object Name InsertionString7
    Whom InsertionString7
    Object Type InsertionString6
    Class Name InsertionString6
    Security ID InsertionString1
    Account Name InsertionString2
    Account Domain InsertionString3
    Subject: Security ID Security ID of the account that performed the action. Usually resolved to Domain\Name in home environment. InsertionString1 SYSTEM
    Subject: Account Name Name of the account that initiated the action. InsertionString2 DCC1$
    Subject: Account Domain Name of the domain that account initiating the action belongs to. InsertionString3 LOGISTICS
    Subject: Logon ID A number uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session. InsertionString4 0x3e7
    Object: Object Server The name of the system component handling the access request. InsertionString5 Security Account Manager
    Object: Object Type SAM_USER or SAM_DOMAIN InsertionString6 SAM_SERVER
    Object: Object Name Distinguished name of the AD object (or it's SAM replica) InsertionString7 SAM
    Object: Handle ID ID of the object handle granted to the process accessing it. InsertionString8 0x350168
    Process Information: Process ID ID of the process accessing the object. InsertionString14 0x26c
    Process Information: Process Name Filename of the process executable. InsertionString15 C:\Windows\System32\lsass.exe
    Access Request Information: Transaction ID InsertionString9 {00000000-0000-0000-0000-000000000000}
    Access Request Information: Accesses InsertionString10 DELETE
    Access Request Information: Access Mask InsertionString11 0xf003f
    Access Request Information: Privileges Used for Access Check InsertionString12 -
    Access Request Information: Restricted SID Count InsertionString13 0
    Process Name InsertionString15
    You must be logged in to comment