Event Details
EventID 4656 - A handle to an object was requested - Failed
Sample:
A handle to an object was requested.

Subject:
	Security ID:		NT AUTHORITY\NETWORK SERVICE
	Account Name:		IIZHU1$
	Account Domain:		ITSS
	Logon ID:		0x3e4

Object:
	Object Server:		Security
	Object Type:		Key
	Object Name:		\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider
	Handle ID:		0xac8
	Resource Attributes:	-

Process Information:
	Process ID:		0x248
	Process Name:		C:\Windows\System32\svchost.exe

Access Request Information:
	Transaction ID:		{00000000-0000-0000-0000-000000000000}
	Accesses:		READ_CONTROL
				Query key value
				Enumerate sub-keys
				Notify about changes to keys
	Access Reasons:		-
	Access Mask:		0x20019
	Privileges Used for Access Check:	-
	Restricted SID Count:	0
===========================
Description template stored in adtschema.dll:
===========================
A handle to an object was requested.

Subject:
	Security ID:		%1
	Account Name:		%2
	Account Domain:		%3
	Logon ID:		%4

Object:
	Object Server:		%5
	Object Type:		%6
	Object Name:		%7
	Handle ID:		%8
	Resource Attributes:	%17

Process Information:
	Process ID:		%15
	Process Name:		%16

Access Request Information:
	Transaction ID:		%9
	Accesses:		%10
	Access Reasons:		%11
	Access Mask:		%12
	Privileges Used for Access Check:	%13
	Restricted SID Count:	%14
Log Type: Windows Event Log
Uniquely Identified By:
Log Name: Security
Filtering Field | Equals to Value
OSVersion | Windows 7 (2008 R2); Windows 8 (2012); Windows 8.1 (2012 R2); Windows 10 (2016)
Category | Object Access
Source | Microsoft-Windows-Security-Auditing
TaskCategory | Registry
EventId | 4656
Type | Failure Audit
Field Matching
Field | Description | Stored in | Sample Value
When | At what date and time a user activity originated in the system. | DateTime | 10.10.2000 19:00:00
Who | Account or user name under which the activity occurred. | Subject: Account Name | IIZHU1$
What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "Registry Object Access" | Registry Object Access
Where | The name of the workstation/server where the activity was logged. | Computer | DC1
Where From | The name of the workstation/server from which the activity was initiated. | - | 10.10.10.10
Severity | Specifies the seriousness of the event. | "High" | High
WhoDomain | - | Subject: Account Domain | ITSS
WhereDomain | - | - | -
Result | Successful or Failed | "Failed" | Failed
Object Name | - | Object Name | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider
Object Type | - | Object Type | Key
Whom | - | InsertionString7 | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider
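As an added example (not part of this reference page), the following Python parser takes the 4656 message body shown above, maps it onto the Field Matching columns, and decodes the Access Mask into the registry rights it sets, cross-checking them against the printed Accesses list. The REG_RIGHTS bit values are the standard winnt.h KEY_* and standard-rights constants; the SAMPLE text is constructed from the event body on this page.

```python
import re
# Registry access-right bits (winnt.h KEY_* and standard rights) behind the names the event prints.
REG_RIGHTS = {
    0x00001: "Query key value", 0x00002: "Set key value", 0x00004: "Create sub-key",
    0x00008: "Enumerate sub-keys", 0x00010: "Notify about changes to keys",
    0x00020: "Create link", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}

# Constructed sample: the event body shown above, whitespace collapsed to single tabs.
SAMPLE = "\n".join([
    "Subject:",
    "\tAccount Name:\tIIZHU1$",
    "\tAccount Domain:\tITSS",
    "\tObject Type:\tKey",
    "\tObject Name:\t\\REGISTRY\\MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\WSMAN\\Plugin\\WMI Provider",
    "\tAccesses:\tREAD_CONTROL",
    "\t\t\tQuery key value",
    "\t\t\tEnumerate sub-keys",
    "\t\t\tNotify about changes to keys",
    "\tAccess Reasons:\t-",
    "\tAccess Mask:\t0x20019",
])

def parse_4656(message):
    """'Label:<tabs>value' lines become dict entries; unlabeled indented lines extend Accesses."""
    fields, current = {}, None
    for line in message.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z ]*):\s*(.*)$", line)
        if m:
            current, value = m.groups()
            fields[current] = [value] if current == "Accesses" else value
        elif line.strip() and current == "Accesses":
            fields[current].append(line.strip())
    return fields

def decode_mask(mask):
    """Expand an Access Mask into the right names it sets (0x20019 is KEY_READ)."""
    return [name for bit, name in sorted(REG_RIGHTS.items()) if mask & bit]

def normalize(message):
    """Map the event onto the Field Matching columns and cross-check Accesses vs. Access Mask."""
    f = parse_4656(message)
    rights = decode_mask(int(f["Access Mask"], 16))
    return {
        "Who": f["Account Name"], "WhoDomain": f["Account Domain"],
        "What": "Registry Object Access", "Result": "Failed",  # failure-audit variant of 4656
        "Object Name": f["Object Name"], "Object Type": f["Object Type"],
        "Accesses": f["Accesses"], "Mask Consistent": set(f["Accesses"]) == set(rights),
    }
```

The Result column is not in the message body; it comes from the event's audit type (Failure Audit), which is why it is fixed here rather than parsed.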