Windows Security Log Event ID 4658

Operating Systems	Windows 2008 R2 and 7 Windows 2012 R2 and 8.1 Windows 2016 and 10 Windows Server 2019 and 2022
Category • Subcategory	Object Access • File System • Registry • Kernel Object • SAM • Handle Manipulation • Other Object Access Events
Type	Success
Corresponding events in Windows 2003 and before	562

4658: The handle to an object was closed

On this page

Description of this event
Field level details
Examples

This event is logged by multiple subcategories as indicated above.

(it appears that two subcategories must be enabled, Handle Manipulation and one other such as File System or Registry depending on what type of object you are auditing.)

After successfully opening an object, a program eventually closes it which is documented by this event. 4658 helps you determine how long the object was open. For this event to be useful you must link it back to the earlier event ID 4656 with the same handle ID.

Free Security Log Resources by Randy

Description Fields in 4658

Subject:

The user and logon session that opened and now closed the object.

Security ID: The SID of the account.
Account Name: The account logon name.
Account Domain: The domain or - in the case of local accounts - computer name.
Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Object:

This is the object upon whom the action was attempted.

Object Server: always "Security"
Handle ID: is a semi-unique (unique between reboots) number that identifies all subsequent audited events while the object is open. Handle ID allows you to correlate to other events logged (Open 4656, Access 4663, Close 4658)

Process Information:

Process ID is the process ID specified when the executable started as logged in 4688. The Process Name identifies the program executable that accessed the object.

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.

Free.

Examples of 4658

The handle to an object was closed.
Subject :
   Security ID: WIN-R9H529RIO4Y\Administrator
   Account Name: Administrator
   Account Domain: WIN-R9H529RIO4Y
   Logon ID: 0x1fd23
Object:
   Object Server: Security
   Handle ID: 0xb8
Process Information:
   Process ID: 0xed0
   Process Name: C:\Windows\System32\notepad.exe

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Mini-Seminars Covering Event ID 4658

Detecting Persistence: Top 9 Security Changes to Monitor on Windows Server

Upcoming Webinars

Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.