Windows Security Log Event ID 4657
Operating Systems: Windows 2008 R2 and 7, Windows 2012 R2 and 8.1, Windows 2016 and 10, Windows Server 2019 and 2022
Category • Subcategory: Object Access • Registry
Type: Success
Corresponding events in Windows 2003 and before: 567
4657: A registry value was modified
This event documents creation, modification and deletion of registry VALUES. It is logged between the open (4656) and close (4658) events for the registry KEY in which the value resides. See Operation Type to find out whether the value was created, modified or deleted. Of course, this event will only be logged if the key's audit policy (SACL) enables auditing of the Set Value permission for the appropriate user, or for a group of which the user is a member.
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Object:
This is the registry key and value on which the action was attempted.
- Object Name: The name of the registry key being accessed
- Object Value Name: The name of the registry value within the key that is being accessed
- Handle ID: a semi-unique (unique between reboots) number that identifies all subsequent audited events while the object is open. Handle ID allows you to correlate with the other events logged for the same open handle (Open 4656, Access 4663, Close 4658).
- Operation Type: one of the following (see the examples below)
- New registry value created
- Existing registry value modified
- Registry value deleted
Process Information:
Process ID is the process ID specified when the executable started as logged in 4688. The Process Name identifies the program executable that accessed the object.
Change Information:
Old Value Type: one of the following registry data types:
- REG_SZ: String value
- REG_BINARY: Binary value
- REG_DWORD: Double word (32-bit) value
- REG_QWORD: Quad word (64-bit) value
- REG_MULTI_SZ: Multi-String value
- REG_EXPAND_SZ: Expandable string value
Old Value: the actual data of the value before the change ("-" when the value did not exist yet)
New Value Type: same data types as Old Value Type
New Value: the actual data of the value after the change ("-" when the value was deleted)
Value created:
A registry value was modified.
Subject:
Security ID: ACME\administrator
Account Name: administrator
Account Domain: ACME
Logon ID: 0x176293
Object:
Object Name: \REGISTRY\MACHINE\SOFTWARE\MTG
Object Value Name: Path
Handle ID: 0x124
Operation Type: New registry value created
Process Information:
Process ID: 0x8d4
Process Name: C:\Windows\regedit.exe
Change Information:
Old Value Type: -
Old Value: -
New Value Type: REG_SZ
New Value:
Value modified:
A registry value was modified.
Subject:
Security ID: ACME\administrator
Account Name: administrator
Account Domain: ACME
Logon ID: 0x176293
Object:
Object Name: \REGISTRY\MACHINE\SOFTWARE\MTG
Object Value Name: Path
Handle ID: 0x124
Operation Type: Existing registry value modified
Process Information:
Process ID: 0x8d4
Process Name: C:\Windows\regedit.exe
Change Information:
Old Value Type: REG_SZ
Old Value:
New Value Type: REG_SZ
New Value: c:\data
Value deleted:
A registry value was modified.
Subject:
Security ID: ACME\administrator
Account Name: administrator
Account Domain: ACME
Logon ID: 0x176293
Object:
Object Name: \REGISTRY\MACHINE\SOFTWARE\MTG
Object Value Name: Path
Handle ID: 0x124
Operation Type: Registry value deleted
Process Information:
Process ID: 0x8d4
Process Name: C:\Windows\regedit.exe
Change Information:
Old Value Type: REG_SZ
Old Value: c:\data
New Value Type: -
New Value: -
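As an added example (not part of the original page), a small Python parser for the 4657 message layout described above. It takes the three example events as constructed input and groups them by Logon ID and Handle ID, so the create / modify / delete chain on one value within a single open handle becomes visible; the field names are the ones shown in the examples, and "-" is treated as "field does not apply".

```python
import re
from collections import defaultdict

# Constructed sample input: the three 4657 message bodies shown above (regedit
# creating, then setting, then deleting the value Path under HKLM\SOFTWARE\MTG),
# trimmed to the fields this example reads.
SAMPLE_4657 = [
    "A registry value was modified.\nSubject:\nSecurity ID: ACME\\administrator\n"
    "Logon ID: 0x176293\nObject:\nObject Name: \\REGISTRY\\MACHINE\\SOFTWARE\\MTG\n"
    "Object Value Name: Path\nHandle ID: 0x124\nOperation Type: New registry value created\n"
    "Process Name: C:\\Windows\\regedit.exe\nChange Information:\nOld Value Type: -\n"
    "Old Value: -\nNew Value Type: REG_SZ\nNew Value: \n",
    "A registry value was modified.\nSubject:\nSecurity ID: ACME\\administrator\n"
    "Logon ID: 0x176293\nObject:\nObject Name: \\REGISTRY\\MACHINE\\SOFTWARE\\MTG\n"
    "Object Value Name: Path\nHandle ID: 0x124\nOperation Type: Existing registry value modified\n"
    "Process Name: C:\\Windows\\regedit.exe\nChange Information:\nOld Value Type: REG_SZ\n"
    "Old Value: \nNew Value Type: REG_SZ\nNew Value: c:\\data\n",
    "A registry value was modified.\nSubject:\nSecurity ID: ACME\\administrator\n"
    "Logon ID: 0x176293\nObject:\nObject Name: \\REGISTRY\\MACHINE\\SOFTWARE\\MTG\n"
    "Object Value Name: Path\nHandle ID: 0x124\nOperation Type: Registry value deleted\n"
    "Process Name: C:\\Windows\\regedit.exe\nChange Information:\nOld Value Type: REG_SZ\n"
    "Old Value: c:\\data\nNew Value Type: -\nNew Value: -\n",
]

# One "Field: value" line; section headers such as "Subject:" also match but carry no value.
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")
SECTIONS = {"Subject", "Object", "Process Information", "Change Information"}

def parse_4657(body):
    """Map one 4657 message body to {field: value}; '-' (field does not apply,
    e.g. no Old Value on a create) becomes None, an empty value stays ''."""
    fields = {}
    for line in body.splitlines():
        m = FIELD.match(line)
        if not m or m.group(1) in SECTIONS:
            continue
        fields[m.group(1)] = None if m.group(2) == "-" else m.group(2)
    return fields

def value_history(bodies):
    """Group events by Logon ID + Handle ID (one open-handle session bracketed by
    4656/4658) and value name, returning the ordered (operation, old, new) chain."""
    history = defaultdict(list)
    for body in bodies:
        ev = parse_4657(body)
        key = (ev["Logon ID"], ev["Handle ID"], ev["Object Name"], ev["Object Value Name"])
        history[key].append((ev["Operation Type"], ev["Old Value"], ev["New Value"]))
    return dict(history)
```

On real collected events the same grouping lets you confirm that every 4657 sits between a 4656 and a 4658 with the same Handle ID, which is the correlation the field descriptions above rely on.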