Windows Security Log Event ID 4690
Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022
Category • Subcategory: Object Access • Handle Manipulation
Type: Success
Corresponding events in Windows 2003 and before: 594
4690: An attempt was made to duplicate a handle to an object
When a program opens an object like a file, it gets a "handle" to that file, which it references in subsequent operations on the object. Windows checks permissions at the time of the open (aka handle request) but not afterwards. Windows allows you to duplicate a handle and hand it off to another thread or process, which then inherits whatever level of access the first program obtained to the object when it opened the object. Therefore, a thread impersonating a different user, or a process running as a different user, could exploit the potentially higher level of access that the first program has for that object. That, apparently, is why this event is logged. Unfortunately, this event doesn't seem to provide enough information to determine whether the handle was given to a lower security thread or process. Consequently, I classify this event as noise.
For an explanation of the fields in this event see events 4688 and 4656.
Subject:
- Security ID: %1
- Account Name: %2
- Account Domain: %3
- Logon ID: %4
Source Handle Information:
- Source Handle ID: %5
- Source Process ID: %6
New Handle Information:
- Target Handle ID: %7
- Target Process ID: %8