Windows Security Log Event ID 4907
Operating Systems |
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category • Subcategory | Policy Change • Audit Policy Change |
Type
|
Success
|
Corresponding events
in Windows
2003 and before |
|
4907: Auditing settings on object were changed
On this page
When you change the audit SACL of an object, such as a file or folder, Windows logs this event. In the example below, Administrator configured a new audit policy on C:\Users\Administrator\testfolder.
Free Security Log Resources by Randy
Subject:
The user and logon session that performed the action.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Object:
This is the object whose audit policy was changed.
- Object Server: always "Security"
- Object Type: "File" for file or folder but can be other types of objects such as Key, SAM, SERVICE OBJECT, etc.
- Object Name: The name of the object being accessed
- Handle ID: is a semi-unique (unique between reboots) number that identifies all subsequent audited events while the object is open. Handle ID allows you to correlate to other events logged (Open 4656, Access 4663, Close 4658)
Process Information:
- Process ID: The process ID specified when the executable started as logged in 4688.
- Process Name: Identifies the program executable that accessed the object.
Auditing Settings:
- Original Security Descriptor: blank if no audit policy configured. Otherwise the old audit policy (SACL) of the object in SDDL format (Security Descriptor Definition Language). See http://msdn2.microsoft.com/en-us/library/aa379567.aspx
- New Security Descriptor: The new audit policy (SACL) of the object in SDDL format (Security Descriptor Definition Language)
Supercharger Free Edition
Supercharger's built-in Xpath filters leave the noise behind.
Free.
Auditing settings on object were changed.
Subject:
Security ID: WIN-R9H529RIO4Y\Administrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x1fd23
Object:
Object Server: Security
Object Type: File
Object Name: C:\Users\Administrator\testfolder
Handle ID: 0x1d0
Process Information:
Process ID: 0x8c0
Process Name: C:\Windows\explorer.exe
Auditing Settings:
Original Security Descriptor:
New Security Descriptor: S:ARAI (AU;OIIOSAFA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection