Windows Security Log Event ID 4907

Operating Systems	Windows 2008 R2 and 7 Windows 2012 R2 and 8.1 Windows 2016 and 10 Windows Server 2019 and 2022
Category • Subcategory	Policy Change • Audit Policy Change
Type	Success
Corresponding events in Windows 2003 and before

4907: Auditing settings on object were changed

On this page

Description of this event
Field level details
Examples
Mini-seminars on this event

When you change the audit SACL of an object, such as a file or folder, Windows logs this event. In the example below, Administrator configured a new audit policy on C:\Users\Administrator\testfolder.

Free Security Log Resources by Randy

Description Fields in 4907

Subject:

The user and logon session that performed the action.

Security ID: The SID of the account.
Account Name: The account logon name.
Account Domain: The domain or - in the case of local accounts - computer name.
Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Object:

This is the object whose audit policy was changed.

Object Server: always "Security"
Object Type: "File" for file or folder but can be other types of objects such as Key, SAM, SERVICE OBJECT, etc.
Object Name: The name of the object being accessed
Handle ID: is a semi-unique (unique between reboots) number that identifies all subsequent audited events while the object is open. Handle ID allows you to correlate to other events logged (Open 4656, Access 4663, Close 4658)

Process Information:

Process ID: The process ID specified when the executable started as logged in 4688.
Process Name: Identifies the program executable that accessed the object.

Auditing Settings:

Original Security Descriptor: blank if no audit policy configured. Otherwise the old audit policy (SACL) of the object in SDDL format (Security Descriptor Definition Language). See http://msdn2.microsoft.com/en-us/library/aa379567.aspx
New Security Descriptor: The new audit policy (SACL) of the object in SDDL format (Security Descriptor Definition Language)

Supercharger Free Edition

Supercharger's built-in Xpath filters leave the noise behind.

Free.

Examples of 4907

Auditing settings on object were changed.

Subject:

   Security ID: WIN-R9H529RIO4Y\Administrator
   Account Name: Administrator
   Account Domain: WIN-R9H529RIO4Y
   Logon ID: 0x1fd23

Object:

   Object Server: Security
   Object Type: File
   Object Name: C:\Users\Administrator\testfolder
   Handle ID: 0x1d0

Process Information:

Process ID: 0x8c0
Process Name: C:\Windows\explorer.exe

Auditing Settings:

   Original Security Descriptor:
   New Security Descriptor: S:ARAI (AU;OIIOSAFA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

Mini-Seminars Covering Event ID 4907

Building a Security Dashboard for Your Senior Executives

Upcoming Webinars

Additional Resources

Encyclopedia

•	Event IDs
•	All Event IDs
•	Audit Policy

Go To Event ID:

Must be a 1-5 digit number No such event ID

Security Log
Quick Reference
Chart
Download now!

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.