Event ID 4656: A Handle to an Object was Requested [Fix]

It appears when handle to object is requested

Reading time icon 5 min. read


Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

Key notes

  • Event id 4656 is an informational event that describes the situation when the handle to an object was requested by some source.
  • The event id helps monitor unauthorized requests and enforce conventions and compliances.
event id 4656

Event id 4656 is a Windows event that occurs when the user accesses a file, folder, or system registry through the Microsoft-Windows-Security-Auditing service.

In this comprehensive guide, we will delve into essential details of the event id 4656, why it occurs, and the actions you should undertake when the event id is logged.

What is Event ID 4656?

Event id 4656 is an informational event that indicates that specific access was requested for an object. The object could vary from a file system, kernel, or registry object to a file system object located on external storage or a removable device.

In case, the request to access the request object is declined, a failure event is generated.

The event id 4656 is generated only if the System Access Control List (SACL) of the requested object has the necessary Access Control Entries (ACE) to manage the use of specific access rights.

This event informs that access to an object was requested and the results of the request were logged. However, the event does not give details of the operation that was performed. 

Some of the essential field descriptions of the event id 4656 are as follows: 

  • Account Name โ€“ The name of the account that requested a handle for an object.
  • Object Type โ€“ The type of object accessed during the operation.
  • Object Name โ€“ The name or an identifier for an object for which access was requested. Example – file, path
  • Process Name โ€“ The address path and name of the executable file requesting the object.
  • Accesses โ€“ The list of the access rights requested by the object. 

What causes the event id 4656? 

The event id 4656 helps monitor several events that execute on your Windows PC. Some of them are: 

  • Verify if the unauthorized or restricted processes are requesting objects. 
  • Access attempts for sensitive or essential objects. 
  • Actions of a particular high-priority account. 
  • Ascertain the anomalies and malicious actions of the suspicious accounts. 
  • Verify that non-active, external, and restricted accounts are not in use. 
  • Assure that only the authorized accounts can execute some actions or request access. 
  • You can also configure the event id to enforce conventions and compliances. 

Now that you have a fair idea of the event id 4656, letโ€™s see what should be your course of action when the event id is repeatedly logged into the event viewer. 

What to do if I encounter Event Id 4656?

1. Verify the event details 

  1. Press the Windows key, type event viewer in the search bar on top, and click the Open option on the right result section. event id 4656
  2. Click Windows Logs on the left pane to view the related settings and click Security
  3. The list of all the events logs will appear in the right section, scroll down and locate event id 4656 in the list and select it. 
  4. Navigate to the General tab on the bottom and review the security change and the request handles for the file or folder. event id 4656

If the request is legitimate, you do not have to take any action. However, if the request seems to originate from a suspicious source, proceed to the next solution. 

2. Modify the Local Security Policy 

  1. Use the Windows + R shortcut to launch the Run dialog box, type the following command in the text box, and press the Enter key. secpol.msc
  2. Click Security Settings on the left sidebar to expand the console tree and select the Advanced Audit Policy Configuration
  3. Next, expand the System Audit Policies node and select the Object Access option. 
  4. Double-click Audit Handle Manipulation on the right section and review the audit settings. 
  5. If the audit settings are set as Configured, change it to Not Configured
  6. Press the Apply button to save the changes. 

Reconfiguring the Advanced Audit Policy using the local security policy editor should help fix the event id 4656 if these are logged in unnecessarily. 

3. Use the group policy editor 

  1. Use the Windows + R shortcut to launch the dialog box and type the following command and click the OK button to execute it. rsop.msc
  2. Expand the Computer Configuration console in the left panel and click the Windows Settings node. 
  3. Next, click to expand Security Settings followed by Local Policies and then Audio Policy from the left sidebar. event id 4656
  4. Note down the Source Group Policy Object of Audit Object Access, the root setting for Audit Handle Manipulation.
  5. Execute the following command in the Run window by pressing the Enter key. Gpmc.msc
  6. Navigate to the Source Group Policy Object you noted previously and then look for Audit Handle Manipulation.
  7. Right-click Audit Handle Manipulation and choose Edit from the context menu. 
  8. Set the setting to Disabled and press the OK button to save the changes. 

You will have to modify the specific group policy object if the setting is inherited from any other GPO to Local Security Policy.

Thatโ€™s all about this guide to resolve the event id 4656 if you encounter it frequently. However, you should know that the solution may change depending on the specific scenario when the event id 4656 appears on the event viewer.  

Refer to this guide, for a detailed understanding of the event viewer and how can you leverage it to monitor all the events.

Reach out to us in the comment section if you want to share valuable information and feedback.

More about the topics: event log viewers, Event Viewer

User forum

0 messages