Event ID 4656 - Repeatedly in Security Event log
Hi Everybody,

I'm investigating an issue where this event ID is repeatedly being logged on my Server 2008 R2 box. The server is running Dynamics AX 2012, SQL Server, IIS and has the latest updates installed. The server is a VM running on ESX. The event looks like this:

A handle to an object was requested.

Subject:
    Security ID: SYSTEM
    Account Name: servername$
    Account Domain: mydomain
    Logon ID: 0x3e7

Object:
    Object Server: PlugPlayManager
    Object Type: Security
    Object Name: PlugPlaySecurityObject
    Handle ID: 0x0

Process Information:
    Process ID: 0x258
    Process Name: C:\Windows\System32\svchost.exe

Access Request Information:
    Transaction ID: {00000000-0000-0000-0000-000000000000}
    Accesses: Unknown specific access (bit 1)
    Access Reasons: -
    Access Mask: 0x2
    Privileges Used for Access Check: -
    Restricted SID Count: 0

What I'm wondering specifically is why is the PlugPlayManager generating this event repeatedly. I do have object access auditing enabled for success and failure, but there are no other events being generated in large numbers. I know we can turn off auditing or modify auditing and the event will be suppressed. I would rather find out why the event is popping up rather than suppressing it.

Thanks for any help!

A handle to an object was requested.

Subject:
    Security ID: SYSTEM
    Account Name: AXDEV01$
    Account Domain: TRICAN
    Logon ID: 0x3e7

Object:
    Object Server: PlugPlayManager
    Object Type: Security
    Object Name: PlugPlaySecurityObject
    Handle ID: 0x0

Process Information:
    Process ID: 0x258
    Process Name: C:\Windows\System32\svchost.exe

Access Request Information:
    Transaction ID: {00000000-0000-0000-0000-000000000000}
    Accesses: Unknown specific access (bit 1)
    Access Reasons: -
    Access Mask: 0x2
    Privileges Used for Access Check: -
    Restricted SID Count: 0
June 27th, 2012 4:01pm

Hi,

Event 4656 might occur if the failure audit was enabled for Handle Manipulation using auditpol.

Subcategory: Handle Manipulation

    ID    Message
    4656  A handle to an object was requested.
    4658  The handle to an object was closed.
    4690  An attempt was made to duplicate a handle to an object.

If you would like to get rid of these Audit failures 4656 then you need to run the following command:

    auditpol /set /subcategory:"Handle Manipulation" /failure:disable

Regards,
Arthur Li
TechNet Community Support
June 28th, 2012 2:36am
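
To see which object, process and audit outcome account for the repeated 4656 events before changing the audit policy, the events can be grouped by their fields. This is an added example, not part of the original thread; the 2000-event sample size is an arbitrary assumption, and the field names are those carried in the 4656 event's EventData.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on the affected server.

# Show the current success/failure setting for the subcategory named in the reply.
auditpol /get /subcategory:"Handle Manipulation"

# Read a sample of recent 4656 events from the Security log.
# -MaxEvents 2000 is an arbitrary sample size chosen for this example.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } `
                       -MaxEvents 2000 -ErrorAction SilentlyContinue

# Flatten each event's EventData name/value pairs into one object per event.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated  = $e.TimeCreated
        Result       = $e.KeywordsDisplayNames -join ','   # Audit Success or Audit Failure
        Account      = $data['SubjectUserName']
        ObjectServer = $data['ObjectServer']
        ObjectName   = $data['ObjectName']
        AccessMask   = $data['AccessMask']
        ProcessId    = $data['ProcessId']                  # hex string, e.g. 0x258
        ProcessName  = $data['ProcessName']
    }
}

# Which object / process / outcome combinations dominate the log?
$rows |
    Group-Object ObjectServer, ObjectName, ProcessName, AccessMask, Result |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# svchost.exe hosts several services; list the ones running in each
# process ID that appears in the sampled events.
$rows | Select-Object -ExpandProperty ProcessId -Unique | ForEach-Object {
    $procId = [Convert]::ToInt32($_, 16)
    tasklist /svc /fi "PID eq $procId"
}
```

The Result column separates audit successes from audit failures, which indicates whether disabling only failure auditing for the subcategory would affect these entries.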
