Event ID 4656 - Repeatedly in Security Event log
Hi Everybody,
I'm investigating an issue where this event ID is repeatedly being logged on my Server 2008 R2 box. The server is running Dynamics AX 2012, SQL Server, IIS and has the latest updates installed. The server is a VM running on ESX. The event looks like this:
A handle to an object was requested.
Subject:
Security ID: SYSTEM
Account Name: servername$
Account Domain: mydomain
Logon ID: 0x3e7
Object:
Object Server: PlugPlayManager
Object Type: Security
Object Name: PlugPlaySecurityObject
Handle ID: 0x0
Process Information:
Process ID: 0x258
Process Name: C:\Windows\System32\svchost.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: Unknown specific access (bit 1)
Access Reasons: -
Access Mask: 0x2
Privileges Used for Access Check: -
Restricted SID Count: 0
What I'm wondering specifically is why is the PlugPlayManager generating this event repeatedly. I do have object access auditing enabled for success and failure, but there are no other events being generated in large numbers. I know we can turn off auditing or modify auditing and the event will be suppressed. I would rather find out why the event is popping up rather than suppressing it.
Thanks for any help!
A handle to an object was requested.
Subject:
Security ID: SYSTEM
Account Name: AXDEV01$
Account Domain: TRICAN
Logon ID: 0x3e7
Object:
Object Server: PlugPlayManager
Object Type: Security
Object Name: PlugPlaySecurityObject
Handle ID: 0x0
Process Information:
Process ID: 0x258
Process Name: C:\Windows\System32\svchost.exe
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: Unknown specific access (bit 1)
Access Reasons: -
Access Mask: 0x2
Privileges Used for Access Check: -
Restricted SID Count: 0
June 27th, 2012 3:53pm
Hi,
Event 4656 might occur if the failure audit was enabled for Handle Manipulation using auditpol.
Subcategory: Handle Manipulation
ID Message
4656 A handle to an object was requested.
4658 The handle to an object was closed.
4690 An attempt was made to duplicate a handle to an object.
If you would like to get rid of these Audit failures 4656 then you need to run the following command:
auditpol /set /subcategory:"Handle Manipulation" /failure:disable
Regards,
Arthur Li
TechNet Community Support
June 28th, 2012 2:28am
Thanks Arthur, but I've already read the post where you got that from. I'm not trying to suppress the message, I'm trying to figure out what is triggering it.
June 28th, 2012 10:28am
I'm seeing the same events logged on my R2 server in an ESXi environment. Any ideas on what is triggering the events?
August 23rd, 2012 5:51pm
I just found this same thing. It flooded our security logs and our security logging appliances. I found that 2008 servers have object level auditing turned on for the svchost.exe file where server 2003 servers do not. I am not sure why this was changed in Server 2008 (and R2). I am trying to figure that out now as I type this. Does anyone have any thoughts?
Chris Methe
August 23rd, 2012 6:35pm
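An added example, not part of any post in this thread: a small Python triage script that parses 4656 messages exported as text in the layout quoted above and counts them per object, requesting process and access mask, so a flood can be attributed before any audit setting is changed. The sample events are constructed, and the function names (`parse_events`, `mask_bits`, `summarize`) are hypothetical.

```python
import re
from collections import Counter

HEADER = "A handle to an object was requested."
KEYS = ("Object Server", "Object Name", "Process Name", "Access Mask")

# Constructed sample input in the message layout shown in this thread.
TEMPLATE = """A handle to an object was requested.
Subject:
Security ID: SYSTEM
Object:
Object Server: {0}
Object Type: {1}
Object Name: {2}
Handle ID: 0x0
Process Information:
Process ID: 0x258
Process Name: {3}
Access Request Information:
Accesses: -
Access Mask: {4}
"""
SAMPLE = TEMPLATE.format("PlugPlayManager", "Security", "PlugPlaySecurityObject",
                         r"C:\Windows\System32\svchost.exe", "0x2") * 2 \
       + TEMPLATE.format("Security", "File", r"C:\Temp\example.txt",
                         r"C:\Windows\explorer.exe", "0x6")

def parse_events(text):
    """Split exported text into one {field: value} dict per 4656 message."""
    events = []
    for block in text.split(HEADER)[1:]:
        fields = {}
        for line in block.splitlines():
            # "Field: value" lines only; section headers like "Object:" have no value.
            m = re.match(r"\s*([^:]+):\s+(\S.*)$", line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        events.append(fields)
    return events

def mask_bits(mask):
    """Return the set bit positions of an access mask string such as '0x2'."""
    value = int(mask, 16)
    return [i for i in range(value.bit_length()) if value >> i & 1]

def summarize(text):
    """Count events per (server, object, process, mask), most frequent first."""
    return Counter(tuple(e.get(k, "?") for k in KEYS)
                   for e in parse_events(text)).most_common()

if __name__ == "__main__":
    for key, count in summarize(SAMPLE):
        print(count, key, "bits set:", mask_bits(key[3]))
```
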