Event ID 4656 - Repeatedly in Security Event log
Hi Everybody,

I'm investigating an issue where this event ID is repeatedly being logged on my Server 2008 R2 box. The server is running Dynamics AX 2012, SQL Server, IIS and has the latest updates installed. The server is a VM running on ESX.

The event looks like this:

A handle to an object was requested.

Subject:
    Security ID: SYSTEM
    Account Name: servername$
    Account Domain: mydomain
    Logon ID: 0x3e7

Object:
    Object Server: PlugPlayManager
    Object Type: Security
    Object Name: PlugPlaySecurityObject
    Handle ID: 0x0

Process Information:
    Process ID: 0x258
    Process Name: C:\Windows\System32\svchost.exe

Access Request Information:
    Transaction ID: {00000000-0000-0000-0000-000000000000}
    Accesses: Unknown specific access (bit 1)
    Access Reasons: -
    Access Mask: 0x2
    Privileges Used for Access Check: -
    Restricted SID Count: 0

What I'm wondering specifically is why is the PlugPlayManager generating this event repeatedly. I do have object access auditing enabled for success and failure, but there are no other events being generated in large numbers. I know we can turn off auditing or modify auditing and the event will be suppressed. I would rather find out why the event is popping up rather than suppressing it.

Thanks for any help!

A handle to an object was requested.

Subject:
    Security ID: SYSTEM
    Account Name: AXDEV01$
    Account Domain: TRICAN
    Logon ID: 0x3e7

Object:
    Object Server: PlugPlayManager
    Object Type: Security
    Object Name: PlugPlaySecurityObject
    Handle ID: 0x0

Process Information:
    Process ID: 0x258
    Process Name: C:\Windows\System32\svchost.exe

Access Request Information:
    Transaction ID: {00000000-0000-0000-0000-000000000000}
    Accesses: Unknown specific access (bit 1)
    Access Reasons: -
    Access Mask: 0x2
    Privileges Used for Access Check: -
    Restricted SID Count: 0
June 27th, 2012 3:53pm

Hi,

Event 4656 might occur if the failure audit was enabled for Handle Manipulation using auditpol.

Subcategory: Handle Manipulation

ID      Message
4656    A handle to an object was requested.
4658    The handle to an object was closed.
4690    An attempt was made to duplicate a handle to an object.

If you would like to get rid of these Audit failures 4656 then you need to run the following command:

    auditpol /set /subcategory:"Handle Manipulation" /failure:disable

Regards,
Arthur Li
TechNet Community Support
June 28th, 2012 2:28am

Thanks Arthur, but I've already read the post where you got that from. I'm not trying to suppress the message, I'm trying to figure out what is triggering it.
June 28th, 2012 10:28am

I'm seeing the same events logged on my R2 server in an ESXi environment. Any ideas on what is triggering the events?
August 23rd, 2012 5:51pm

I just found this same thing. It flooded our security logs and our security logging appliances. I found that 2008 servers have object level auditing turned on for the svchost.exe file where server 2003 servers do not. I am not sure why this was changed in Server 2008 (and R2). I am trying to figure that out now as I type this. Does anyone have any thoughts?

Chris Methe
August 23rd, 2012 6:35pm
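
Added example, not part of any post in this thread: one way to see what is producing the 4656 events before deciding whether to change the audit policy. It checks the Handle Manipulation setting, tallies recent 4656 events by object, requesting process and outcome, and lists the services hosted in the svchost.exe instance named in the events. The 5000-event window and the variable names are assumptions of this sketch; the EventData field names are those of event 4656.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session.

# 1. Is Handle Manipulation audited for success, failure, or both?
auditpol /get /subcategory:"Handle Manipulation"

# 2. Read recent 4656 events and pull the named fields out of the event XML.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } -MaxEvents 5000

$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    # Keyword bit 0x10000000000000 marks an Audit Failure record.
    $outcome = 'Success'
    if (($e.Keywords -band 0x10000000000000) -ne 0) { $outcome = 'Failure' }

    New-Object PSObject -Property @{
        Time         = $e.TimeCreated
        Outcome      = $outcome
        ObjectServer = $data['ObjectServer']
        ObjectType   = $data['ObjectType']
        ObjectName   = $data['ObjectName']
        AccessMask   = $data['AccessMask']
        ProcessName  = $data['ProcessName']
        # ProcessId is logged as hex text, e.g. 0x258 (decimal 600).
        ProcessId    = [Convert]::ToInt32($data['ProcessId'], 16)
    }
}

# 3. Which object / process / access mask combinations dominate the log?
$rows |
    Group-Object ObjectServer, ObjectName, ProcessName, AccessMask, Outcome |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name

# 4. Which services run inside the svchost.exe instances named in the events?
#    Only meaningful while the process from the event is still running.
$rows | Select-Object -ExpandProperty ProcessId -Unique | ForEach-Object {
    Get-WmiObject Win32_Service -Filter "ProcessId = $_" |
        Select-Object ProcessId, Name, DisplayName, State
}
```

The grouping in step 3 shows whether a single object such as PlugPlaySecurityObject accounts for the volume, and step 4 narrows the shared svchost.exe process down to the services it hosts.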
