
Windows Event ID 4658 – Microsoft-Windows-Security-Auditing: Handle to an Object was Closed

Event ID 4658 logs when a handle to a system object is closed, providing audit trail for object access tracking in Windows security monitoring.

Emanuel DE ALMEIDA
18 March 2026, 12 min read
Event Reference

What This Event Means

Event ID 4658 represents the final stage in the Windows object access audit lifecycle. When a process opens a handle to a system object (file, registry key, process, thread, etc.), Windows can track this interaction through security auditing. The 4658 event specifically documents when that handle is closed, either explicitly by the application or implicitly when the process terminates.

The event carries three groups of fields: Subject (Security ID, Account Name, Account Domain and Logon ID of the security context that closed the handle), Object (Object Server, which is always "Security", and the Handle ID) and Process Information (Process ID and Process Name of the executable that closed the handle). It does not carry the object type or object name; those appear only in the 4656 (handle requested) and 4663 (access attempted) events and have to be joined to the 4658 through the Handle ID and Process ID. That join is what lets an analyst reconstruct a complete object access pattern.

In enterprise environments, Event ID 4658 serves multiple purposes. Security teams use it to close the loop on an audited access, compliance officers rely on it for regulatory reporting, and system administrators use it to troubleshoot file-locking issues (a 4656 with no matching 4658 is a handle still being held). Paired with its 4656, it brackets the period during which a process held a sensitive file open, which is useful when investigating potential data exfiltration.

The frequency of this event depends heavily on the auditing policy configuration and system activity. On busy file servers or domain controllers, thousands of 4658 events can generate hourly, requiring careful log management and filtering strategies to extract meaningful information.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Application explicitly closing file handles after completing read/write operations
  • Process termination causing Windows to automatically close all associated handles
  • Registry key handles being closed after configuration changes
  • Service shutdown procedures closing handles to system objects
  • User logoff events triggering closure of profile-related handles
  • Network share disconnections closing remote file handles
  • Security policy or permission edits that open and then release handles to the objects being modified
  • System shutdown procedures closing all remaining open handles
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the event details to understand what object was accessed and by which process.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. Filter for Event ID 4658 by right-clicking the Security log and selecting Filter Current Log
  4. In the filter dialog, enter 4658 in the Event IDs field and click OK
  5. Double-click a 4658 event to view details. Key fields to examine:
    • Subject: Security ID, Account Name, Account Domain and Logon ID of the context that closed the handle
    • Object: Object Server (always "Security") and the Handle ID; a 4658 does not list the object type or name
    • Process Information: Process ID and Process Name of the executable that closed the handle
  6. Cross-reference the Handle ID and Process ID with the corresponding 4656 event to see when the handle was opened and which object it pointed to
Pro tip: Pair 4656 (opened) and 4658 (closed) on Handle ID and Process ID, not on Handle ID alone: handle values are per-process and are reused once closed, so the same Handle ID recurs in unrelated events.
02

Query Events with PowerShell

Use PowerShell to efficiently query and analyze 4658 events across multiple systems or time periods.

  1. Open PowerShell as Administrator (reading the Security log requires administrative rights or membership in Event Log Readers)
  2. Query recent 4658 events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4658} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter events by the account that closed the handle (a 4658 carries no Object Type or Object Name, so filtering by object requires the matching 4656):
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4658} -MaxEvents 5000 | Where-Object {$_.Message -like '*Account Name:*jdoe*'} | Select-Object TimeCreated, Message
  4. Analyze events from a specific process:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4658} -MaxEvents 5000 | Where-Object {$_.Message -like '*Process Name:*notepad.exe*'} | Format-Table TimeCreated, Id -AutoSize
  5. Export events for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4658; StartTime=(Get-Date).AddHours(-24)} | Export-Csv -Path "C:\Temp\4658_Events.csv" -NoTypeInformation
  6. Count events by process name, read from the event XML rather than the rendered message so the result does not depend on message layout:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4658} -MaxEvents 1000 | ForEach-Object {(([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'ProcessName').'#text'} | Group-Object | Sort-Object Count -Descending
03

Configure Object Access Auditing Policies

Adjust auditing policies to control which object types generate 4658 events and reduce log noise.

  1. Open Group Policy Management Console or Local Group Policy Editor (gpedit.msc)
  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access
  3. Configure the audit subcategories. 4658 is only generated when Audit Handle Manipulation is enabled in addition to the subcategory for the object type:
    • Audit Handle Manipulation: required for 4658 (and for 4690 handle duplication); without it only 4656/4663 appear
    • Audit File System: file and folder handles
    • Audit Registry: registry key handles
    • Audit Kernel Object: process, thread, mutex and similar kernel objects
  4. Set Audit Handle Manipulation to Success, and the object subcategory to Success (successful opens and closes) or Success and Failure (also denied open attempts, which produce a failure 4656 but no 4658, since no handle was created)
  5. Apply the policy using:
    gpupdate /force
  6. Verify current audit settings:
    auditpol /get /category:"Object Access"
  7. For specific file/folder auditing, configure SACLs (System Access Control Lists) on target objects through Properties > Security > Advanced > Auditing; without a SACL entry matching the requested access, the subcategory setting alone produces no events
Warning: Enabling comprehensive object access auditing can generate massive log volumes. Start with specific objects or processes.
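The same configuration done from an elevated Windows PowerShell session, as an added example that is not part of the original article: it enables the two subcategories a 4658 depends on with auditpol, adds one audit entry to a single folder through the .NET FileSystemAuditRule class, and verifies both. The folder path C:\Finance\Payroll, the audited rights and the Everyone principal are assumptions; registry keys take the same approach with Audit Registry and RegistryAuditRule.

```powershell
# Added example (not from the original article). Run elevated: both auditpol /set and
# writing a SACL need administrative rights (SeSecurityPrivilege).

# 1. Subcategory policy. 4658 is only produced when "Handle Manipulation" success auditing
#    is on in addition to the subcategory for the object type (File System here).
#    Subcategory names are those listed by: auditpol /list /subcategory:*
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable

# 2. SACL on one high-value folder, not the whole volume. Assumed path and rights:
#    audit reads, writes and deletes, inherited by subfolders and files.
$Target = 'C:\Finance\Payroll'
$Acl  = Get-Acl -Path $Target -Audit
$Rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    ([System.Security.AccessControl.FileSystemRights]::ReadData -bor
     [System.Security.AccessControl.FileSystemRights]::WriteData -bor
     [System.Security.AccessControl.FileSystemRights]::Delete),
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Target -AclObject $Acl

# 3. Verify: the policy first, then the SACL that was written.
auditpol /get /subcategory:"File System"
auditpol /get /subcategory:"Handle Manipulation"
(Get-Acl -Path $Target -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

After this, opening a file under the folder yields a 4656 and, when the handle is released, a 4658 from the same Process ID; a denied open produces only a failure 4656. Keep the audited rights narrow: auditing ReadAttributes or Synchronize on a busy folder multiplies the volume without adding signal.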
04

Correlate Handle Lifecycle Events

Create comprehensive audit trails by correlating 4658 events with related handle operations.

  1. Identify the Handle ID and the Process ID from the 4658 event you want to investigate
  2. Search for the corresponding 4656 (handle opened) event. Handle values are per-process and are reused once closed, so match on the Process ID as well and restrict the time window:
    $HandleId  = '0x1a4c'   # Replace with the Handle ID from the 4658 event
    $ProcessId = '0xef0'    # Replace with the Process ID from the same 4658 event
    $Since     = (Get-Date).AddHours(-24)
    $Match = { $_.Message -like "*Handle ID:*$HandleId*" -and $_.Message -like "*Process ID:*$ProcessId*" }
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4656; StartTime=$Since} -ErrorAction SilentlyContinue | Where-Object $Match | Select-Object TimeCreated, Message
  3. Look for any 4663 (object accessed) events for the same handle:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=$Since} -ErrorAction SilentlyContinue | Where-Object $Match | Select-Object TimeCreated, Message
  4. Create a timeline of all handle-related events in one query (Id accepts an array, so the log is scanned once):
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4656,4663,4658; StartTime=$Since} -ErrorAction SilentlyContinue | Where-Object $Match
    $Events | Sort-Object TimeCreated | Format-Table TimeCreated, Id, LevelDisplayName -AutoSize
  5. Export the complete handle lifecycle for analysis (the braces matter: "$HandleId_Lifecycle" would be read as a different, empty variable):
    $Events | Sort-Object TimeCreated | Export-Csv -Path "C:\Temp\Handle_${HandleId}_Lifecycle.csv" -NoTypeInformation
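The manual steps above rebuild one lifecycle at a time. The script below, an added example that is not part of the original article, rebuilds every lifecycle in a time window: it reads 4656, 4663 and 4658 in one query, joins them on Process ID plus Handle ID (the reason Handle ID alone is not enough), pulls object type and name from the 4656, and reports the handles held open longest, which is the "unusually long access" signal the FAQ mentions. The script name, the 24-hour window and the 300-second threshold are assumptions.

```powershell
# Added example (not from the original article). Save as Get-HandleLifecycles.ps1
# (assumed name) and run elevated; it reads the local Security log only.
param(
    [int]$Hours = 24,
    [int]$LongOpenSeconds = 300   # assumed threshold: flag handles held open > 5 minutes
)

# One query for all three IDs (one log scan). Fields are read from the event XML by name,
# so nothing here depends on field order or on the rendered message text.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4656, 4663, 4658
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = @{}
    foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Id          = $_.Id
        HandleId    = $d['HandleId']
        ProcessId   = $d['ProcessId']        # hex string, e.g. 0xef0, in all three events
        ProcessName = $d['ProcessName']
        ObjectType  = $d['ObjectType']       # present on 4656/4663 only
        ObjectName  = $d['ObjectName']       # present on 4656/4663 only
        User        = $d['SubjectUserName']
        # AccessList holds %%NNNN resource IDs (e.g. %%4416 = ReadData); keep them as-is
        Accesses    = ($d['AccessList'] -replace '\s+', ' ').Trim()
    }
}

# Walk in time order, keyed by ProcessId:HandleId. A 4656 starts a lifecycle, 4663s
# accumulate on it, the 4658 closes it and emits one finished record.
$Open = @{}
$Lifecycles = foreach ($e in ($Events | Sort-Object Time)) {
    $key = "$($e.ProcessId):$($e.HandleId)"
    switch ($e.Id) {
        4656 { $Open[$key] = @{ Open = $e; Accesses = [System.Collections.Generic.List[string]]::new() } }
        4663 { if ($Open.ContainsKey($key)) { $Open[$key].Accesses.Add($e.Accesses) } }
        4658 {
            # A 4658 with no matching 4656 was opened before the window (or before
            # Handle Manipulation auditing was enabled); it is dropped, not guessed at.
            if ($Open.ContainsKey($key)) {
                $o = $Open[$key].Open
                $acc = $Open[$key].Accesses
                $Open.Remove($key)
                [pscustomobject]@{
                    User        = $o.User
                    ProcessName = $o.ProcessName
                    ProcessId   = $o.ProcessId
                    HandleId    = $o.HandleId
                    ObjectType  = $o.ObjectType
                    ObjectName  = $o.ObjectName
                    Opened      = $o.Time
                    Closed      = $e.Time
                    OpenSeconds = [math]::Round(($e.Time - $o.Time).TotalSeconds, 1)
                    Accessed    = ($acc | Select-Object -Unique) -join '; '
                }
            }
        }
    }
}

# Long-lived handles on audited objects are the ones worth a second look.
$Lifecycles | Where-Object OpenSeconds -ge $LongOpenSeconds |
    Sort-Object OpenSeconds -Descending |
    Format-Table Opened, OpenSeconds, User, ProcessName, ObjectName -AutoSize

# Handles opened in the window with no 4658 yet: still held (or the process is gone
# and the close fell outside the window).
"Still open at end of window: $($Open.Count)"
```

A long OpenSeconds on its own is a weak indicator, since many services hold files open for their whole lifetime; it becomes interesting when the process is not one that normally touches that object, or when the same account opens many audited objects in sequence. The Accessed column shows the access rights actually exercised (from 4663), which separates "opened and read" from "opened and never touched".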
05

Advanced Log Analysis and Monitoring

Implement advanced monitoring solutions for proactive 4658 event analysis and alerting.

  1. Set up Windows Event Forwarding (WEF) to centralize 4658 events from multiple systems. On the collector, initialize the Windows Event Collector service:
    # On collector server
    wecutil qc /q
  2. Create a source-initiated subscription XML targeting 4658 events and load it on the collector. On each source computer, point "Configure target Subscription Manager" (Computer Configuration > Administrative Templates > Windows Components > Event Forwarding) at the collector and give NETWORK SERVICE read access to the Security log (for example by adding it to the Event Log Readers group); without that, nothing is forwarded:
    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
      <SubscriptionId>Handle-Closed-Events</SubscriptionId>
      <SubscriptionType>SourceInitiated</SubscriptionType>
      <Description>Forward 4658 handle-closed events to the collector</Description>
      <Enabled>true</Enabled>
      <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
      <ConfigurationMode>MinLatency</ConfigurationMode>
      <Query>
        <![CDATA[
          <QueryList>
            <Query Id="0">
              <Select Path="Security">*[System[EventID=4658]]</Select>
            </Query>
          </QueryList>
        ]]>
      </Query>
      <ReadExistingEvents>false</ReadExistingEvents>
      <TransportName>HTTP</TransportName>
      <ContentFormat>RenderedText</ContentFormat>
      <Locale Language="en-US"/>
      <LogFile>ForwardedEvents</LogFile>
      <AllowedSourceNonDomainComputers/>
      <AllowedSourceDomainComputers>O:NSG:BAD:P(A;;GA;;;DC)(A;;GA;;;DD)S:</AllowedSourceDomainComputers>
    </Subscription>
    # On collector server, after saving the file
    wecutil cs subscription.xml
  3. When the audit events are not enough (for example to see which code path holds a handle), capture an ETW trace with Windows Performance Recorder (wpr.exe, part of the Windows ADK and in-box on current Windows 10/11). This is tracing, not Security-log auditing:
    # Start a trace with the built-in Handle profile, reproduce the issue, then stop it
    wpr -start GeneralProfile -start Handle
    wpr -stop C:\Temp\handles.etl
  4. Set up automated analysis with Task Scheduler, running as SYSTEM so the script can read the Security log:
    # Create scheduled task for daily 4658 analysis
    $Action    = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -File C:\Scripts\Analyze4658Events.ps1"
    $Trigger   = New-ScheduledTaskTrigger -Daily -At "02:00AM"
    $Principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName "Daily4658Analysis" -Action $Action -Trigger $Trigger -Principal $Principal
  5. Size the Security log so it holds the 4658 volume until events have been forwarded; overwrite-as-needed is only safe once forwarding is in place (Limit-EventLog exists in Windows PowerShell 5.1 only, wevtutil works everywhere):
    # Configure Security log size and retention (512 MB = 536870912 bytes)
    Limit-EventLog -LogName Security -MaximumSize 512MB -OverflowAction OverwriteAsNeeded
    wevtutil sl Security /ms:536870912 /rt:false
Pro tip: Use SIEM solutions like Microsoft Sentinel or Splunk for enterprise-scale 4658 event analysis and correlation.

Overview

Event ID 4658 fires when Windows closes a handle to a system object that was previously opened and tracked by the security auditing subsystem. This event is part of the object access auditing category and works in conjunction with Event ID 4656 (handle opened) and 4663 (object accessed) to provide a complete audit trail of object interactions.

The event captures the process that closed the handle, the security context it ran under, and the Handle ID; the object type and name are not in the 4658 itself and come from the 4656 with the same Handle ID and Process ID. This information proves invaluable for security investigations, compliance auditing, and troubleshooting access-related issues. The event fires across all Windows versions that support advanced auditing policies, including the latest Windows 11 24H2 and Windows Server 2025 releases.

Understanding this event requires knowledge of Windows object management, handle lifecycle, and security auditing policies. The event only appears when Audit Handle Manipulation is enabled together with object access auditing for the relevant object type, through Group Policy or local security policy, and the object carries a matching SACL entry.

Frequently Asked Questions

What does Event ID 4658 mean and when does it occur?
Event ID 4658 indicates that a handle to a system object has been closed. It occurs when an application explicitly closes a handle to a file, registry key or other object, or when a process terminates and Windows closes all of its handles. It is part of the object access audit trail and only appears when Audit Handle Manipulation (Success) is enabled together with the subcategory for the object type and a matching SACL entry on the object. It provides the final piece of the handle lifecycle, complementing Event ID 4656 (handle requested) and 4663 (object accessed).
How can I reduce the volume of 4658 events in my Security log?
Audit more selectively: instead of broad SACLs on whole volumes or registry hives, put audit entries on specific high-value objects and only for the access rights that matter. Windows has no per-process audit exclusions, so noise from known processes has to be dropped after the fact, in a WEF subscription query (Suppress clauses), a custom view, a PowerShell filter or a SIEM rule. Size the Security log to hold the volume between collections and forward events to a central store so that local overwriting does not lose them.
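One way to do that post-hoc filtering, as an added example that is not part of the original article and serves both the WEF subscription query in method 05 and this answer: an XPath query with one Suppress clause per known-noisy process, run locally through Get-WinEvent -FilterXml. The same QueryList text can be pasted into a subscription's Query element or an Event Viewer custom view, so the suppression is decided once and applied wherever the events are read. The three process paths are assumptions; replace them with whatever is noisy in your estate.

```powershell
# Added example (not from the original article). Run elevated.
# Assumed list of processes whose 4658 records add nothing for this use case.
$NoisyProcesses = @(
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\SearchIndexer.exe',
    'C:\Program Files\Windows Defender\MsMpEng.exe'
)

# One <Suppress> per process. The data element is matched by name ("ProcessName"),
# so the clause does not depend on field order in the event template.
$Suppress = ($NoisyProcesses | ForEach-Object {
    "    <Suppress Path=""Security"">*[System[EventID=4658]] and *[EventData[Data[@Name='ProcessName']='$_']]</Suppress>"
}) -join "`n"

# Select 4658 from the last 24 hours (timediff is in milliseconds), then suppress.
# This QueryList is valid as-is in a WEF subscription or a custom view.
$Query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4658) and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]</Select>
$Suppress
  </Query>
</QueryList>
"@

# Before/after counts show how much the suppression removes.
$All = (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4658; StartTime=(Get-Date).AddHours(-24)} `
            -ErrorAction SilentlyContinue | Measure-Object).Count
$Filtered = Get-WinEvent -FilterXml ([xml]$Query) -ErrorAction SilentlyContinue
"4658 in last 24h: $All, after suppression: $(($Filtered | Measure-Object).Count)"

# What remains: the processes still closing audited handles, most frequent first.
$Filtered | ForEach-Object {
    (([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'ProcessName').'#text'
} | Group-Object | Sort-Object Count -Descending | Select-Object -First 10 Count, Name
```

Suppressing by process name is a convenience, not a security boundary: a process name in an audit record is whatever image was loaded, and an attacker who can run code as svchost.exe or from a copied binary with that name will be filtered with it. Keep the suppressed list short and review the "what remains" output rather than treating the drop as proof of safety.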
Can Event ID 4658 help detect security threats or unauthorized access?
Yes, when correlated with other events; on its own a 4658 says only that a handle was released. Unusual closure patterns on sensitive files or registry keys (an unfamiliar process, an unexpected account, an odd time of day) warrant a look. The time between the 4656 (open) and the 4658 (close) for the same Handle ID and Process ID shows how long a process held an object open, which can point to bulk reads or staging, although long-lived handles are normal for many services. Correlating with process creation (4688) and network activity turns a suspicious access into a sequence worth investigating.
Why am I not seeing Event ID 4658 in my Security log?
A 4658 is only generated when three things line up: 'Audit Handle Manipulation' is enabled for Success under Advanced Audit Policy Configuration > Object Access, the subcategory for the object type (for example 'Audit File System') is enabled, and the object's SACL contains an audit entry matching the access that was requested. Run auditpol /get /category:"Object Access" to check the first two. Also verify that the Security log is not full or being overwritten faster than you read it, and that the process you are watching actually opens a handle to the audited object; an access that fails at open time produces a failure 4656 but no 4658, because no handle was ever created.
How do I correlate Event ID 4658 with other security events for investigation?
Use the Handle ID together with the Process ID to pair a 4658 with its 4656 (handle requested) and any 4663 (object accessed) events; Handle ID alone is not unique over time. The Process ID and Process Name fields link to Event ID 4688 (process creation) for the process that held the handle. Cross-reference the Subject's Logon ID with logon events (4624/4625) to understand the user session. For a repeatable investigation, query the related event IDs in one Get-WinEvent call and sort by timestamp, or let a SIEM platform correlate the events and present a unified timeline.
Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
