
Windows Event ID 4663 – Security: An Attempt Was Made to Access an Object

Event ID 4663 logs when a process attempts to access a file, folder, registry key, or other securable object. This security audit event tracks object access attempts for compliance and forensic analysis.

Emanuel DE ALMEIDA
18 March 2026, 12 min read

Event Reference

What This Event Means

Event ID 4663 represents a critical component of Windows' object access auditing system, designed to track and log attempts to access securable objects across the operating system. When enabled, this event provides comprehensive visibility into file system access, registry modifications, and other object interactions that are essential for security monitoring and compliance requirements.

The event generates detailed logs that include the security identifier (SID) of the user or process making the access attempt, the specific object being accessed, the type of access requested (read, write, execute, delete), and whether the access was granted or denied. This granular level of detail makes Event ID 4663 particularly valuable for detecting unauthorized access attempts, tracking data exfiltration, and maintaining audit trails for regulatory compliance.

Windows generates this event through its Security Reference Monitor (SRM), which evaluates every access request against the object's Access Control List (ACL). The event fires after the access control check is complete, providing a record of the actual access attempt rather than just the intent to access. This timing is crucial for forensic analysis, as it confirms that the access attempt progressed beyond initial handle creation to actual object interaction.

The event's usefulness extends beyond security monitoring to performance analysis and troubleshooting. High volumes of Event ID 4663 entries can indicate excessive file system activity, misconfigured applications, or inefficient access patterns that impact system performance. Security teams often correlate these events with network traffic logs and application logs to build comprehensive security timelines during incident response activities.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • File or folder access when object access auditing is enabled for the specific path
  • Registry key modifications or queries with registry auditing configured
  • Named pipe access attempts by inter-process communication
  • Service account accessing protected system files or configuration data
  • Application reading or writing to audited directories like user profiles or system folders
  • Backup software accessing files with special permissions or encryption attributes
  • Antivirus software scanning files in audited locations
  • User accessing shared network resources mapped to local audited paths
  • System processes accessing audited registry keys during startup or configuration changes
  • PowerShell or command-line tools accessing audited objects during administrative tasks
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 4663 to understand what object was accessed and by whom.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. Filter for Event ID 4663 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4663 in the Event IDs field and click OK
  5. Double-click on a 4663 event to view detailed information including:
    • Subject: User account that made the access attempt
    • Object: Full path and type of object accessed
    • Process Information: Process name and ID that initiated access
    • Access Request Information: Specific permissions requested
  6. Note the Access Mask value to understand what type of access was attempted (0x1 = Read, 0x2 = Write, 0x20 = Execute)
Pro tip: Use the Details tab and switch to XML view to see all available fields, including process command line arguments if configured.
02

Query Events with PowerShell for Analysis

Use PowerShell to efficiently query and analyze Event ID 4663 entries for patterns or specific objects.

  1. Open PowerShell as Administrator
  2. Query recent 4663 events with basic filtering:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter events for a specific object path:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} | Where-Object {$_.Message -like "*C:\Sensitive\*"} | Select-Object TimeCreated, Message
  4. Extract structured data from event properties (the loop is assigned to $Results so that step 5 has something to export):
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} -MaxEvents 100
    $Results = foreach ($Event in $Events) {
        # Every 4663 field is an EventData/Data element identified by its Name attribute
        $XML = [xml]$Event.ToXml()
        $EventData = $XML.Event.EventData.Data
        [PSCustomObject]@{
            TimeCreated = $Event.TimeCreated
            SubjectUserName = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
            ObjectName = ($EventData | Where-Object {$_.Name -eq 'ObjectName'}).'#text'
            ProcessName = ($EventData | Where-Object {$_.Name -eq 'ProcessName'}).'#text'
            AccessMask = ($EventData | Where-Object {$_.Name -eq 'AccessMask'}).'#text'
        }
    }
  5. Export results for further analysis:
    $Results | Export-Csv -Path "C:\Temp\Event4663_Analysis.csv" -NoTypeInformation
Warning: Querying large numbers of security events can impact system performance. Use the -MaxEvents parameter to limit results.
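The raw AccessMask extracted above is only meaningful once you know the object type, because the same bit means ReadData on a file and QueryValues on a registry key. This added script (not part of the original article) decodes the mask with the matching .NET rights enum and tallies what kind of access the audited activity actually consists of; the 500-event sample size is an arbitrary choice.

```powershell
# Added example: decode the AccessMask of 4663 events into named rights.
# "File" objects use FileSystemRights, "Key" objects use RegistryRights; generic and
# special bits (0xFF000000) are not enum members and are left as the logged hex value.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $Map = @{}
    foreach ($Node in ([xml]$Event.ToXml()).Event.EventData.Data) { $Map[$Node.Name] = $Node.'#text' }
    return $Map
}

function Convert-AccessMask {
    param([string]$Mask, [string]$ObjectType)
    $Value = [uint32]$Mask                       # PowerShell parses the logged "0x..." form
    if ($Value -band 0xFF000000) { return $Mask } # GENERIC_*, MAXIMUM_ALLOWED, ACCESS_SYSTEM_SECURITY
    switch ($ObjectType) {
        'File'  { return ([System.Security.AccessControl.FileSystemRights][int]$Value).ToString() }
        'Key'   { return ([System.Security.AccessControl.RegistryRights][int]$Value).ToString() }
        default { return $Mask }                 # Process, Token, etc. keep the raw mask
    }
}

# Summarise recent events as (ObjectType, decoded rights) pairs, most frequent first,
# which shows at a glance whether the audited activity is reads, writes or deletes.
$Summary = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Data = ConvertTo-EventData $_
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            User        = $Data['SubjectUserName']
            ObjectType  = $Data['ObjectType']
            ObjectName  = $Data['ObjectName']
            Process     = $Data['ProcessName']
            Rights      = Convert-AccessMask -Mask $Data['AccessMask'] -ObjectType $Data['ObjectType']
        }
    }

$Summary | Group-Object ObjectType, Rights | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```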
03

Configure Object Access Auditing Policies

Properly configure audit policies to control when Event ID 4663 is generated and reduce noise from unnecessary events.

  1. Open Local Security Policy by running secpol.msc or through Group Policy Management
  2. Navigate to Security Settings > Advanced Audit Policy Configuration > Object Access
  3. Configure the following policies based on your monitoring needs:
    • Audit File System: Enable for file and folder access monitoring
    • Audit Registry: Enable for registry key access tracking
    • Audit Handle Manipulation: Enable for detailed object handle tracking
  4. For specific file/folder auditing, configure SACLs (System Access Control Lists). Run this from an elevated session, since reading and writing a SACL requires the SeSecurityPrivilege, and note that Get-Acl only returns audit entries when -Audit is specified:
    # Set auditing on a specific folder
    $Path = "C:\Sensitive"
    $AuditRules = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone", "FullControl", "ContainerInherit,ObjectInherit", "None", "Success,Failure")
    $ACL = Get-Acl -Path $Path -Audit   # -Audit loads the existing SACL so it is preserved and written back
    $ACL.SetAuditRule($AuditRules)
    Set-Acl -Path $Path -AclObject $ACL
  5. Verify audit policy settings:
    auditpol /get /category:"Object Access"
  6. Test the configuration by accessing the audited object and checking for Event ID 4663 generation
Pro tip: Use Global Object Access Auditing (GOAA) in Group Policy to apply consistent auditing rules across multiple systems without modifying individual SACLs.
04

Investigate Suspicious Access Patterns

Analyze Event ID 4663 patterns to identify potential security incidents or unauthorized access attempts.

  1. Create a PowerShell script to identify unusual access patterns:
    # Identify high-frequency access attempts
    $StartTime = (Get-Date).AddHours(-24)
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=$StartTime}
    
    # Group by user and object to find patterns
    $AccessPatterns = $Events | ForEach-Object {
        $XML = [xml]$_.ToXml()
        $EventData = $XML.Event.EventData.Data
        [PSCustomObject]@{
            User = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
            Object = ($EventData | Where-Object {$_.Name -eq 'ObjectName'}).'#text'
            Process = ($EventData | Where-Object {$_.Name -eq 'ProcessName'}).'#text'
            Time = $_.TimeCreated
        }
    } | Group-Object User, Object | Where-Object {$_.Count -gt 10}
    
    $AccessPatterns | Select-Object Name, Count
  2. Check for access attempts outside business hours:
    # Find after-hours access (outside 08:00 to 18:00); 18:xx is already after hours, hence -ge
    $AfterHoursEvents = $Events | Where-Object {
        $Hour = $_.TimeCreated.Hour
        $Hour -lt 8 -or $Hour -ge 18
    }
  3. Correlate with failed logon events (Event ID 4625) to identify potential attack patterns
  4. Review process names for unusual or suspicious executables accessing sensitive objects
  5. Cross-reference with network logs and endpoint detection tools for comprehensive analysis
  6. Document findings and create alerts for similar patterns in the future
Warning: High volumes of Event ID 4663 can indicate either legitimate bulk operations or potential data exfiltration attempts. Always correlate with other security events.
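Grouping by user and object (step 1 above) catches repeated hits on one file but misses the pattern the warning describes: one user and process sweeping through many different audited objects in a short time. This added script (not part of the original article) applies a sliding time window per user/process pair and counts distinct objects inside it; the 5-minute window and the threshold of 25 objects are assumptions to tune for your environment.

```powershell
# Added example: flag a user/process pair that touches many distinct audited objects
# within a short window (bulk copy or staging behaviour), rather than one object repeatedly.
$WindowMinutes = 5
$DistinctObjectThreshold = 25
$Since = (Get-Date).AddHours(-24)

$Records = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $Data = @{}
        foreach ($Node in ([xml]$_.ToXml()).Event.EventData.Data) { $Data[$Node.Name] = $Node.'#text' }
        [PSCustomObject]@{
            Time    = $_.TimeCreated
            Actor   = "$($Data['SubjectDomainName'])\$($Data['SubjectUserName'])"
            Process = $Data['ProcessName']
            Object  = $Data['ObjectName']
        }
    }

$Alerts = foreach ($Group in ($Records | Group-Object Actor, Process)) {
    # Sliding window over this pair's events in time order: $Start advances until the
    # span [$Start..$End] fits inside the window, then the distinct objects are counted.
    $Items  = @($Group.Group | Sort-Object Time)
    $Window = [TimeSpan]::FromMinutes($WindowMinutes)
    $Start  = 0
    for ($End = 0; $End -lt $Items.Count; $End++) {
        while (($Items[$End].Time - $Items[$Start].Time) -gt $Window) { $Start++ }
        $Distinct = @($Items[$Start..$End].Object | Sort-Object -Unique).Count
        if ($Distinct -ge $DistinctObjectThreshold) {
            [PSCustomObject]@{
                Actor           = $Items[0].Actor
                Process         = $Items[0].Process
                WindowStart     = $Items[$Start].Time
                WindowEnd       = $Items[$End].Time
                DistinctObjects = $Distinct
            }
            break   # one alert per actor/process pair; the window tells you where to look
        }
    }
}

$Alerts | Sort-Object DistinctObjects -Descending | Format-Table -AutoSize
```

Backup agents and antivirus scanners will trip this rule legitimately; allow-list their process paths after confirming them rather than raising the threshold for everyone.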
05

Optimize Audit Logging and Performance

Fine-tune object access auditing to balance security monitoring needs with system performance and log storage requirements.

  1. Analyze current audit log volume and performance impact:
    # Check Security log size and event count
    Get-WinEvent -ListLog Security | Select-Object LogName, RecordCount, MaximumSizeInBytes, LogFilePath
    
    # Count 4663 events in the last 24 hours
    $Count = (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=(Get-Date).AddDays(-1)} -ErrorAction SilentlyContinue).Count
    Write-Host "Event ID 4663 count (24h): $Count"
  2. Configure advanced audit policy to reduce noise:
    # auditpol tunes whole subcategories, not individual processes: keep success and
    # failure auditing for File System, and drop failure auditing for Registry to cut noise
    auditpol /set /subcategory:"File System" /success:enable /failure:enable
    auditpol /set /subcategory:"Registry" /success:enable /failure:disable
  3. Implement conditional auditing using Expression-Based Audit Policies in Group Policy:
    • Create conditions based on user groups, process names, or object paths
    • Use staging mode to test audit policies before full deployment
  4. Configure Security log retention and archival:
    # Increase Security log size (requires restart)
    Limit-EventLog -LogName Security -MaximumSize 512MB -OverflowAction OverwriteAsNeeded
  5. Set up log forwarding to centralized SIEM or log management system:
    # Configure Windows Event Forwarding subscription
    wecutil cs subscription.xml
  6. Monitor system performance impact and adjust auditing scope as needed
Pro tip: Use Windows Performance Toolkit (WPT) to measure the performance impact of object access auditing on your specific workloads.

Overview

Event ID 4663 fires whenever a process attempts to access a securable object like files, folders, registry keys, or named pipes when object access auditing is enabled. This event is part of Windows' advanced security auditing framework and provides detailed information about who accessed what object, when, and with what permissions.

The event captures both successful and failed access attempts, making it invaluable for security monitoring, compliance reporting, and forensic investigations. Unlike basic file access logging, Event ID 4663 provides granular details including the specific access rights requested, the process that initiated the access, and the security context under which the access occurred.

This event only appears when you've configured object access auditing through Group Policy or local security policy. Without proper audit policy configuration, Windows won't generate these events, which is why many administrators don't see them in default installations. The event works in conjunction with Event ID 4656 (handle to object was requested) and Event ID 4658 (handle to object was closed) to provide a complete picture of object access patterns.
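The three events share a HandleId and ProcessId, which is what lets you reconstruct the life of a handle: requested, used (possibly several times, once per access type), closed. This added script (not part of the original article) joins them into one record per handle; it assumes Handle Manipulation auditing is on so that 4658 is logged, and it treats a 4656 carrying the Audit Failure keyword as a denied request, which never produces a 4663.

```powershell
# Added example: stitch 4656 (handle requested), 4663 (object accessed) and 4658
# (handle closed) into one record per handle. HandleId is only unique while the
# handle is open, so the key includes ProcessId and a handle is retired at its 4658.
$Since  = (Get-Date).AddHours(-1)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4656,4663,4658; StartTime=$Since} -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated   # Get-WinEvent returns newest first; the state machine needs oldest first

$Open   = @{}
$Report = foreach ($Event in $Events) {
    $Data = @{}
    foreach ($Node in ([xml]$Event.ToXml()).Event.EventData.Data) { $Data[$Node.Name] = $Node.'#text' }
    $Key = "$($Data['ProcessId'])|$($Data['HandleId'])"
    switch ($Event.Id) {
        4656 {
            $Record = [PSCustomObject]@{
                User = $Data['SubjectUserName']; Process = $Data['ProcessName']; Object = $Data['ObjectName']
                Requested = $Data['AccessMask']; Outcome = 'Granted'
                Opened = $Event.TimeCreated; Closed = $null; Used = @()
            }
            # A failed 4656 is an access-denied decision: no handle exists, so emit it now
            if ($Event.KeywordsDisplayNames -contains 'Audit Failure') { $Record.Outcome = 'Denied'; $Record }
            else { $Open[$Key] = $Record }
        }
        4663 { if ($Open.ContainsKey($Key)) { $Open[$Key].Used += $Data['AccessMask'] } }
        4658 {
            if ($Open.ContainsKey($Key)) { $Open[$Key].Closed = $Event.TimeCreated; $Open[$Key]; $Open.Remove($Key) }
        }
    }
}
$Report += @($Open.Values)   # handles still open, or whose 4658 fell outside the time window

# Requested vs Used shows handles opened with broad rights but never exercised, and
# Denied rows are the failures that 4663 alone would never reveal.
$Report | Sort-Object Opened |
    Select-Object User, Process, Object, Outcome, Requested,
        @{ n = 'Used'; e = { ($_.Used | Sort-Object -Unique) -join ',' } }, Opened, Closed |
    Format-Table -AutoSize
```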

Frequently Asked Questions

What does Event ID 4663 mean and when does it appear?
Event ID 4663 indicates that a process attempted to access a securable object like a file, folder, registry key, or named pipe. It only appears when object access auditing is enabled through Group Policy or local security policy. The event provides detailed information about who accessed what object, when, and with what permissions, making it essential for security monitoring and compliance reporting.
Why am I not seeing Event ID 4663 in my Event Viewer?
Event ID 4663 requires explicit configuration to appear. You must enable object access auditing in the Advanced Audit Policy Configuration under Security Settings. Additionally, you need to configure System Access Control Lists (SACLs) on specific objects you want to monitor, or use Global Object Access Auditing policies. Without these configurations, Windows won't generate Event ID 4663 entries.
How can I reduce the volume of Event ID 4663 entries without losing important security information?
Use targeted auditing strategies: configure SACLs only on sensitive objects rather than entire drives, exclude system processes that generate excessive noise, use Expression-Based Audit Policies to create conditional rules, and focus on failure events for security monitoring while limiting success events to critical objects. Also consider using Global Object Access Auditing with specific include/exclude filters.
What's the difference between Event ID 4663 and Event ID 4656?
Event ID 4656 logs when a handle to an object is requested (the initial access attempt), while Event ID 4663 logs when the object is actually accessed through that handle. Event ID 4656 occurs first and indicates intent to access, while 4663 confirms the actual access occurred. For complete object access tracking, you typically need both events enabled, along with Event ID 4658 which logs when the handle is closed.
Can Event ID 4663 help detect data exfiltration or insider threats?
Yes, Event ID 4663 is valuable for detecting suspicious access patterns that may indicate data exfiltration or insider threats. Look for unusual access volumes, after-hours access to sensitive files, access from unexpected processes or user accounts, and patterns of accessing multiple sensitive files in short timeframes. Correlate these events with network traffic logs and user behavior analytics for comprehensive threat detection.
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
