ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard displaying Event Viewer security logs in a professional SOC environment
Event ID 4866InformationSecurityWindows

Windows Event ID 4866 – Security: Object Operation Attempted

Event ID 4866 indicates an attempt to perform an operation on a security object, typically related to file system or registry access control modifications in Windows environments.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4866Security 5 methods 12 min
Event Reference

What This Event Means

Event ID 4866 represents a comprehensive security auditing mechanism within Windows that monitors attempts to perform operations on security objects. When this event fires, it indicates that a user or process has attempted to modify, access, or manipulate the security attributes of a system object such as files, folders, registry keys, or other securable resources.

The event captures critical forensic information including the Security Identifier (SID) of the requesting account, the target object's path or identifier, the specific operation requested, and the outcome of the attempt. This granular logging capability makes Event ID 4866 invaluable for security teams implementing defense-in-depth strategies and compliance frameworks requiring detailed access logging.

In Windows Server 2025 and Windows 11 24H2 environments, this event has been enhanced with additional context fields and improved correlation capabilities. The event integrates with Windows Defender Advanced Threat Protection (ATP) and Microsoft Sentinel for automated threat detection and response workflows.

Organizations typically see this event during legitimate administrative activities such as permission changes, backup operations, or security software scans. However, unusual patterns or unexpected sources can indicate potential security incidents requiring immediate investigation.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrative permission changes on files, folders, or registry keys
  • Security software performing deep system scans or real-time protection activities
  • Backup and restore operations accessing protected system resources
  • Group Policy application modifying security descriptors on system objects
  • Windows Update or system maintenance tasks updating file permissions
  • Third-party applications attempting to access restricted system areas
  • Malware or unauthorized software trying to modify security settings
  • User account privilege escalation attempts
  • System service startup or configuration changes affecting security objects
Resolution Methods

Troubleshooting Steps

01

Analyze Event Details in Event Viewer

Start by examining the complete event details to understand the context and scope of the security object operation.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4866 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 4866 in the Event IDs field and click OK
  5. Double-click on recent Event ID 4866 entries to examine details including:
    • Subject Security ID and Account Name
    • Object Server and Type
    • Object Name (file path or registry key)
    • Handle ID and Process Information
    • Access Request Information
  6. Note the timestamp patterns and frequency to identify normal vs. suspicious activity
Pro tip: Export filtered results to CSV for analysis in Excel or PowerBI using the Actions menu in Event Viewer.
02

PowerShell Investigation and Correlation

Use PowerShell to query and analyze Event ID 4866 occurrences with advanced filtering and correlation capabilities.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 4866 entries:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4866} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter by specific user account or time range:
    $StartTime = (Get-Date).AddHours(-24)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4866; StartTime=$StartTime}
$Events | Where-Object {$_.Message -like '*username*'}
  4. Extract and analyze object paths being accessed:
    $Events | ForEach-Object {
    $Message = $_.Message
    if ($Message -match 'Object Name:\s+(.+)') {
        [PSCustomObject]@{
            Time = $_.TimeCreated
            ObjectName = $matches[1].Trim()
            User = ($Message | Select-String 'Account Name:\s+(.+)').Matches[0].Groups[1].Value
        }
    }
} | Group-Object ObjectName | Sort-Object Count -Descending
  5. Check for correlation with other security events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=@(4656,4658,4663,4866); StartTime=$StartTime} | Sort-Object TimeCreated
03

Configure Advanced Audit Policies

Optimize audit policy settings to ensure proper Event ID 4866 logging while managing log volume effectively.

  1. Open Local Security Policy by running secpol.msc as Administrator
  2. Navigate to Advanced Audit Policy ConfigurationObject Access
  3. Configure the following policies:
    • Audit File System: Enable Success and Failure
    • Audit Registry: Enable Success and Failure
    • Audit Handle Manipulation: Enable Success for detailed tracking
  4. Apply settings via Group Policy for domain environments:
    gpupdate /force
  5. Verify current audit settings:
    auditpol /get /category:"Object Access"
  6. Configure specific file or registry auditing using icacls:
    # Enable auditing on specific folder
icacls "C:\Critical\Path" /setowner Administrators /T
icacls "C:\Critical\Path" /grant:r Everyone:(OI)(CI)F /T
Warning: Excessive audit logging can impact system performance and generate large log files. Configure auditing selectively on critical resources only.
04

Process and Handle Analysis

Investigate the processes and handles associated with Event ID 4866 to identify the root cause and assess security implications.

  1. Extract process information from Event ID 4866 details:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4866} -MaxEvents 100
$ProcessInfo = $Events | ForEach-Object {
    $Message = $_.Message
    if ($Message -match 'Process Name:\s+(.+)') {
        $ProcessName = $matches[1].Trim()
        if ($Message -match 'Process ID:\s+(\w+)') {
            $ProcessId = $matches[1].Trim()
            [PSCustomObject]@{
                Time = $_.TimeCreated
                ProcessName = $ProcessName
                ProcessId = $ProcessId
            }
        }
    }
}
$ProcessInfo | Group-Object ProcessName | Sort-Object Count -Descending
  2. Cross-reference with running processes:
    Get-Process | Where-Object {$_.ProcessName -in ($ProcessInfo.ProcessName | Select-Object -Unique)}
  3. Check process digital signatures and reputation:
    $ProcessInfo.ProcessName | Select-Object -Unique | ForEach-Object {
    $Signature = Get-AuthenticodeSignature $_
    [PSCustomObject]@{
        Process = $_
        Status = $Signature.Status
        Signer = $Signature.SignerCertificate.Subject
    }
}
  4. Monitor handle usage patterns using Process Monitor or PowerShell:
    # Get handle information for suspicious processes
Get-Process | Where-Object {$_.ProcessName -eq 'suspicious_process'} | Select-Object Id, ProcessName, Handles
05

Advanced Threat Hunting and Response

Implement comprehensive threat hunting techniques to identify potential security incidents related to Event ID 4866 patterns.

  1. Create a baseline of normal Event ID 4866 activity:
    # Collect 7 days of baseline data
$BaselineStart = (Get-Date).AddDays(-7)
$BaselineEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4866; StartTime=$BaselineStart}
$Baseline = $BaselineEvents | Group-Object @{Expression={$_.TimeCreated.Hour}} | Select-Object Name, Count
$Baseline | Export-Csv "C:\Temp\Event4866_Baseline.csv" -NoTypeInformation
  2. Implement anomaly detection for unusual patterns:
    # Detect unusual access patterns
$RecentEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4866} -MaxEvents 1000
$HourlyCount = $RecentEvents | Group-Object @{Expression={$_.TimeCreated.Hour}} | Select-Object Name, Count
$Anomalies = $HourlyCount | Where-Object {$_.Count -gt ($Baseline | Where-Object {$_.Name -eq $_.Name}).Count * 3}
  3. Set up automated monitoring with Windows Task Scheduler:
    # Create monitoring script
$ScriptPath = "C:\Scripts\Monitor4866.ps1"
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File $ScriptPath"
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15)
Register-ScheduledTask -TaskName "Monitor Event 4866" -Action $Action -Trigger $Trigger
  4. Integrate with SIEM or Microsoft Sentinel:
    # Export events in JSON format for SIEM ingestion
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4866} -MaxEvents 100
$Events | Select-Object TimeCreated, Id, LevelDisplayName, Message | ConvertTo-Json | Out-File "C:\Logs\Event4866_Export.json"
  5. Implement incident response procedures for confirmed threats:
    • Isolate affected systems from network
    • Preserve forensic evidence
    • Analyze related security events (4624, 4625, 4648)
    • Review user account activities and privileges
    • Update security policies and access controls
Pro tip: Use Windows Performance Toolkit (WPT) for advanced system tracing when investigating complex security incidents involving Event ID 4866.

Overview

Event ID 4866 fires when Windows Security Auditing detects an attempt to perform an operation on a security object. This event typically occurs during file system access control list (ACL) modifications, registry security descriptor changes, or other security-related object operations. The event captures both successful and failed attempts to modify security attributes on system objects.

This event is part of Windows Advanced Audit Policy Configuration and requires Object Access auditing to be enabled. It commonly appears in enterprise environments where administrators monitor security changes to critical system resources. The event provides detailed information about the user account, target object, and specific operation attempted.

Understanding Event ID 4866 is crucial for security monitoring, compliance auditing, and forensic investigations. It helps track unauthorized access attempts and legitimate administrative changes to system security configurations.

Frequently Asked Questions

What does Event ID 4866 specifically indicate in Windows security logs?+
Event ID 4866 indicates that an attempt was made to perform an operation on a security object within the Windows system. This includes operations like modifying access control lists (ACLs), changing file or registry permissions, or accessing protected system resources. The event captures both successful and failed attempts, providing detailed information about the user account, target object, and specific operation requested. It's generated when Windows Security Auditing detects these security-related activities and is essential for monitoring unauthorized access attempts and legitimate administrative changes.
How can I distinguish between legitimate and suspicious Event ID 4866 occurrences?+
To distinguish legitimate from suspicious Event ID 4866 events, analyze several key factors: timing patterns (legitimate admin work typically occurs during business hours), user accounts involved (known admin accounts vs. unexpected users), target objects (system files vs. user data), and process names (known system processes vs. unusual executables). Establish a baseline of normal activity patterns and look for anomalies such as unusual access times, unfamiliar processes, or attempts to access sensitive system areas. Cross-reference with other security events and verify that administrative activities align with scheduled maintenance or known business processes.
Why am I seeing frequent Event ID 4866 entries and should I be concerned?+
Frequent Event ID 4866 entries are often normal in active Windows environments, especially on servers or systems with security software, backup solutions, or regular administrative activities. Common legitimate causes include antivirus scans, Windows Updates, Group Policy applications, and backup operations. However, you should investigate if you notice unusual patterns such as access attempts outside business hours, unfamiliar user accounts, or targeting of sensitive system files. Monitor the frequency, timing, and context of these events. If they correlate with system performance issues or other security alerts, conduct a deeper investigation to rule out malicious activity.
How do I configure Windows to generate Event ID 4866 for specific files or folders?+
To configure Windows to generate Event ID 4866 for specific resources, you need to enable Object Access auditing in the Advanced Audit Policy and configure auditing on target objects. First, enable 'Audit File System' and 'Audit Registry' policies in Local Security Policy under Advanced Audit Policy Configuration. Then, use the icacls command or File Properties Security tab to enable auditing on specific files or folders. For example, run 'icacls C:\SensitiveFolder /setowner Administrators /T' followed by configuring SACL (System Access Control List) entries. This selective approach helps manage log volume while monitoring critical resources effectively.
Can Event ID 4866 help detect advanced persistent threats (APTs) in my environment?+
Yes, Event ID 4866 can be valuable for detecting APT activities, particularly during the lateral movement and privilege escalation phases. APTs often attempt to access sensitive files, modify security settings, or manipulate system configurations, which generate Event ID 4866 entries. Look for patterns such as unusual access to system files, attempts to modify security descriptors on critical resources, or access from compromised accounts to sensitive areas. Combine Event ID 4866 analysis with other security events (4624, 4625, 4648) and implement correlation rules in your SIEM. However, APT detection requires comprehensive monitoring beyond just this event, including network traffic analysis, endpoint detection, and behavioral analytics.
Documentation

References (2)

1
Microsoft Security Auditing Events DocumentationComprehensive guide to Windows security auditing events and configurationhttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Audit Policy ConfigurationOfficial documentation for configuring advanced audit policies in Windowshttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4866#security-auditing#object-access

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...