ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard displaying event logs and audit information in a cybersecurity operations center
Event ID 4890InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4890 – Microsoft-Windows-Security-Auditing: A handle to an object was requested

Event ID 4890 logs when a process requests a handle to a system object. This security audit event tracks object access attempts for compliance and security monitoring purposes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4890Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4890 represents a fundamental component of Windows' security auditing infrastructure. When enabled through Group Policy or local security policy, this event captures every attempt by a process to obtain a handle to a system object. The handle request is the first step in the Windows object access model – before any process can interact with a file, registry key, process, or other system resource, it must first obtain a handle.

The event provides granular details about the access attempt, including the specific access rights being requested (read, write, execute, delete, etc.), the object's security descriptor, and whether the request was granted or denied. This information is crucial for understanding access patterns and identifying potential security violations.

Modern Windows versions generate this event for various object types including files, directories, registry keys, named pipes, processes, threads, tokens, and synchronization objects. The event's rich metadata enables correlation with other security events to build comprehensive audit trails. Security teams use this event to monitor privileged access, track data exfiltration attempts, and ensure compliance with regulatory requirements like SOX, HIPAA, and GDPR.

The event's frequency can be substantial in busy environments, making proper filtering and analysis tools essential. Windows Event Forwarding (WEF) and centralized logging solutions help manage the volume while preserving critical security insights.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Process attempting to open a file or directory handle
  • Application accessing registry keys or values
  • Service requesting handle to another process or thread
  • Security software scanning system objects
  • Backup software accessing files for backup operations
  • System maintenance tasks accessing protected resources
  • User applications opening documents or executables
  • Malware attempting to access sensitive system objects
  • Administrative tools performing system management tasks
  • Windows Update accessing system files during updates
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the event details to understand the context and scope of the object access request.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4890 by right-clicking the Security log and selecting Filter Current Log
  4. In the filter dialog, enter 4890 in the Event IDs field
  5. Double-click on a 4890 event to view detailed information including:
    • Subject: User account making the request
    • Object: Target object path and type
    • Process Information: Executable name and process ID
    • Access Request Information: Requested access rights
  6. Note the Object Name field to identify which resource was accessed
  7. Check the Access Mask value to understand requested permissions
Pro tip: Use the Details tab in XML view to see all available fields for programmatic analysis.
02

Query Events with PowerShell

Use PowerShell to efficiently query and analyze Event ID 4890 occurrences across time ranges and specific criteria.

  1. Open PowerShell as Administrator
  2. Query recent 4890 events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4890} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter events by specific object types:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4890; StartTime=(Get-Date).AddHours(-24)} | Where-Object {$_.Message -like "*\Windows\System32\*"}
  4. Extract key information from events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4890} -MaxEvents 100 | ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        SubjectUserName = $xml.Event.EventData.Data[1].'#text'
        ObjectName = $xml.Event.EventData.Data[6].'#text'
        ProcessName = $xml.Event.EventData.Data[9].'#text'
        AccessMask = $xml.Event.EventData.Data[10].'#text'
    }
}
  5. Export results for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4890; StartTime=(Get-Date).AddDays(-7)} | Export-Csv -Path "C:\Temp\Event4890_Analysis.csv" -NoTypeInformation
Warning: Querying large numbers of security events can impact system performance. Use time filters and MaxEvents parameter appropriately.
03

Configure Object Access Auditing Policies

Properly configure auditing policies to control when Event ID 4890 is generated and ensure you're capturing the right level of detail.

  1. Open Group Policy Management Console or Local Group Policy Editor (gpedit.msc)
  2. Navigate to Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy ConfigurationObject Access
  3. Configure the following policies based on your monitoring needs:
    • Audit File System: Enable for file and folder access
    • Audit Registry: Enable for registry key access
    • Audit Handle Manipulation: Enable for handle operations
    • Audit Kernel Object: Enable for system object access
  4. Set each policy to Success and Failure for comprehensive monitoring
  5. Apply the policy using:
    gpupdate /force
  6. Verify policy application:
    auditpol /get /category:"Object Access"
  7. For specific file/folder auditing, configure SACL (System Access Control List):
    icacls "C:\Sensitive\" /grant "Everyone:(OI)(CI)F" /audit "Everyone:(OI)(CI)F"
Pro tip: Use Advanced Audit Policy Configuration instead of basic audit policies for granular control and better performance.
04

Analyze Access Patterns and Correlate Events

Perform advanced analysis to identify suspicious patterns, correlate with other security events, and build comprehensive audit trails.

  1. Create a PowerShell script to analyze access patterns:
    # Analyze 4890 events for unusual patterns
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4890; StartTime=(Get-Date).AddDays(-1)}

$analysis = $events | ForEach-Object {
    $xml = [xml]$_.ToXml()
    [PSCustomObject]@{
        Time = $_.TimeCreated
        User = $xml.Event.EventData.Data[1].'#text'
        Object = $xml.Event.EventData.Data[6].'#text'
        Process = $xml.Event.EventData.Data[9].'#text'
        AccessMask = $xml.Event.EventData.Data[10].'#text'
    }
}

# Group by user to identify high-volume access
$analysis | Group-Object User | Sort-Object Count -Descending | Select-Object Name, Count
  2. Correlate with logon events (4624) to track user sessions:
    $logons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=(Get-Date).AddHours(-2)}
$objectAccess = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4890; StartTime=(Get-Date).AddHours(-2)}

# Cross-reference logon times with object access
  3. Identify access to sensitive locations:
    $sensitiveObjects = @("*\Windows\System32\config\*", "*\Users\*\Documents\*", "*\Program Files\*")
$events | Where-Object {$_.Message -match ($sensitiveObjects -join "|")}
  4. Set up automated monitoring with scheduled tasks:
    $action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\Monitor4890.ps1"
$trigger = New-ScheduledTaskTrigger -Daily -At "09:00"
Register-ScheduledTask -TaskName "Monitor4890Events" -Action $action -Trigger $trigger
  5. Export findings to SIEM or log analysis platform for long-term trending
Pro tip: Combine Event ID 4890 with 4656 (handle requested), 4658 (handle closed), and 4663 (object accessed) for complete object access lifecycle tracking.
05

Implement Advanced Monitoring and Alerting

Deploy enterprise-grade monitoring solutions to handle high-volume 4890 events and implement intelligent alerting for security incidents.

  1. Configure Windows Event Forwarding (WEF) for centralized collection:
    # On collector server
wecutil cs subscription.xml

# subscription.xml content:
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>Security4890Collection</SubscriptionId>
    <Query><![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[EventID=4890]]</Select>
            </Query>
        </QueryList>
    ]]></Query>
</Subscription>
  2. Set up custom Windows Performance Toolkit (WPT) traces for detailed analysis:
    wpr -start GeneralProfile -start CPU -start FileIO
  3. Configure Microsoft Sentinel (if available) with custom KQL queries:
    SecurityEvent
| where EventID == 4890
| where TimeGenerated > ago(1h)
| summarize count() by Account, ObjectName
| where count_ > 100
  4. Implement PowerShell-based real-time monitoring:
    # Real-time event monitoring
Register-WmiEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Security' AND EventCode=4890" -Action {
    $event = $Event.SourceEventArgs.NewEvent
    if ($event.Message -match "sensitive_pattern") {
        Send-MailMessage -To "security@company.com" -Subject "Suspicious 4890 Event" -Body $event.Message
    }
}
  5. Create custom Event Log views for rapid triage:
    • Open Event ViewerCustom ViewsCreate Custom View
    • Filter by Event ID 4890 and specific criteria
    • Save as "Critical Object Access" for quick access
  6. Integrate with third-party SIEM solutions using standard syslog forwarding or API connectors
Warning: High-frequency 4890 events can overwhelm logging infrastructure. Implement proper filtering and retention policies to manage storage and performance impact.

Overview

Event ID 4890 fires when a process requests a handle to a system object such as files, registry keys, processes, or threads. This event is part of Windows' object access auditing framework and appears in the Security log when object access auditing policies are enabled. The event captures critical details including the requesting process, target object, access rights requested, and the security context under which the request was made.

This event is essential for security monitoring, compliance auditing, and forensic investigations. It helps administrators track who accessed what resources and when, making it invaluable for detecting unauthorized access attempts or suspicious activity patterns. The event fires before the actual access occurs, logging the intent to access rather than successful access completion.

In Windows Server 2025 and Windows 11 24H2, Microsoft enhanced the event's context information to include additional process telemetry and improved correlation with other security events. The event integrates with Windows Defender Advanced Threat Protection (ATP) and Microsoft Sentinel for advanced threat detection scenarios.

Frequently Asked Questions

What does Event ID 4890 mean and when does it occur?+
Event ID 4890 indicates that a process has requested a handle to a system object. This event occurs whenever any application, service, or system process attempts to access files, registry keys, processes, threads, or other Windows objects. The event is generated before the actual access occurs, logging the intent and requested permissions. It's part of Windows' object access auditing framework and only appears when appropriate audit policies are enabled. The event provides crucial information for security monitoring, including the requesting process, target object, user context, and specific access rights requested.
How can I reduce the volume of Event ID 4890 events without losing security visibility?+
To manage 4890 event volume while maintaining security coverage, implement targeted auditing strategies. Use Advanced Audit Policy Configuration to enable auditing only for critical object types like 'Audit File System' for sensitive directories rather than all file access. Configure System Access Control Lists (SACLs) on specific high-value targets instead of broad system-wide auditing. Implement event filtering at the collection level using Windows Event Forwarding subscriptions with XPath queries to capture only events matching specific criteria. Consider using success-only auditing for routine operations and success/failure for sensitive resources. Deploy centralized logging with intelligent filtering rules that prioritize events based on object sensitivity, user privilege level, and access patterns.
Can Event ID 4890 help detect malware or unauthorized access attempts?+
Yes, Event ID 4890 is valuable for detecting malicious activity and unauthorized access. Malware often generates distinctive 4890 patterns when accessing system files, registry keys, or attempting to inject into processes. Look for unusual access patterns such as non-standard processes accessing sensitive system directories, high-frequency access attempts from single processes, or access to typically unused system objects. Correlate 4890 events with process creation events (4688) to identify suspicious executable behavior. Monitor for access attempts to security-related registry keys, system configuration files, or user credential stores. Establish baselines of normal object access patterns and alert on deviations. The event's rich metadata enables correlation with threat intelligence feeds and behavioral analysis to identify advanced persistent threats and insider threats.
What's the difference between Event ID 4890 and other object access events like 4656 and 4663?+
Event ID 4890, 4656, and 4663 represent different stages of the Windows object access lifecycle. Event 4890 occurs when a handle to an object is requested - this is the initial attempt to access. Event 4656 fires when a handle is successfully opened, indicating the access request was granted. Event 4663 logs when the object is actually accessed or used through the opened handle. This sequence provides complete audit trail: 4890 (request) → 4656 (handle opened) → 4663 (object accessed) → 4658 (handle closed). For comprehensive monitoring, analyze all these events together. Event 4890 is useful for detecting access attempts even if they fail, while 4663 shows successful data access. The combination helps distinguish between reconnaissance attempts and actual data exfiltration.
How do I troubleshoot missing Event ID 4890 events when I expect them to be generated?+
Missing 4890 events typically result from incorrect audit policy configuration or insufficient permissions. First, verify that object access auditing is enabled using 'auditpol /get /category:"Object Access"' - ensure relevant subcategories show 'Success and Failure'. Check that Advanced Audit Policy Configuration is being used rather than legacy audit policies, as they can conflict. Verify that System Access Control Lists (SACLs) are properly configured on target objects using 'icacls filename /audit'. Confirm the Security log isn't full or being cleared frequently. Check Group Policy application with 'gpresult /r' to ensure audit policies are applied correctly. Verify that the account generating the events has 'Generate security audits' privilege. Test with a simple file access scenario first, then expand to more complex objects. Remember that some system processes may be excluded from auditing by default for performance reasons.
Documentation

References (2)

1
Microsoft Learn - Advanced Security Audit PoliciesComprehensive guide to configuring advanced audit policies including object access auditing and Event ID 4890 generation.https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policies
2
Microsoft Security Compliance ToolkitOfficial toolkit containing security baselines and audit policy recommendations for Windows systems.https://www.microsoft.com/en-us/download/details.aspx?id=55319
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4890#security-auditing#object-access

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...