ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard displaying Event ID 4907 object access audit logs in a professional SOC environment
Event ID 4907InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4907 – Microsoft-Windows-Security-Auditing: A handle to an object was requested

Event ID 4907 logs when a process requests a handle to a system object. This security audit event tracks object access attempts for compliance and security monitoring purposes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 4907Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 4907 represents a fundamental component of Windows' security auditing infrastructure. When enabled, this event provides granular visibility into object access patterns across the system. The event captures the moment when a process requests a handle to access a system object, regardless of whether the access is ultimately granted or denied.

The event contains rich metadata including the process ID, thread ID, user account context, object name, object type, and the specific access rights being requested. This information enables security teams to build comprehensive access patterns and identify potential security violations or policy breaches.

In Windows Server 2025 and Windows 11 24H2, Microsoft enhanced the event structure to include additional context about the requesting application and improved correlation with other security events. The event integrates seamlessly with Windows Defender Advanced Threat Protection (ATP) and Microsoft Sentinel for advanced threat detection scenarios.

Organizations typically see high volumes of Event ID 4907 when object access auditing is enabled, making proper filtering and analysis tools essential for effective monitoring. The event is particularly valuable when investigating data exfiltration attempts, privilege escalation, or unauthorized system modifications.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Process attempting to open a file handle for read, write, or execute operations
  • Application requesting access to registry keys for configuration or data storage
  • Service or driver requesting handles to system objects like processes or threads
  • Security software performing system scans and accessing protected objects
  • User applications accessing network shares or mapped drives
  • System maintenance tools accessing system files or directories
  • Backup software requesting access to files and folders
  • Antivirus engines scanning files and requesting object handles
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 4907 to understand the access request context.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4907 by right-clicking the Security log and selecting Filter Current Log
  4. In the filter dialog, enter 4907 in the Event IDs field and click OK
  5. Double-click on a 4907 event to view detailed information including:
    • Subject: User account making the request
    • Object: Target object name and type
    • Process Information: Process ID and name
    • Access Request Information: Requested access rights
  6. Note the Object Name field to identify which specific object was accessed
  7. Check the Access Mask value to understand the type of access requested
Pro tip: Use the Details tab in XML view for programmatic parsing of event data.
02

Query Events with PowerShell

Use PowerShell to efficiently query and analyze Event ID 4907 occurrences across time ranges.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 4907 entries:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4907} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Filter events by specific time range:
    $StartTime = (Get-Date).AddHours(-24)
$EndTime = Get-Date
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4907; StartTime=$StartTime; EndTime=$EndTime}
  4. Extract specific event properties for analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4907} -MaxEvents 100 | ForEach-Object {
    $Event = [xml]$_.ToXml()
    [PSCustomObject]@{
        TimeCreated = $_.TimeCreated
        ProcessName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text'
        ObjectName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'ObjectName'} | Select-Object -ExpandProperty '#text'
        SubjectUserName = $Event.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
    }
}
  5. Export results to CSV for further analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4907} -MaxEvents 1000 | Export-Csv -Path "C:\Temp\Event4907_Analysis.csv" -NoTypeInformation
Warning: Large queries may impact system performance. Use -MaxEvents parameter to limit results.
03

Configure Object Access Auditing Policy

Properly configure auditing policies to ensure Event ID 4907 captures relevant security events without overwhelming the system.

  1. Open Local Group Policy Editor by running gpedit.msc
  2. Navigate to Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy ConfigurationAudit PoliciesObject Access
  3. Configure the following policies:
    • Audit File System: Set to Success and Failure for comprehensive monitoring
    • Audit Registry: Enable for registry access monitoring
    • Audit Handle Manipulation: Enable to track handle operations
  4. Apply specific auditing to critical objects using auditpol.exe:
    auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
  5. Configure SACL (System Access Control List) on specific files or folders:
    $Path = "C:\Sensitive\Data"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone", "FullControl", "ContainerInherit,ObjectInherit", "None", "Success,Failure")
$ACL = Get-Acl $Path
$ACL.SetAuditRule($AccessRule)
Set-Acl -Path $Path -AclObject $ACL
  6. Verify current audit policy settings:
    auditpol /get /category:"Object Access"
Pro tip: Start with selective auditing on critical objects before enabling system-wide auditing to manage log volume.
04

Analyze Access Patterns and Correlate Events

Perform advanced analysis to identify suspicious access patterns and correlate Event ID 4907 with other security events.

  1. Create a PowerShell script to analyze access patterns:
    # Analyze Event 4907 patterns
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4907} -MaxEvents 5000
$Analysis = $Events | ForEach-Object {
    $Event = [xml]$_.ToXml()
    $EventData = $Event.Event.EventData.Data
    [PSCustomObject]@{
        Time = $_.TimeCreated
        User = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
        Process = ($EventData | Where-Object {$_.Name -eq 'ProcessName'}).'#text'
        Object = ($EventData | Where-Object {$_.Name -eq 'ObjectName'}).'#text'
        AccessMask = ($EventData | Where-Object {$_.Name -eq 'AccessMask'}).'#text'
    }
}

# Group by user and process to identify patterns
$UserPatterns = $Analysis | Group-Object User | Sort-Object Count -Descending
$ProcessPatterns = $Analysis | Group-Object Process | Sort-Object Count -Descending

Write-Host "Top Users by Access Requests:"
$UserPatterns | Select-Object Name, Count | Format-Table

Write-Host "Top Processes by Access Requests:"
$ProcessPatterns | Select-Object Name, Count | Format-Table
  2. Correlate with failed logon events (Event ID 4625):
    # Find potential correlation between failed logons and object access
$FailedLogons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 1000
$ObjectAccess = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4907} -MaxEvents 1000

# Analyze time correlation (within 5 minutes)
$Correlations = foreach ($Logon in $FailedLogons) {
    $LogonTime = $Logon.TimeCreated
    $RelatedAccess = $ObjectAccess | Where-Object {
        $_.TimeCreated -gt $LogonTime.AddMinutes(-5) -and
        $_.TimeCreated -lt $LogonTime.AddMinutes(5)
    }
    if ($RelatedAccess) {
        [PSCustomObject]@{
            FailedLogonTime = $LogonTime
            RelatedAccessCount = $RelatedAccess.Count
            AccessEvents = $RelatedAccess
        }
    }
}
  3. Set up automated monitoring with Windows Task Scheduler:
    # Create monitoring script
$ScriptPath = "C:\Scripts\Monitor4907.ps1"
$ScriptContent = @'
$RecentEvents = Get-WinEvent -FilterHashtable @{LogName="Security"; Id=4907; StartTime=(Get-Date).AddMinutes(-15)}
if ($RecentEvents.Count -gt 100) {
    Write-EventLog -LogName Application -Source "Security Monitor" -EventId 1001 -EntryType Warning -Message "High volume of Event ID 4907 detected: $($RecentEvents.Count) events in last 15 minutes"
}
'@
$ScriptContent | Out-File -FilePath $ScriptPath -Encoding UTF8

# Register scheduled task
Register-ScheduledTask -TaskName "Monitor Event 4907" -Trigger (New-ScheduledTaskTrigger -RepetitionInterval (New-TimeSpan -Minutes 15) -Once -At (Get-Date)) -Action (New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File $ScriptPath")
05

Implement Advanced Filtering and SIEM Integration

Configure advanced filtering and integrate Event ID 4907 with Security Information and Event Management (SIEM) systems for enterprise monitoring.

  1. Create custom XML filters for Event Viewer:
    <QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[EventID=4907]] and
      *[EventData[Data[@Name='ObjectName'] and (contains(., 'C:\Sensitive') or contains(., 'HKLM\SOFTWARE\Company'))]]
    </Select>
  </Query>
</QueryList>
  2. Configure Windows Event Forwarding (WEF) for centralized collection:
    wecutil cs C:\Config\4907-Subscription.xml
    Where the subscription XML includes:
    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>Event4907Collection</SubscriptionId>
    <Description>Collect Event ID 4907 from domain computers</Description>
    <Query><![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Security">Event[System[EventID=4907]]</Select>
            </Query>
        </QueryList>
    ]]></Query>
</Subscription>
  3. Export events for SIEM ingestion using PowerShell:
    # Export to JSON for SIEM consumption
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4907} -MaxEvents 1000
$JsonOutput = $Events | ForEach-Object {
    $Event = [xml]$_.ToXml()
    $EventData = @{}
    $Event.Event.EventData.Data | ForEach-Object {
        $EventData[$_.Name] = $_.'#text'
    }
    [PSCustomObject]@{
        Timestamp = $_.TimeCreated.ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
        EventId = $_.Id
        Level = $_.LevelDisplayName
        Computer = $_.MachineName
        EventData = $EventData
    }
} | ConvertTo-Json -Depth 3

$JsonOutput | Out-File -FilePath "C:\Logs\Event4907_$(Get-Date -Format 'yyyyMMdd_HHmmss').json" -Encoding UTF8
  4. Configure log rotation and retention policies:
    # Set Security log size and retention
$LogName = "Security"
$MaxSize = 1GB
$Retention = "OverwriteOlder"
$RetentionDays = 90

Limit-EventLog -LogName $LogName -MaximumSize $MaxSize -OverflowAction $Retention -RetentionDays $RetentionDays
  5. Create alerting rules for suspicious patterns:
    # Alert on unusual access patterns
$Threshold = 50
$TimeWindow = 10 # minutes
$RecentEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4907; StartTime=(Get-Date).AddMinutes(-$TimeWindow)}

if ($RecentEvents.Count -gt $Threshold) {
    $AlertMessage = "SECURITY ALERT: Unusual object access activity detected. $($RecentEvents.Count) Event ID 4907 occurrences in the last $TimeWindow minutes."
    Write-EventLog -LogName Application -Source "Security Monitor" -EventId 2001 -EntryType Warning -Message $AlertMessage
    
    # Send email notification (configure SMTP settings)
    Send-MailMessage -To "security@company.com" -From "monitoring@company.com" -Subject "Security Alert: High Object Access Volume" -Body $AlertMessage -SmtpServer "smtp.company.com"
}
Warning: High-volume Event ID 4907 logging can impact system performance and storage. Implement proper filtering and log management strategies.

Overview

Event ID 4907 fires when a process requests a handle to a system object such as a file, registry key, process, or thread. This event is part of Windows' object access auditing framework and appears in the Security log when object access auditing is enabled through Group Policy or local security policy. The event captures critical details including the requesting process, target object, access rights requested, and the security context under which the request was made.

This event is essential for security monitoring, compliance auditing, and forensic investigations. It helps administrators track which processes are accessing sensitive system objects and can reveal unauthorized access attempts or suspicious behavior patterns. The event fires before the actual access occurs, making it valuable for real-time security monitoring and access control validation.

Understanding Event ID 4907 is crucial for environments requiring detailed audit trails, such as financial institutions, healthcare organizations, or any environment subject to regulatory compliance requirements like SOX, HIPAA, or PCI-DSS.

Frequently Asked Questions

What does Event ID 4907 mean and when does it occur?+
Event ID 4907 indicates that a process has requested a handle to a system object such as a file, registry key, process, or thread. This event occurs whenever object access auditing is enabled and a process attempts to access an audited object. The event fires before the actual access occurs, providing early visibility into access attempts. It's generated by the Windows Security Auditing subsystem and appears in the Security event log. The event includes details about the requesting process, target object, user context, and specific access rights being requested.
How can I reduce the volume of Event ID 4907 logs without losing security visibility?+
To manage Event ID 4907 volume effectively, implement selective auditing strategies. First, audit only critical objects by configuring System Access Control Lists (SACLs) on specific files, folders, or registry keys rather than enabling system-wide auditing. Use Group Policy to target auditing policies to specific organizational units or computer groups. Configure custom XML filters in Event Viewer to focus on high-priority events. Implement log forwarding to centralize events and use retention policies to manage storage. Consider auditing only 'Failure' events for some objects to catch unauthorized access attempts while reducing successful access noise.
What's the difference between Event ID 4907 and other object access events like 4656?+
Event ID 4907 specifically tracks handle requests to objects, while Event ID 4656 logs when a handle to an object is requested with more detailed access information. Event 4656 includes the actual access mask and whether the request was successful or failed. Event ID 4658 logs when a handle is closed, and Event ID 4660 indicates an object was deleted. Event 4907 is more focused on the initial handle request phase, making it useful for tracking access patterns and potential reconnaissance activities. For comprehensive object access monitoring, these events work together to provide a complete audit trail.
Can Event ID 4907 help detect security threats and how?+
Yes, Event ID 4907 is valuable for threat detection when properly analyzed. It can reveal reconnaissance activities where attackers probe system objects to understand the environment. Unusual access patterns, such as a single user or process accessing many objects in a short timeframe, may indicate malicious activity. Correlating Event 4907 with failed authentication events can identify potential privilege escalation attempts. The event helps detect data exfiltration by monitoring access to sensitive files or directories. Advanced threat detection involves analyzing access patterns, timing correlations, and comparing against baseline behavior to identify anomalies that warrant investigation.
How do I troubleshoot missing Event ID 4907 entries when I expect them to be logged?+
Missing Event ID 4907 entries typically indicate auditing policy issues. First, verify that object access auditing is enabled in Group Policy under Advanced Audit Policy Configuration > Object Access > Audit Handle Manipulation. Check that the specific objects have appropriate System Access Control Lists (SACLs) configured using 'icacls' or PowerShell. Ensure the Security log has sufficient space and isn't being overwritten too quickly. Verify that the user account has the 'Generate security audits' privilege. Use 'auditpol /get /category:"Object Access"' to confirm current audit settings. Test with a known object and process to validate the auditing configuration is working correctly.
Documentation

References (2)

1
Microsoft Learn - Windows Security AuditingComprehensive guide to Windows security auditing including object access events and audit policy configuration.https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/
2
Advanced Security Audit Policy SettingsDetailed documentation on configuring advanced audit policies for object access monitoring and Event ID 4907.https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4907#security-auditing#object-access

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...