
Windows Event ID 4912 – Microsoft-Windows-Kernel-General: Object Manager Symbolic Link Creation

Event ID 4912 logs when the Windows Object Manager creates symbolic links in the kernel namespace, typically during system startup or driver initialization processes.

Emanuel DE ALMEIDA
18 March 2026 · 9 min read

What This Event Means

The Windows Object Manager maintains a unified namespace for all kernel objects including devices, drivers, sections, and other system resources. Symbolic links in this namespace provide indirection layers that allow objects to be referenced by multiple names or provide compatibility mappings between different naming conventions.

Event ID 4912 specifically tracks the creation of these kernel symbolic links, which differs from filesystem symbolic links. These kernel-level symbolic links are created through the ZwCreateSymbolicLinkObject system call and are essential for proper device driver operation and system resource management.

The event data includes the symbolic link name (typically in the format \??\DeviceName or \Global??\DeviceName), the target object path, and security context information. This information proves valuable for system administrators monitoring kernel namespace changes, security professionals investigating potential privilege escalation attempts, and developers debugging driver installation issues.

In Windows 11 2026 updates, Microsoft enhanced the logging detail to include additional process context and improved correlation with related kernel events, making it easier to track the complete lifecycle of kernel object operations during system troubleshooting scenarios.

Applies to

  • Windows 10
  • Windows 11
  • Windows Server 2019/2022/2025

Possible Causes

  • Device driver initialization creating symbolic links for hardware access
  • System startup processes establishing kernel object namespace mappings
  • Application installation requiring kernel-level device access
  • Windows service startup creating necessary kernel object references
  • Virtual device creation by virtualization software or containers
  • Security software installing kernel-mode components with symbolic link requirements
  • System restore operations recreating kernel namespace structures
Resolution Methods

Troubleshooting Steps

Step 1. Review Event Details in Event Viewer

Start by examining the specific event details to understand which symbolic link was created and by which process.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > System
  3. Filter for Event ID 4912 by right-clicking the System log and selecting Filter Current Log
  4. Enter 4912 in the Event IDs field and click OK
  5. Double-click on a 4912 event to view detailed information including:
    • Symbolic link name and target path
    • Process ID and security context
    • Timestamp correlation with other system events
Pro tip: Look for patterns in the symbolic link names - device-related links often follow the \??\DeviceName format while global namespace links use \Global??\ObjectName.
Step 2. Query Events with PowerShell for Pattern Analysis

Use PowerShell to analyze multiple 4912 events and identify patterns or anomalies in symbolic link creation.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 4912 entries:
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=4912} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. For more detailed analysis, extract specific event data:
    $events = Get-WinEvent -FilterHashtable @{LogName='System'; Id=4912} -MaxEvents 100
    $events | ForEach-Object {
        $xml = [xml]$_.ToXml()
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            ProcessId = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessId'} | Select-Object -ExpandProperty '#text'
            SymbolicLinkName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SymbolicLinkName'} | Select-Object -ExpandProperty '#text'
            TargetName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetName'} | Select-Object -ExpandProperty '#text'
        }
    } | Format-Table -AutoSize
  4. Export results for further analysis:
    $events | Export-Csv -Path "C:\Temp\Event4912_Analysis.csv" -NoTypeInformation
Warning: High volumes of 4912 events during normal operation are expected. Focus on unusual patterns or events occurring outside normal system startup timeframes.
Step 3. Correlate with Process and Driver Activity

Cross-reference Event ID 4912 with process creation and driver loading events to understand the complete context.

  1. Enable additional logging if not already active:
    wevtutil sl Microsoft-Windows-Kernel-General/Analytic /e:true
  2. Query correlated events around the same timeframe:
    # Get 4912 events with surrounding context
    $startTime = (Get-Date).AddHours(-1)
    $endTime = Get-Date
    
    # Query multiple event sources
    $kernelEvents = Get-WinEvent -FilterHashtable @{
        LogName='System'
        Id=4912,7034,7035,7036
        StartTime=$startTime
        EndTime=$endTime
    } | Sort-Object TimeCreated
  3. Check for driver loading events that might correlate:
    Get-WinEvent -FilterHashtable @{
        LogName='System'
        Id=219  # Driver loading events
        StartTime=$startTime
        EndTime=$endTime
    }
  4. Review process creation events from Security log (if audit policy enabled):
    Get-WinEvent -FilterHashtable @{
        LogName='Security'
        Id=4688  # Process creation
        StartTime=$startTime
        EndTime=$endTime
    } -ErrorAction SilentlyContinue

This correlation helps identify whether symbolic link creation is part of legitimate system operations or potentially suspicious activity.
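The correlation described in this step, written out as an added example (not code from the original article): each 4912 event is joined to the Security 4688 record with the same process ID, so the symbolic link is shown next to the image that requested it. The EventData field names SymbolicLinkName and TargetName are taken from the article, the process ID comes from the event's System/Execution section, and 4688 auditing is assumed to be enabled.

```powershell
# Added example, not from the original article: join 4912 symbolic link events
# with Security 4688 process-creation events so each link is tied to the image
# that created it. EventData field names SymbolicLinkName/TargetName follow the
# article; the process ID is read from the event's System/Execution section.
$start = (Get-Date).AddHours(-1)

function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4688 stores NewProcessId as a hex string (e.g. 0x1a4); [int] accepts the 0x form.
$procs = @{}
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4688; StartTime=$start } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $procId = [int](Get-EventDataField $_ 'NewProcessId')
        $procs[$procId] = [PSCustomObject]@{
            Image   = Get-EventDataField $_ 'NewProcessName'
            Parent  = Get-EventDataField $_ 'ParentProcessName'
            Created = $_.TimeCreated
        }
    }

Get-WinEvent -FilterHashtable @{ LogName='System'; Id=4912; StartTime=$start } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $link   = [string](Get-EventDataField $_ 'SymbolicLinkName')
        $target = [string](Get-EventDataField $_ 'TargetName')
        $p      = $procs[[int]$_.ProcessId]
        [PSCustomObject]@{
            Time      = $_.TimeCreated
            ProcessId = $_.ProcessId
            # Null when the creator started before the window or 4688 auditing is off
            Image     = if ($p) { $p.Image } else { $null }
            Parent    = if ($p) { $p.Parent } else { $null }
            Link      = $link
            Target    = $target
            # '?' is a wildcard for -like, so the prefixes are tested with StartsWith;
            # a link outside the two namespaces the article names deserves a closer look
            Unusual   = -not ($link.StartsWith('\??\') -or $link.StartsWith('\Global??\'))
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Process IDs are reused, so on a long window the lookup keeps only the most recent 4688 record for each ID; narrow `$start` or compare `Created` against `Time` when an image looks wrong.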

Step 4. Monitor Kernel Object Namespace Changes

Use advanced tools to monitor the kernel object namespace and understand the impact of symbolic link creation.

  1. Download and run WinObj from Microsoft Sysinternals:
    # Download WinObj (ensure you get it from official Microsoft source)
    Invoke-WebRequest -Uri "https://live.sysinternals.com/Winobj.exe" -OutFile "C:\Tools\Winobj.exe"
  2. Launch WinObj to browse the kernel object namespace and locate recently created symbolic links
  3. Use Process Monitor (ProcMon) to track object access patterns:
    # Download ProcMon
    Invoke-WebRequest -Uri "https://live.sysinternals.com/Procmon.exe" -OutFile "C:\Tools\Procmon.exe"
  4. Configure ProcMon filters to show only object manager operations:
    • Set Process and Thread Activity to Show
    • Add filter: Operation contains CreateFile
    • Add filter: Path begins with \??\ or \Global??\
  5. For programmatic monitoring, use WMI to track object creation:
    Register-WmiEvent -Query "SELECT * FROM Win32_SystemTrace WHERE EventType = 'ObjectCreate'" -Action {
        $Event = $Event.SourceEventArgs.NewEvent
        Write-Host "Object created: $($Event.ObjectName) at $($Event.TimeCreated)"
    }
Pro tip: The \??\ prefix indicates the local device namespace, while \Global??\ indicates the global namespace visible to all sessions.
Step 5. Advanced ETW Tracing for Kernel Object Operations

Implement Event Tracing for Windows (ETW) to capture detailed kernel object manager operations including symbolic link creation.

  1. Create an ETW trace session for kernel object operations:
    # Start ETW trace for Object Manager
    logman create trace "ObjectManagerTrace" -p "Microsoft-Windows-Kernel-General" 0xFFFFFFFF 0xFF -o C:\Traces\ObjectManager.etl -ets
  2. Configure additional providers for comprehensive tracking:
    # Add kernel process provider
    logman update trace "ObjectManagerTrace" -p "Microsoft-Windows-Kernel-Process" 0xFFFFFFFF 0xFF -ets
    
    # Add file system provider for device access correlation
    logman update trace "ObjectManagerTrace" -p "Microsoft-Windows-Kernel-File" 0xFFFFFFFF 0xFF -ets
  3. Let the trace run during the period when 4912 events occur, then stop it:
    logman stop "ObjectManagerTrace" -ets
  4. Analyze the ETW trace using Windows Performance Analyzer (WPA) or convert to readable format:
    # Convert ETL to CSV for analysis
    tracerpt C:\Traces\ObjectManager.etl -o C:\Traces\ObjectManager.csv -of CSV
  5. Parse the trace data for symbolic link operations:
    # PowerShell script to parse relevant events
    $traceData = Import-Csv "C:\Traces\ObjectManager.csv"
    $symbolicLinkEvents = $traceData | Where-Object {
        $_.EventName -like "*SymbolicLink*" -or 
        $_.EventName -like "*ObjectCreate*"
    } | Select-Object TimeStamp, ProcessName, EventName, Details
Warning: ETW tracing can generate large amounts of data and may impact system performance. Use targeted providers and time-limited sessions for production systems.

Overview

Event ID 4912 fires when the Windows Object Manager creates symbolic links within the kernel's object namespace. This event is part of the Microsoft-Windows-Kernel-General provider and appears in the System log during normal system operations. The Object Manager maintains a hierarchical namespace for kernel objects, and symbolic links provide redirection mechanisms similar to filesystem shortcuts but at the kernel level.

These events typically occur during system startup when drivers initialize and create necessary symbolic links for device access, or when applications request kernel object symbolic link creation through documented APIs. The event contains details about the symbolic link name, target object, and the process responsible for the creation request.

While this is an informational event indicating normal kernel operations, monitoring these events helps track kernel namespace changes and can assist in troubleshooting device driver issues or security investigations involving kernel object manipulation. System administrators often see clusters of these events during boot sequences or when installing new hardware drivers.

Frequently Asked Questions

What does Event ID 4912 mean and is it normal to see these events?
Event ID 4912 indicates that the Windows Object Manager has created a symbolic link in the kernel namespace. This is completely normal and occurs regularly during system startup, driver initialization, and when applications request kernel-level device access. These events are informational and indicate proper system operation. You'll typically see clusters of these events during boot sequences or when installing new hardware drivers.
How can I determine which process or driver is creating symbolic links?
The Event ID 4912 details include process context information. Use PowerShell to extract this data: Get-WinEvent -FilterHashtable @{LogName='System'; Id=4912} and examine the event XML data for ProcessId and security context. Cross-reference the ProcessId with Task Manager or Process Explorer to identify the specific application or service. You can also correlate these events with Event ID 4688 (process creation) from the Security log if process auditing is enabled.
Should I be concerned about high volumes of Event ID 4912?
High volumes during system startup or driver installation are normal. However, continuous high-frequency 4912 events during steady-state operation might indicate a misbehaving driver or application repeatedly creating and destroying symbolic links. Monitor the symbolic link names and target paths - legitimate system operations typically create predictable device-related links (\??\DeviceName format), while unusual or random-looking names might warrant investigation.
Can Event ID 4912 help with troubleshooting device driver issues?
Yes, Event ID 4912 is valuable for driver troubleshooting. When drivers fail to load or devices aren't recognized, check if the expected symbolic links are being created. Missing 4912 events for specific device types during startup might indicate driver installation problems. Compare the symbolic link names and targets with known working systems to identify discrepancies. The event timing also helps correlate driver loading sequences with device availability.
How do I filter Event ID 4912 to focus on specific devices or applications?
Use PowerShell with custom filtering based on the symbolic link names or target paths. For example, to focus on USB devices: Get-WinEvent -FilterHashtable @{LogName='System'; Id=4912} | Where-Object {$_.Message -like '*USB*'}. You can also filter by process ID if you know which application you're investigating. For ongoing monitoring, create a custom Event Viewer view with XML filtering to show only 4912 events matching specific criteria like symbolic link name patterns or time ranges.
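The XML filter mentioned in this answer, as an added example (not from the original article): the query selects only 4912 events from the Kernel-General provider in the last 24 hours and works both with Get-WinEvent -FilterXml and pasted into the XML tab of an Event Viewer custom view. The field name SymbolicLinkName and the sample pattern '*USB*' are assumptions; the event log XPath subset has no contains() or starts-with(), so the name pattern is applied afterwards with Where-Object.

```powershell
# Added example, not from the original article: server-side XML filter for 4912
# events from the last 24 hours, followed by a client-side link-name match because
# the event log XPath subset does not support string functions such as contains().
$pattern = '*USB*'   # assumption: adjust to the device or link name under investigation
$query = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[Provider[@Name='Microsoft-Windows-Kernel-General']
        and EventID=4912
        and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]
    </Select>
  </Query>
</QueryList>
'@

Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        # Field name follows the article; check the event XML on your build if it differs
        $link = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'SymbolicLinkName' }).'#text'
        [PSCustomObject]@{ Time = $_.TimeCreated; ProcessId = $_.ProcessId; Link = $link }
    } |
    Where-Object { $_.Link -like $pattern } |
    Format-Table -AutoSize
```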
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
