Event ID 4964 | Level: Information | Source: Microsoft-Windows-Security-Auditing | Platform: Windows

Windows Event ID 4964 – Microsoft-Windows-Security-Auditing: Object Access Audit Policy Changed

Event ID 4964 logs when object access audit policy settings are modified on Windows systems, indicating changes to file, folder, or registry auditing configuration.

Emanuel DE ALMEIDA
18 March 2026, 9 min read
Event Reference

What This Event Means

Event ID 4964 represents a critical component of Windows security auditing infrastructure. When this event fires, it indicates that someone or something has modified the object access audit policy settings that determine which file, folder, registry, and other object access attempts get logged to the Security event log.

The event contains detailed information about the policy change, including the previous policy state, the new policy state, and the security context under which the change occurred. This granular tracking helps security administrators understand exactly what changed and who initiated the modification.

Object access auditing policies control whether Windows logs successful access attempts, failed access attempts, or both for various object types. These policies are fundamental to security monitoring because they determine the visibility into resource access patterns. Without proper object access auditing, organizations lose critical forensic capabilities and compliance evidence.

The event typically occurs during Group Policy refresh cycles, manual policy changes through Local Security Policy console, or programmatic modifications using tools like auditpol.exe. In enterprise environments, this event often correlates with scheduled Group Policy updates or administrative maintenance windows.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrator manually changing audit policy through Local Security Policy console
  • Group Policy Object (GPO) updates modifying audit policy settings
  • Command-line tools like auditpol.exe being used to modify audit configuration
  • PowerShell scripts or automation tools changing audit policy programmatically
  • Security software or compliance tools adjusting audit settings
  • System restore operations reverting audit policy changes
  • Domain controller policy replication updating local audit settings
Resolution Methods

Troubleshooting Steps

01. Review Event Details in Event Viewer

Start by examining the specific details of the Event ID 4964 occurrence to understand what changed.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. Filter for Event ID 4964 using the Filter Current Log option
  4. Double-click the most recent Event ID 4964 entry to view details
  5. Review the General tab for policy change information including:
    • Subject Security ID (who made the change)
    • Previous Policy State
    • New Policy State
    • Process Information
  6. Check the Details tab for XML view with complete event data
Pro tip: The event details show both the old and new audit policy states in hexadecimal format. Use the Windows audit policy documentation to decode these values.
02. Query Events with PowerShell

Use PowerShell to retrieve and analyze Event ID 4964 occurrences with filtering and formatting capabilities.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 4964 entries:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4964} -MaxEvents 20 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Get detailed information for specific events:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4964} -MaxEvents 10
    foreach ($Event in $Events) {
        $EventXML = [xml]$Event.ToXml()
        $EventData = $EventXML.Event.EventData.Data
        Write-Host "Time: $($Event.TimeCreated)"
        Write-Host "Subject: $($EventData | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text')"
        Write-Host "Previous Policy: $($EventData | Where-Object {$_.Name -eq 'PreviousPolicy'} | Select-Object -ExpandProperty '#text')"
        Write-Host "New Policy: $($EventData | Where-Object {$_.Name -eq 'NewPolicy'} | Select-Object -ExpandProperty '#text')"
        Write-Host "---"
    }
  4. Export events to CSV for analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4964} | Select-Object TimeCreated, Id, LevelDisplayName, UserId, ProcessId, Message | Export-Csv -Path "C:\Temp\Event4964.csv" -NoTypeInformation
03. Check Current Audit Policy Configuration

Verify the current audit policy settings to understand the system's current configuration and compare with historical changes.

  1. Open an elevated Command Prompt (auditpol also runs from an elevated PowerShell session, which step 4 requires)
  2. Display current audit policy settings:
    auditpol /get /category:*
  3. Focus on the object access subcategories (File System, Registry, Kernel Object, SAM, Certification Services, Application Generated and the rest of the category):
    auditpol /get /category:"Object Access"
  4. Check the LSA audit setting in the registry (PowerShell; the path needs the HKLM: drive prefix and the value lives under Control\Lsa):
    Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "AuditBaseObjects" -ErrorAction SilentlyContinue
  5. Review Local Security Policy settings by opening secpol.msc and navigating to Local Policies > Audit Policy
  6. Compare current settings with the policy states recorded in Event ID 4964 to identify discrepancies
Warning: Audit policy changes can significantly impact system performance and log volume. Ensure adequate disk space and log retention policies are in place.
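Step 6 above asks you to compare the live configuration with what was recorded; the following PowerShell script is an added example (not code from the article) that does this comparison mechanically. It parses the CSV that `auditpol /get /category:* /r` prints and reports every subcategory whose Inclusion Setting differs from an expected baseline, which is the "audit policy drift" the Overview mentions. The baseline values and the sample CSV are constructed for illustration; the placeholder GUIDs are not real subcategory identifiers.

```powershell
# Added example, not code from the original article. Parses the CSV that
# `auditpol /get /category:* /r` prints and reports subcategories whose
# "Inclusion Setting" differs from an expected baseline (audit policy drift).
# The baseline and the sample CSV below are constructed for illustration.

function Get-AuditPolicyState {
    param(
        # Lines as printed by `auditpol /get /category:* /r`; defaults to a live
        # query, which needs an elevated session.
        [string[]]$RawCsv = (auditpol /get /category:* /r)
    )
    $RawCsv | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv | ForEach-Object {
        [PSCustomObject]@{
            Subcategory = $_.Subcategory.Trim()
            Setting     = $_.'Inclusion Setting'.Trim()
        }
    }
}

function Compare-AuditPolicyBaseline {
    param(
        # Subcategory name -> expected Inclusion Setting text, e.g. 'Success and Failure'.
        [Parameter(Mandatory)][hashtable]$Baseline,
        [Parameter(Mandatory)][object[]]$Current
    )
    $actualByName = @{}
    foreach ($entry in $Current) { $actualByName[$entry.Subcategory] = $entry.Setting }
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $actual = if ($actualByName.ContainsKey($name)) { $actualByName[$name] } else { '<not reported>' }
        [PSCustomObject]@{
            Subcategory = $name
            Expected    = $Baseline[$name]
            Actual      = $actual
            Drift       = ($actual -ne $Baseline[$name])
        }
    }
}

# Constructed sample output; the header matches what auditpol /r writes, the
# GUIDs are placeholders rather than real subcategory identifiers.
$SampleCsv = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'WS01,System,File System,{00000000-0000-0000-0000-000000000001},Success and Failure,'
    'WS01,System,Registry,{00000000-0000-0000-0000-000000000002},No Auditing,'
    'WS01,System,Kernel Object,{00000000-0000-0000-0000-000000000003},Failure,'
)

# Assumed baseline for the object access subcategories this article focuses on.
$Baseline = @{
    'File System'   = 'Success and Failure'
    'Registry'      = 'Success and Failure'
    'Kernel Object' = 'Failure'
    'SAM'           = 'Failure'
}

# Offline run against the sample: Registry has drifted and SAM is not reported.
Compare-AuditPolicyBaseline -Baseline $Baseline -Current (Get-AuditPolicyState -RawCsv $SampleCsv) |
    Where-Object Drift | Format-Table -AutoSize

# Live run (elevated session):
# Compare-AuditPolicyBaseline -Baseline $Baseline -Current (Get-AuditPolicyState)
```

Keep the baseline in version control next to the GPO that is supposed to enforce it; a drift row whose timestamp lines up with a 4964 entry tells you which change the event recorded, and a drift row with no matching event is worth a closer look.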
04. Investigate Group Policy Sources

Determine if the audit policy changes originated from Group Policy updates and identify the source GPO.

  1. Check Group Policy application events:
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=1502,1503} -MaxEvents 20 | Where-Object {$_.TimeCreated -gt (Get-Date).AddHours(-24)}
  2. Review Group Policy processing for audit policy:
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-GroupPolicy/Operational'} -MaxEvents 50 | Where-Object {$_.Message -like "*audit*"}
  3. Use Group Policy Results to identify applied policies:
    gpresult /h C:\Temp\GPResult.html /f
  4. Check specific audit policy GPO settings:
    gpresult /z | findstr /i "audit"
  5. Review domain controller event logs if in domain environment:
    Get-WinEvent -ComputerName "DC01" -FilterHashtable @{LogName='Security'; Id=4719} -MaxEvents 10
  6. Examine GPO modification events on domain controllers:
    Get-WinEvent -ComputerName "DC01" -FilterHashtable @{LogName='Security'; Id=5136,5137,5141} | Where-Object {$_.Message -like "*audit*"}
05. Advanced Correlation and Forensic Analysis

Perform comprehensive analysis to correlate Event ID 4964 with other security events and identify potential security implications.

  1. Create a timeline of related security events (one query carries all three IDs; -ErrorAction keeps Get-WinEvent quiet when nothing matches):
    $StartTime = (Get-Date).AddDays(-7)
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4964,4719,4902; StartTime=$StartTime} -ErrorAction SilentlyContinue
    $Events | Sort-Object TimeCreated | Format-Table TimeCreated, Id, Message -Wrap
  2. Check for privilege-related events (4672/4673/4674) in the hour around each policy change, using the 4964 events collected in step 1 as anchors rather than a fixed window seven days back:
    foreach ($Change in ($Events | Where-Object Id -eq 4964)) {
        Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672,4673,4674; StartTime=$Change.TimeCreated.AddMinutes(-30); EndTime=$Change.TimeCreated.AddMinutes(30)} -ErrorAction SilentlyContinue
    }
  3. Analyze process creation events for audit policy tools:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} | Where-Object {$_.Message -like "*auditpol*" -or $_.Message -like "*secpol*"}
  4. Review registry access events for audit policy keys:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4657} | Where-Object {$_.Message -like "*CurrentControlSet\Control\Lsa\Audit*"}
  5. Generate a comprehensive audit policy change report (collect the objects straight from the pipeline instead of appending to an array):
    $Report = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4964} -ErrorAction SilentlyContinue | ForEach-Object {
        $EventXML = [xml]$_.ToXml()
        $EventData = $EventXML.Event.EventData.Data
        [PSCustomObject]@{
            TimeCreated    = $_.TimeCreated
            User           = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
            Domain         = ($EventData | Where-Object {$_.Name -eq 'SubjectDomainName'}).'#text'
            ProcessName    = ($EventData | Where-Object {$_.Name -eq 'ProcessName'}).'#text'
            PreviousPolicy = ($EventData | Where-Object {$_.Name -eq 'PreviousPolicy'}).'#text'
            NewPolicy      = ($EventData | Where-Object {$_.Name -eq 'NewPolicy'}).'#text'
        }
    }
    $Report | Export-Csv -Path "C:\Temp\AuditPolicyChanges.csv" -NoTypeInformation
Pro tip: Correlate Event ID 4964 with logon events (4624/4625) to identify if policy changes occurred during suspicious login sessions.
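The queries in methods 2 and 5 extract the event fields by hand each time. The script below is an added example (not code from the article) that turns an Event ID 4964 XML record into an object once and then applies the checks the FAQ recommends: was the change made by an approved account, by an approved process, and inside a maintenance window? The two events are constructed samples that use the field names the article describes (SubjectUserName, SubjectDomainName, ProcessName, PreviousPolicy, NewPolicy); the approved lists, the window hours and the hexadecimal policy values are assumptions chosen for illustration.

```powershell
# Added example, not code from the original article. Converts Event ID 4964 XML
# into objects and flags changes that come from an unapproved account or process
# or fall outside a maintenance window. The two events below are constructed
# samples using the field names the article describes; the approved lists,
# window hours and policy values are assumptions for illustration.

function ConvertFrom-SecurityEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    # Collect every <Data Name="..."> field so the object does not depend on field order.
    foreach ($d in @($doc.Event.EventData.Data)) {
        if ($null -ne $d) { $data[$d.Name] = $d.'#text' }
    }
    [PSCustomObject]@{
        TimeCreated = [DateTimeOffset]::Parse($doc.Event.System.TimeCreated.SystemTime).UtcDateTime
        EventId     = [int]$doc.Event.System.EventID
        Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Process     = $data['ProcessName']
        Previous    = $data['PreviousPolicy']
        New         = $data['NewPolicy']
    }
}

function Get-AuditPolicyChangeVerdict {
    param(
        [Parameter(Mandatory)]$Record,
        # Assumed allow-lists: the GPO service account and the Group Policy client (svchost).
        [string[]]$ApprovedSubjects  = @('CORP\svc-gpo'),
        [string[]]$ApprovedProcesses = @('C:\Windows\System32\svchost.exe'),
        # Assumed maintenance window, 01:00-04:00 UTC.
        [int]$WindowStartHourUtc = 1,
        [int]$WindowEndHourUtc   = 4
    )
    $reasons = @()
    if ($ApprovedSubjects  -notcontains $Record.Subject) { $reasons += "subject $($Record.Subject) not approved" }
    if ($ApprovedProcesses -notcontains $Record.Process) { $reasons += "process $($Record.Process) not approved" }
    $hour = $Record.TimeCreated.Hour
    if ($hour -lt $WindowStartHourUtc -or $hour -ge $WindowEndHourUtc) { $reasons += 'outside maintenance window' }
    [PSCustomObject]@{
        TimeCreated = $Record.TimeCreated
        Subject     = $Record.Subject
        Process     = $Record.Process
        Change      = "$($Record.Previous) -> $($Record.New)"
        Suspicious  = ($reasons.Count -gt 0)
        Reasons     = ($reasons -join '; ')
    }
}

# Constructed sample events (not real log data). The first is a Group Policy
# refresh inside the window; the second is a midday change by an ordinary user.
$SampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4964</EventID><TimeCreated SystemTime="2026-03-18T02:15:00.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">svc-gpo</Data><Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="PreviousPolicy">0x0</Data><Data Name="NewPolicy">0x3</Data>
  </EventData>
</Event>
'@
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4964</EventID><TimeCreated SystemTime="2026-03-18T14:42:00.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
    <Data Name="ProcessName">C:\Windows\System32\auditpol.exe</Data>
    <Data Name="PreviousPolicy">0x3</Data><Data Name="NewPolicy">0x0</Data>
  </EventData>
</Event>
'@
)

# Offline run: the first record passes, the second is flagged for all three reasons.
$SampleEvents | ForEach-Object { Get-AuditPolicyChangeVerdict -Record (ConvertFrom-SecurityEventXml -Xml $_) } |
    Format-Table -AutoSize

# Live use:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4964} |
#     ForEach-Object { Get-AuditPolicyChangeVerdict -Record (ConvertFrom-SecurityEventXml -Xml $_.ToXml()) }
```

The verdict object is deliberately flat so it can be exported with Export-Csv or forwarded to a SIEM as-is; pair the Subject field with the 4624 logon that created that session, as the pro tip above suggests, to confirm the authentication context behind a flagged change.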

Overview

Event ID 4964 fires when Windows detects changes to object access audit policy settings. This security audit event tracks modifications to auditing policies that control whether the system logs access attempts to files, folders, registry keys, and other securable objects. The event appears in the Security log whenever an administrator or automated process modifies audit policy settings through Group Policy, Local Security Policy, or command-line tools like auditpol.exe.

This event is crucial for security monitoring because object access auditing controls visibility into who accesses sensitive resources. Changes to these policies can indicate legitimate administrative actions or potential security policy tampering. The event captures both the old and new policy states, providing a complete audit trail of policy modifications.

Windows generates this event on domain controllers, member servers, and workstations when audit policy changes occur locally or through Group Policy application. Security teams rely on this event to track audit policy drift and ensure compliance with organizational security requirements.

Frequently Asked Questions

What does Event ID 4964 mean and why is it important?
Event ID 4964 indicates that object access audit policy settings have been modified on the Windows system. This event is critical for security monitoring because it tracks changes to policies that control whether Windows logs access attempts to files, folders, registry keys, and other securable objects. These audit policies are fundamental to forensic capabilities and compliance requirements, so tracking their changes helps detect both legitimate administrative actions and potential security policy tampering.
How can I determine who changed the audit policy when Event ID 4964 appears?
The Event ID 4964 details contain the Subject Security ID and Subject User Name fields that identify who made the change. You can find this information in Event Viewer by double-clicking the event and reviewing the General tab, or use PowerShell to extract the SubjectUserName and SubjectDomainName from the event data. Additionally, check for correlating events like 4688 (process creation) to see if tools like auditpol.exe were used, and review 4624 (logon) events to understand the authentication context.
Is Event ID 4964 normal to see in enterprise environments?
Yes, Event ID 4964 is normal in enterprise environments, especially during Group Policy refresh cycles or scheduled maintenance windows. It commonly appears when Group Policy Objects containing audit policy settings are updated and applied to systems. However, unexpected occurrences outside of maintenance windows or changes made by unauthorized users should be investigated. The frequency depends on your organization's Group Policy update schedule and audit policy management practices.
What should I do if I see frequent Event ID 4964 occurrences?
Frequent Event ID 4964 occurrences may indicate Group Policy processing issues, conflicting GPOs, or potential security concerns. First, correlate the events with Group Policy refresh cycles using Event ID 1502/1503 in the System log. Check if multiple GPOs are applying conflicting audit policies. Review the timing patterns - if changes occur outside normal maintenance windows, investigate the source. Use gpresult to identify which GPOs are applying audit policies and ensure they align with your security requirements. Consider implementing change control processes for audit policy modifications.
How can I prevent unauthorized changes to audit policies that trigger Event ID 4964?
To prevent unauthorized audit policy changes, implement several security controls: restrict membership in groups with audit policy privileges (like Administrators and Backup Operators), use Group Policy to enforce audit policy settings from a central location, enable audit policy change monitoring through Event ID 4964 alerting, implement proper change management processes for GPO modifications, and consider using security baselines to maintain consistent audit configurations. Additionally, monitor for unusual patterns in Event ID 4964 occurrences and correlate them with other security events to detect potential policy tampering attempts.

Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
