ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard showing Event Viewer with security audit logs and object access events
Event ID 5484InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 5484 – Microsoft-Windows-Security-Auditing: A handle to an object was requested

Event ID 5484 records when a process requests a handle to an object in Windows. This security audit event tracks object access attempts for compliance and security monitoring purposes.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 5484Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 5484 represents a fundamental component of Windows' security auditing infrastructure. When enabled, this event provides detailed tracking of object handle requests across the system. The event captures the security context of the requesting process, including the user account, process ID, and authentication details.

The event structure includes critical fields such as the Subject (who made the request), the Object (what was accessed), the Handle ID (unique identifier for the handle), and the Access Mask (specific permissions requested). This granular detail makes Event ID 5484 invaluable for security investigations, compliance reporting, and behavioral analysis of system processes.

Windows generates this event through the Local Security Authority (LSA) subsystem when object access auditing policies are configured. The event timing occurs at the moment a handle request is processed, before the actual object access takes place. This means you can detect access attempts even if they ultimately fail due to insufficient permissions.

In enterprise environments, Event ID 5484 serves as a cornerstone for detecting privilege escalation attempts, unauthorized file access, and suspicious process behavior. However, the high volume of these events requires careful filtering and analysis to extract meaningful security intelligence from the audit trail.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Process attempting to open a file handle with specific access rights
  • Application requesting access to registry keys under audit scope
  • Service or system process accessing monitored objects during normal operations
  • User-initiated file operations triggering object access auditing
  • Security software or antivirus engines scanning monitored directories
  • Backup software accessing files and folders under audit policy
  • Administrative tools accessing system objects for management tasks
  • Malicious processes attempting unauthorized object access
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 5484 to understand the context of the object access request.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 5484 by right-clicking the Security log and selecting Filter Current Log
  4. Enter 5484 in the Event IDs field and click OK
  5. Double-click on a 5484 event to view detailed information including:
    • Subject: User account and process making the request
    • Object: Target object name and type
    • Handle ID: Unique identifier for the handle
    • Access Mask: Specific permissions requested
  6. Note the Process Name and Process ID to correlate with other events
  7. Check the Access Mask value to understand what permissions were requested
Pro tip: The Access Mask field uses hexadecimal values. Common values include 0x1 (read), 0x2 (write), 0x20 (execute), and 0x40000 (write DAC).
02

Filter Events Using PowerShell

Use PowerShell to efficiently filter and analyze Event ID 5484 occurrences with specific criteria.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 5484 entries:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5484} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter events by specific process name:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5484} | Where-Object {$_.Message -like '*notepad.exe*'} | Select-Object TimeCreated, Message
  4. Search for events from a specific user account:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5484} | Where-Object {$_.Message -like '*DOMAIN\username*'} | Format-Table TimeCreated, Id -AutoSize
  5. Export filtered results to CSV for analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5484; StartTime=(Get-Date).AddHours(-24)} | Select-Object TimeCreated, Id, Message | Export-Csv -Path 'C:\temp\Event5484_Analysis.csv' -NoTypeInformation
  6. Count events by process name:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5484} | ForEach-Object {($_.Message -split '\n' | Select-String 'Process Name:').ToString().Split('\t')[-1]} | Group-Object | Sort-Object Count -Descending
Warning: Querying large numbers of security events can impact system performance. Use time filters and limit results when possible.
03

Configure Object Access Auditing Policy

Adjust the object access auditing policy to control when Event ID 5484 is generated and reduce noise.

  1. Open Group Policy Management Console or Local Group Policy Editor (gpedit.msc)
  2. Navigate to Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy ConfigurationObject Access
  3. Configure Audit File System policy:
    • Double-click Audit File System
    • Check Configure the following audit events
    • Select Success and/or Failure based on requirements
    • Click OK
  4. Set specific folder auditing using Advanced Security Settings:
    • Right-click the target folder and select Properties
    • Go to Security tab → AdvancedAuditing tab
    • Click Add to create new audit entry
    • Select principal (user/group) and configure access types to audit
  5. Apply policy changes:
    gpupdate /force
  6. Verify policy application:
    auditpol /get /subcategory:"File System"
Pro tip: Enable auditing only for critical directories to avoid log flooding. Consider using Global Object Access Auditing (GOAA) for centralized policy management.
04

Correlate with Process Creation Events

Cross-reference Event ID 5484 with process creation events to build a complete picture of system activity.

  1. Enable process creation auditing if not already configured:
    auditpol /set /subcategory:"Process Creation" /success:enable
  2. Query correlated events using PowerShell:
    # Get Event ID 5484 with process details
$ObjectAccess = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5484; StartTime=(Get-Date).AddHours(-1)}

# Get Process Creation events (4688)
$ProcessCreation = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddHours(-1)}

# Correlate by Process ID
$ObjectAccess | ForEach-Object {
    $ProcessId = ($_.Message -split '\n' | Select-String 'Process ID:').ToString().Split('\t')[-1]
    $RelatedProcess = $ProcessCreation | Where-Object {$_.Message -like "*$ProcessId*"}
    if ($RelatedProcess) {
        Write-Output "Object Access: $($_.TimeCreated) - Process: $ProcessId"
        Write-Output "Process Creation: $($RelatedProcess.TimeCreated)"
    }
}
  3. Create a timeline analysis script:
    # Timeline correlation script
$Events = @()
$Events += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688,5484; StartTime=(Get-Date).AddHours(-2)} | Select-Object TimeCreated, Id, Message
$Events | Sort-Object TimeCreated | Format-Table TimeCreated, Id -AutoSize
  4. Check for suspicious patterns:
    • Multiple handle requests from the same process in short timeframes
    • Unusual processes accessing sensitive directories
    • Handle requests with elevated access masks from non-administrative processes
  5. Export correlation data for further analysis:
    $CorrelatedEvents | Export-Csv -Path 'C:\temp\ProcessCorrelation.csv' -NoTypeInformation
05

Advanced Analysis with Custom Filtering

Implement advanced filtering and analysis techniques to identify security-relevant Event ID 5484 patterns.

  1. Create a custom PowerShell function for detailed analysis:
    function Analyze-Event5484 {
    param(
        [int]$Hours = 24,
        [string]$ProcessFilter = '*',
        [string]$ObjectFilter = '*'
    )
    
    $Events = Get-WinEvent -FilterHashtable @{
        LogName='Security'
        Id=5484
        StartTime=(Get-Date).AddHours(-$Hours)
    }
    
    $Analysis = $Events | ForEach-Object {
        $Message = $_.Message
        $ProcessName = ($Message -split '\n' | Select-String 'Process Name:').ToString().Split('\t')[-1]
        $ObjectName = ($Message -split '\n' | Select-String 'Object Name:').ToString().Split('\t')[-1]
        $AccessMask = ($Message -split '\n' | Select-String 'Access Mask:').ToString().Split('\t')[-1]
        
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            ProcessName = $ProcessName
            ObjectName = $ObjectName
            AccessMask = $AccessMask
            EventId = $_.Id
        }
    } | Where-Object {
        $_.ProcessName -like $ProcessFilter -and $_.ObjectName -like $ObjectFilter
    }
    
    return $Analysis
}
  2. Use the function to analyze specific patterns:
    # Analyze suspicious executable access
$SuspiciousAccess = Analyze-Event5484 -Hours 12 -ObjectFilter '*.exe'
$SuspiciousAccess | Group-Object ProcessName | Sort-Object Count -Descending

# Check for registry access patterns
$RegistryAccess = Analyze-Event5484 -Hours 6 -ObjectFilter '*\Registry\*'
$RegistryAccess | Format-Table TimeCreated, ProcessName, ObjectName -AutoSize
  3. Implement threshold-based alerting:
    # Alert on high-frequency access patterns
$ThresholdEvents = Analyze-Event5484 -Hours 1
$FrequentAccess = $ThresholdEvents | Group-Object ProcessName | Where-Object {$_.Count -gt 100}
if ($FrequentAccess) {
    Write-Warning "High frequency object access detected from: $($FrequentAccess.Name -join ', ')"
}
  4. Set up automated monitoring with Task Scheduler:
    • Create a PowerShell script with your analysis logic
    • Use Task Scheduler to run the script at regular intervals
    • Configure email alerts or log file outputs for detected anomalies
  5. Review and tune filtering rules based on baseline behavior:
    # Establish baseline patterns
$Baseline = Analyze-Event5484 -Hours 168 | Group-Object ProcessName, ObjectName | Sort-Object Count -Descending
$Baseline | Select-Object Name, Count | Export-Csv -Path 'C:\temp\Event5484_Baseline.csv'
Warning: High-volume Event ID 5484 logging can significantly impact system performance and log storage. Implement retention policies and consider using Windows Event Forwarding for centralized collection.

Overview

Event ID 5484 is a security audit event generated by the Windows Security subsystem when a process requests a handle to an object. This event fires as part of Windows' object access auditing mechanism, which tracks attempts to access files, registry keys, processes, and other system objects. The event captures detailed information about the requesting process, the target object, and the access rights being requested.

This event is particularly valuable for security administrators monitoring unauthorized access attempts, compliance auditing, and forensic investigations. It fires when object access auditing is enabled through Group Policy and a process attempts to obtain a handle to a monitored object. The event provides granular visibility into which processes are accessing what resources and with what permissions.

You'll find these events in the Security log, and they can generate significant volume on busy systems. Understanding how to filter and analyze Event ID 5484 is crucial for effective security monitoring without overwhelming your log analysis tools with excessive noise.

Frequently Asked Questions

What does Event ID 5484 mean and when should I be concerned?+
Event ID 5484 indicates that a process has requested a handle to an object (file, registry key, etc.) in Windows. You should be concerned when you see unusual patterns such as non-administrative processes accessing sensitive system files, high-frequency access attempts from unknown processes, or access requests with elevated permissions that don't match normal application behavior. The event itself is informational and part of normal system operation, but anomalous patterns can indicate security threats or misconfigurations.
How can I reduce the volume of Event ID 5484 without losing security visibility?+
To reduce Event ID 5484 volume while maintaining security oversight, configure selective object access auditing through Group Policy. Focus auditing on critical directories like System32, Program Files, and sensitive data folders rather than auditing all file system access. Use Global Object Access Auditing (GOAA) to apply centralized policies, and implement filtering at the collection level using Windows Event Forwarding subscriptions. Consider auditing only 'Failure' events for broad monitoring and 'Success' events for specific high-value targets.
What information is contained in the Access Mask field of Event ID 5484?+
The Access Mask field in Event ID 5484 contains a hexadecimal value representing the specific permissions requested for the object handle. Common values include: 0x1 (FILE_READ_DATA), 0x2 (FILE_WRITE_DATA), 0x4 (FILE_APPEND_DATA), 0x20 (FILE_EXECUTE), 0x80 (FILE_READ_ATTRIBUTES), 0x40000 (WRITE_DAC - modify permissions), and 0x80000 (WRITE_OWNER). Multiple permissions are combined using bitwise OR operations. Understanding these values helps determine whether the access request is legitimate or potentially suspicious.
Can Event ID 5484 help detect malware or unauthorized access attempts?+
Yes, Event ID 5484 is valuable for detecting malware and unauthorized access. Look for patterns such as: processes accessing multiple sensitive files in rapid succession, unknown executables requesting handles to system directories, processes with suspicious names accessing configuration files, or access attempts with unusual permission combinations. Correlate these events with process creation (Event ID 4688) and logon events to build a complete attack timeline. However, effective detection requires establishing baseline behavior and implementing proper filtering to avoid false positives.
How do I correlate Event ID 5484 with other Windows security events for investigation?+
Correlate Event ID 5484 with other security events using Process ID, user account, and timestamps. Key correlations include: Event ID 4688 (process creation) to identify when suspicious processes started, Event ID 4624/4625 (logon events) to track user context, Event ID 4656 (handle requested) for additional object access details, and Event ID 4658 (handle closed) to see the complete access lifecycle. Use PowerShell to extract Process IDs and timestamps, then cross-reference across event logs. Tools like Windows Event Forwarding and SIEM solutions can automate this correlation for enterprise environments.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events and configurationhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Advanced Security Audit Policy SettingsOfficial documentation for configuring advanced audit policies in Windowshttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-5484#security-auditing#object-access

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...