Windows 10 Security Event log full of malformed (mostly 4656) events.

  • Question

  • After filtering the undesirable object access events (those generated by the system or that cannot be tied to a user), I end up with something like the following events (displayed sanitized below) in Event Viewer.

    This event is not displayed correctly because the underlying XML is not well formed. Below is the raw text of the event.

    <event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><system><provider guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" name="Microsoft-Windows-Security-Auditing"><eventid>4656</eventid><version>1</version><level>0</level><task>12800</task><opcode>0</opcode><keywords>0x8020000000000000</keywords><timecreated systemtime="2016-09-13T05:33:32.227478700Z"><eventrecordid>402803495</eventrecordid><correlation><execution processid="4" threadid="3988"><channel>Security</channel><computer>Desktop</computer><security></security></execution></correlation></timecreated></provider></system><eventdata><data name="SubjectUserSid">S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx</data><data name="SubjectUserName">GJahchan</data><data name="SubjectDomainName">DESKTOP</data><data name="SubjectLogonId">0x18d6fc</data><data name="ObjectServer">Security</data><data name="ObjectType">FileC</data><data name="ObjectName">:\Users\xxxxxxxx\xxxxxxx\xxxxxxxxx\xxxxxxxx\xxxxxxxxxxxx\xxxxxxxxxxx</data><data name="HandleId">0x11f4</data><data name="TransactionId">{00000000-0000-0000-0000-000000000000}</data><data name="AccessList">%%1538 %%1541 %%4416 %%4419 %%4423 </data><data name="AccessReason">%%1538: %%1804 %%1541: %%1801 D:(A;ID;FA;;;S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx) %%4416: %%1801 D:(A;ID;FA;;;S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxx) %%4419: %%1801 D:(A;ID;FA;;䍲롆�-5-21-xxxxxxxxxx픂㊉퀀�뀂량�ବᨥ</data><data name="AccessMask">0xb62f0000</data><data name="PrivilegeList">+</data><data name="RestrictedSidCount">3473408</data><data name="ProcessId">0x358003100330039</data><data name="ProcessName"></data><data name="ResourceAttributes">�</data></eventdata></event>

    Is this a problem that is particular to my Windows 10 setup, or have I stumbled on a nasty bug?

    Can anyone replicate what I am experiencing?

    Tuesday, September 13, 2016 6:56 AM
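The question is whether other people see the same corruption. Eyeballing Event Viewer does not scale, so the script below, an added example that is not part of the original thread or of any Microsoft tooling, applies the same checks a reader would apply by hand to the record quoted above: does the XML parse at all, do field values contain replacement or private-use characters, is ProcessId wider than a 32-bit Windows PID, is ProcessName empty, and does ObjectName still look like a path once ObjectType has bled a character into it (the "FileC" / ":\Users" shift seen above). The three sample records are constructed here to mirror the shape of the quoted event; field names, SIDs and paths are placeholders. On a real machine the input would be the string returned by each record's ToXml() from Get-WinEvent, which is the same schema.

```python
"""Triage Security-log 4656 records for the corruption pattern quoted in the question."""
import re
import unicodedata
import xml.etree.ElementTree as ET

# A file ObjectName is normally "C:\..." or a "\Device\..." style NT path.
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\)")

# Two characters that are legal XML but never appear in a healthy audit record:
# U+FFFD (decoder replacement) and a private-use code point (constructed garble).
GARBLE = "\ufffd" + "\ue0fd"

# Constructed sample 1: a healthy 4656 record (placeholder user and path).
CLEAN_4656 = (
    r'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    r'<System><EventID>4656</EventID><Channel>Security</Channel></System>'
    r'<EventData><Data Name="ObjectType">File</Data>'
    r'<Data Name="ObjectName">C:\Users\someuser\notes.txt</Data>'
    r'<Data Name="HandleId">0x11f4</Data>'
    r'<Data Name="ProcessId">0x1a2c</Data>'
    r'<Data Name="ProcessName">C:\Windows\explorer.exe</Data>'
    r'</EventData></Event>'
)

# Constructed sample 2: modelled on the corrupted record in the question
# (shifted ObjectType/ObjectName, garbled AccessReason, oversized ProcessId,
# empty ProcessName, junk ResourceAttributes).
CORRUPT_4656 = (
    r'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    r'<System><EventID>4656</EventID><Channel>Security</Channel></System>'
    r'<EventData><Data Name="ObjectType">FileC</Data>'
    r'<Data Name="ObjectName">:\Users\someuser\notes.txt</Data>'
    r'<Data Name="HandleId">0x11f4</Data>'
    r'<Data Name="AccessReason">%%1538: %%1804 D:(A;ID;FA;;;S-1-5-21-PLACEHOLDER) '
    r'%%4419: %%1801 D:(A;ID;FA;;{GARBLE}</Data>'
    r'<Data Name="ProcessId">0x358003100330039</Data>'
    r'<Data Name="ProcessName"></Data>'
    r'<Data Name="ResourceAttributes">{GARBLE}</Data>'
    r'</EventData></Event>'
).replace("{GARBLE}", GARBLE)

# Constructed sample 3: a record cut off mid-way, so it is not well-formed XML.
TRUNCATED_4656 = r'<Event><System><EventID>4656</EventID>'


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _suspicious_chars(value):
    """True if a field value holds control, format, private-use or replacement chars."""
    for ch in value:
        if ch == "\ufffd":
            return True
        if ch not in "\t\r\n" and unicodedata.category(ch).startswith("C"):
            return True
    return False


def triage_event(raw_xml):
    """Return {'event_id': str|None, 'indicators': [...]} for one event's XML text."""
    try:
        root = ET.fromstring(raw_xml)
    except ET.ParseError:
        return {"event_id": None, "indicators": ["xml-not-well-formed"]}

    event_id = None
    data = {}
    for el in root.iter():
        name = _local(el.tag).lower()
        if name == "eventid":
            event_id = (el.text or "").strip()
        elif name == "data":
            # Real records use Name=; HTML-flattened copies (as in the post) use name=.
            data[el.get("Name") or el.get("name") or ""] = el.text or ""

    indicators = []
    for field, value in data.items():
        if _suspicious_chars(value):
            indicators.append(f"non-printable-chars:{field}")

    pid = data.get("ProcessId", "")
    try:
        # Windows process IDs are DWORDs; anything wider means the field was overwritten.
        if pid and int(pid, 16) > 0xFFFFFFFF:
            indicators.append("process-id-exceeds-32-bit")
    except ValueError:
        indicators.append("process-id-not-hex")

    if "ProcessName" in data and not data["ProcessName"].strip():
        indicators.append("empty-process-name")

    obj_type, obj_name = data.get("ObjectType", ""), data.get("ObjectName", "")
    if obj_type.startswith("File") and obj_name and not PATH_RE.match(obj_name):
        indicators.append("object-name-not-a-path")

    return {"event_id": event_id, "indicators": indicators}


def is_malformed(raw_xml):
    return bool(triage_event(raw_xml)["indicators"])


def count_malformed(raw_events):
    """Return (malformed, total) over a batch of raw event XML strings."""
    flagged = sum(1 for e in raw_events if is_malformed(e))
    return flagged, len(raw_events)


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_4656), ("corrupt", CORRUPT_4656), ("truncated", TRUNCATED_4656)):
        print(label, triage_event(sample))
    print("malformed/total:", count_malformed([CLEAN_4656, CORRUPT_4656, TRUNCATED_4656]))
```

Running this over an export of the Security log gives a count of affected records per day, which answers "is it just my machine" far better than a screenshot, and the per-field indicators show whether the damage starts at the same field each time (in the quoted record everything after ObjectType is shifted or garbled), which is the detail worth attaching to a bug report.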

Answers

  • Hello

    The Event ID 4656 indicates that a handle to an object was requested.
    https://technet.microsoft.com/en-us/library/dd772626(v=ws.10).aspx
    If you would like to get rid of these Audit failures 4656, we need to run the following command in an elevated CMD prompt.
    auditpol /set /subcategory:"Handle Manipulation" /failure:disable

    Maybe you could run the “SFC /SCANNOW” command to scan and restore system components.
    Also, according to the created time of Event ID 4656, we could verify whether there are any related events recorded in Event Viewer with the same time as Event ID 4656.


    Regards, Regin Ravi

    Tuesday, September 13, 2016 7:43 AM
  • Hi,

    Kindly go to the following path in the group policy editor

    Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access > Audit Handle Manipulation

    Switch this setting to No auditing

    Note: This behavior will turn off all Auditing.

    There is official documentation that introduces this 4656 event; refer to it for more information.

    https://technet.microsoft.com/en-us/library/dd772626%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    In addition, run the DISM command to repair the system image.

    Dism /Online /Cleanup-Image /RestoreHealth

    Have a try.

    Regards


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 14, 2016 6:03 AM
    Moderator

All replies

  • Of course. I searched online for you; this article is worth reading, please notice the What To Do section there

    https://community.sophos.com/kb/en-US/121675

    Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Regards


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, September 14, 2016 6:06 AM
    Moderator