4656 A handle to an object was requested
Written when specific access rights are requested for a file, registry, or kernel object. It shows whether the request was granted, but not that the operation was actually performed.
Overview
The subcategories are Audit File System, Audit Kernel Object, Audit Registry, and Audit Removable Storage. It is generated only if the object’s SACL (System Access Control List: the setting that defines which accesses are audited) has a matching audit entry. If access is denied, a Failure event is produced. You learn the result of the request, but check 4663 to confirm the operation was actually carried out.
How it is triggered
- A request to open (obtain a handle to) a file, folder, or registry key configured for auditing.
- The requested rights appear in AccessMask / AccessList (read, write, delete, and so on).
Security review points
- Check the source (Subject) and process (Process Name) of access requests to sensitive files or registry keys. Failure (denied) events in particular are a sign that an account without permission tried to touch something.
- Infer intent from which rights were requested (AccessMask). Requests for delete, write, or take-ownership are higher priority.
- Since this is the “request” stage, follow the request-to-execution flow by combining it with the actual-operation event 4663 and the deletion event 4660.
Notes for log review
- It only appears for targets with a SACL set. Without narrowing the audited targets it becomes enormous; narrow too far and you see nothing. The design assumes SACLs only on important assets.
- Handle requests are recorded in larger volume than the actual accesses, and precede them. Read-only requests and known legitimate processes tend to be noise, so filter by target and by the rights requested.
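The review points above (rank denied requests and delete/write/take-ownership rights first, drop read-only handles from known processes, then pair the request with its 4663 follow-up by handle) can be run over exported EventData as a script. The following Python is an added example, not code from the page; the events, the process allowlist and the `ExampleApp` registry path are constructed for it. The access-right bit values are the standard ones from the Windows SDK (winnt.h), and the "Outcome" field stands in for the event's Audit Success / Audit Failure keyword.

```python
"""Triage constructed 4656 events and pair them with 4663 by (ProcessId, HandleId)."""

# Access-right bits from winnt.h: standard rights apply to every object type,
# the low 16 bits depend on ObjectType (File vs. registry Key here).
STANDARD_RIGHTS = {0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
                   0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE"}
SPECIFIC_RIGHTS = {
    "File": {0x1: "FILE_READ_DATA", 0x2: "FILE_WRITE_DATA", 0x4: "FILE_APPEND_DATA",
             0x8: "FILE_READ_EA", 0x10: "FILE_WRITE_EA", 0x20: "FILE_EXECUTE",
             0x40: "FILE_DELETE_CHILD", 0x80: "FILE_READ_ATTRIBUTES",
             0x100: "FILE_WRITE_ATTRIBUTES"},
    "Key": {0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
            0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK"},
}
# Rights the page ranks as higher priority: delete, write, take-ownership.
HIGH_PRIORITY = {"DELETE", "FILE_DELETE_CHILD", "WRITE_DAC", "WRITE_OWNER",
                 "FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_WRITE_ATTRIBUTES",
                 "KEY_SET_VALUE", "KEY_CREATE_SUB_KEY"}
# Hypothetical allowlist: processes whose read-only handles are accepted noise.
KNOWN_PROCESSES = {r"C:\Windows\System32\SearchIndexer.exe"}


def decode_access_mask(mask, object_type):
    """Translate the hex AccessMask string of a 4656/4663 event into right names."""
    value = int(mask, 16)
    table = {**STANDARD_RIGHTS, **SPECIFIC_RIGHTS.get(object_type, {})}
    return sorted(name for bit, name in table.items() if value & bit)


def triage(event):
    """Rank one 4656 event: denied or high-risk requests first, known readers last."""
    rights = decode_access_mask(event["AccessMask"], event["ObjectType"])
    risky = sorted(HIGH_PRIORITY.intersection(rights))
    if event["Outcome"] == "Audit Failure":
        level, reason = "high", "request denied: caller lacked permission"
    elif risky:
        level, reason = "high", "requested " + ", ".join(risky)
    elif event["ProcessName"] in KNOWN_PROCESSES:
        level, reason = "ignore", "read-only handle from an allowlisted process"
    else:
        level, reason = "low", "read-only request"
    return {"level": level, "reason": reason, "rights": rights, "who": event["SubjectUserName"],
            "object": event["ObjectName"], "process": event["ProcessName"]}


def performed_on_handles(accesses):
    """Map (ProcessId, HandleId) of each 4663 to the rights actually exercised."""
    done = {}
    for a in accesses:
        key = (a["ProcessId"], a["HandleId"])
        done.setdefault(key, set()).update(decode_access_mask(a["AccessMask"], a["ObjectType"]))
    return done


def review(requests, accesses):
    """Triage every 4656 and attach what the matching 4663 shows was really done.

    A denied 4656 carries HandleId 0x0 and never gets a 4663, so it is reported
    with performed=[]; a successful request with no 4663 was opened but not used.
    """
    done = performed_on_handles(accesses)
    rows = []
    for e in requests:
        row = triage(e)
        row["performed"] = sorted(done.get((e["ProcessId"], e["HandleId"]), set()))
        rows.append(row)
    order = {"high": 0, "low": 1, "ignore": 2}
    return sorted(rows, key=lambda r: order[r["level"]])


def ev(outcome, user, otype, name, mask, proc, pid, handle):
    """Build one EventData record with the field names the real events use."""
    return {"Outcome": outcome, "SubjectUserName": user, "ObjectType": otype, "ObjectName": name,
            "AccessMask": mask, "ProcessName": proc, "ProcessId": pid, "HandleId": handle}


# Constructed sample events (not real logs). 0x120089 is the usual read-only
# file open; 0x10080 asks for DELETE; 0x20006 asks to set values on a key.
PAYROLL = r"C:\Finance\payroll.xlsx"
SAMPLE_4656 = [
    ev("Audit Success", "SYSTEM", "File", PAYROLL, "0x120089",
       r"C:\Windows\System32\SearchIndexer.exe", "0x1a4", "0x5c8"),
    ev("Audit Success", "jdoe", "File", PAYROLL, "0x10080",
       r"C:\Windows\System32\cmd.exe", "0x9f0", "0x6f0"),
    ev("Audit Failure", "contractor", "Key", r"\REGISTRY\MACHINE\SOFTWARE\ExampleApp\Config",
       "0x20006", r"C:\Windows\regedit.exe", "0xb2c", "0x0"),
    ev("Audit Success", "jdoe", "File", PAYROLL, "0x120089",
       r"C:\Windows\System32\notepad.exe", "0xc40", "0x7a8"),
]
# The single 4663 that followed: the delete on handle 0x6f0 was actually carried out.
SAMPLE_4663 = [ev("Audit Success", "jdoe", "File", PAYROLL, "0x10000",
                  r"C:\Windows\System32\cmd.exe", "0x9f0", "0x6f0")]

if __name__ == "__main__":
    for row in review(SAMPLE_4656, SAMPLE_4663):
        print(f"[{row['level']:6}] {row['who']} via {row['process']} -> {row['object']}: "
              f"{row['reason']}; performed={row['performed'] or 'none seen'}")
```

On real exports, feed the script the EventData fields of 4656 and 4663 as dictionaries and extend `KNOWN_PROCESSES` with the readers you have verified; keep the allowlist short, since a broad one hides exactly the handle requests the SACL was set up to catch.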
Key fields
| Field | Meaning |
|---|---|
| Subject\Account Name | The requesting account |
| Object Name / Object Type | The target object and its type |
| Accesses / Access Mask | The requested access rights |
| Process Name | The requesting process |
Glossary
- SACL (System Access Control List) — the setting on an object that defines which accesses are written to the audit log. Without it, access events are not recorded.