4658 The handle to an object was closed
Written when a handle to an object is closed. It carries little meaning on its own; it is a supporting event for knowing how long a handle was open (its hold time).
Overview
The subcategories are Audit File System, Audit Handle Manipulation, Audit Kernel Object, Audit Registry, and Audit Removable Storage. It is generated when a handle to a file, registry key, or kernel object is closed. It is recorded only if Success auditing for Audit Handle Manipulation is enabled.
How it is triggered
- When a handle opened by 4656 (handle request) / 4661 is closed.
- It ties to the corresponding open event via Handle ID.
Security review points
- It has almost no security meaning on its own. Use it paired with the corresponding 4656 when you want to know a handle’s hold time.
- In investigating access to sensitive objects, it is material that completes the “when opened, when closed” picture.
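As an added example (not part of the original page), the pairing described above in Python: constructed 4656/4658 events in Windows event XML are matched on Process ID plus Handle ID, the hold time is computed, and a close with no preceding open is reported separately. Field names follow the EventData XML; the sample values are made up.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (not real log data). Fields are a subset of the real EventData.
SAMPLE_EVENTS = [
    # 4656: handle 0x1a4 requested by process 0x7d0 for a sensitive file
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4656</EventID>'
    '<TimeCreated SystemTime="2024-05-01T09:00:00.000Z"/></System><EventData><Data Name="ObjectName">C:\\Finance\\payroll.xlsx</Data>'
    '<Data Name="HandleId">0x1a4</Data><Data Name="ProcessId">0x7d0</Data><Data Name="ProcessName">C:\\Windows\\explorer.exe</Data></EventData></Event>',
    # 4658: the same handle closed 2.5 s later by the same process
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4658</EventID>'
    '<TimeCreated SystemTime="2024-05-01T09:00:02.500Z"/></System><EventData>'
    '<Data Name="HandleId">0x1a4</Data><Data Name="ProcessId">0x7d0</Data><Data Name="ProcessName">C:\\Windows\\explorer.exe</Data></EventData></Event>',
    # 4658: same HandleId value in a different process, and no 4656 was logged for it
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4658</EventID>'
    '<TimeCreated SystemTime="2024-05-01T09:00:03.000Z"/></System><EventData>'
    '<Data Name="HandleId">0x1a4</Data><Data Name="ProcessId">0x9c4</Data><Data Name="ProcessName">C:\\Windows\\notepad.exe</Data></EventData></Event>',
]


def parse_event(xml_text):
    """Return (event_id, timestamp, {Data Name: value}) from one event's XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    ts = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
    data = {d.get("Name"): d.text for d in root.find("e:EventData", NS)}
    return event_id, ts, data


def handle_hold_times(xml_events):
    """Pair each 4658 with the 4656 of the same (ProcessId, HandleId) and compute the hold time.

    HandleId is unique only within a process and is reused after a close, so the key includes
    ProcessId and events are walked in time order. Returns (matched pairs, unmatched close keys)."""
    open_handles, matched, unmatched = {}, [], []
    for event_id, ts, data in sorted(map(parse_event, xml_events), key=lambda e: e[1]):
        key = (data["ProcessId"], data["HandleId"])
        if event_id == 4656:
            open_handles[key] = (ts, data["ObjectName"])
        elif event_id == 4658:
            opened = open_handles.pop(key, None)
            if opened is None:
                unmatched.append(key)  # close without a logged open: audit gap or pre-existing handle
            else:
                matched.append({"object": opened[1], "process": data["ProcessName"],
                                "held_seconds": (ts - opened[0]).total_seconds()})
    return matched, unmatched
```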
Notes for log review
- Enabling Audit Handle Manipulation records a huge number of handle closes and is very noisy. Normally do not leave it on; enable it narrowly for specific investigations.
- Do not alert on it alone; treat it as a supplement to actual-access events such as 4656/4663.
Key fields
| Field | Meaning |
|---|---|
| Handle ID | The closed handle; the key for matching the open side |
| Object Name / Object Type | The target object |
| Process Name | The process that closed the handle |