4691 Indirect access to an object was requested
Logged when indirect access to an object is requested. It is generated mainly for access requests to ALPC ports (an inter-process communication mechanism).
Overview
The event belongs to the Audit Other Object Access Events subcategory. It is generated for actions such as access requests to ALPC (Advanced Local Procedure Call: an inter-process communication mechanism within one machine) ports. It indicates that access was requested indirectly rather than by opening a handle to the object directly.
How it is triggered
- When access to an ALPC port is requested.
- It is recorded in environments where the relevant audit subcategory (Audit Other Object Access Events) is enabled.
Security review points
- ALPC is used for communication among many system services. An access request to a particular service port by an unexpected process can be notable in the context of service abuse or privilege escalation.
- Its standalone security meaning is limited. Check the requesting process and target, and read it together with other object-access events.
Notes for log review
- ALPC access occurs in volume during normal operation. Do not make it an always-on monitoring target; narrow it for specific investigations.
- Learn the normal patterns of target port and requesting process, and watch for deviations.
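One way to apply the baseline-and-deviation approach above during a scoped investigation, as an added example that is not part of the original page. It assumes the 4691 events have already been exported to records keyed by the field names listed under Key fields; the sample records, the helper names and the two port-name normalization rules are constructed assumptions.

```python
import re
from collections import Counter

def ev(obj, account, proc):
    """Build a record keyed by the field names listed under Key fields."""
    return {"Object Name": obj, "Subject\\Account Name": account, "Process Name": proc}

# Constructed sample data: a baseline window and an investigation window.
BASELINE = [
    ev(r"\Sessions\1\Windows\DwmApiPort", "alice", r"C:\Windows\explorer.exe"),
    ev(r"\Sessions\2\Windows\DwmApiPort", "bob", r"C:\Windows\Explorer.EXE"),
    ev(r"\RPC Control\LRPC-3f9a1c02d4", "SYSTEM", r"C:\Windows\System32\svchost.exe"),
]
INVESTIGATION = [
    ev(r"\Sessions\3\Windows\DwmApiPort", "carol", r"C:\Windows\explorer.exe"),
    ev(r"\RPC Control\LRPC-77be0d91aa", "SYSTEM", r"C:\Windows\System32\svchost.exe"),
    ev(r"\RPC Control\LRPC-77be0d91aa", "carol", r"C:\Users\carol\AppData\Local\Temp\tool.exe"),
    ev(r"\RPC Control\LRPC-77be0d91aa", "carol", r"C:\Users\carol\AppData\Local\Temp\tool.exe"),
]

def normalize(event):
    """Reduce an event to a (process, port) key that is stable across sessions and reboots."""
    port = event["Object Name"].lower()
    # Assumption: the session number in the port path varies per logon session.
    port = re.sub(r"\\sessions\\\d+\\", r"\\sessions\\*\\", port)
    # Assumption: dynamic endpoints carry a random hex suffix.
    port = re.sub(r"lrpc-[0-9a-f]+", "lrpc-*", port)
    return event["Process Name"].lower(), port

def deviations(baseline, window):
    """Return {(process, port): (count, sorted accounts)} for pairs absent from the baseline."""
    known = {normalize(e) for e in baseline}
    counts, accounts = Counter(), {}
    for e in window:
        key = normalize(e)
        if key not in known:
            counts[key] += 1
            accounts.setdefault(key, set()).add(e["Subject\\Account Name"])
    return {k: (n, sorted(accounts[k])) for k, n in counts.items()}

if __name__ == "__main__":
    for (proc, port), (n, who) in deviations(BASELINE, INVESTIGATION).items():
        print(f"{n}x {proc} -> {port} by {', '.join(who)}")
```

Without the normalization step, every new session number or endpoint suffix would show up as a deviation and bury the one pair that is actually new.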
Key fields
| Field | Meaning |
|---|---|
| Object Name | The target (an ALPC port, etc.) |
| Subject\Account Name | The requesting account |
| Process Name | The requesting process |
Glossary
- ALPC (Advanced Local Procedure Call) — a channel for services inside Windows to communicate quickly with one another.