4985 The state of a transaction has changed
An informational event written when a file system transaction’s state changes. It reflects the internal state of file operations that use transactions (TxF).
Overview
This event is logged under the Audit File System subcategory (and the privilege-use subcategories). It is an informational event in which the file system Transaction Manager (KTM/TxF) reports a transaction state change. It reflects the internal workings of the mechanism that commits or rolls back multiple file operations together.
How it is triggered
- When a transaction’s state (begin, commit, rollback, etc.) changes in a transactional file operation.
Security review points
- It is basically an informational event with low standalone security value. Use it mainly to understand the behavior of transactional file operations (e.g. some installers).
- In the context of file-access auditing, it is supplementary information to read together with access events on the target object (such as 4663).
Notes for log review
- As an informational event it can appear in volume. Rather than using it for detection alone, treat it as a supplement to the flow of file operations.
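The review approach described above (4985 as context for 4663 rather than a detection on its own) can be sketched as follows. This is an added example, not part of the original page. The flattened record layout, the field names `ProcessId`, `SubjectLogonId`, `TransactionId`, `NewState` and `ObjectName`, the correlation by process, logon session and a 5-second window, and all sample values are assumptions.

```python
from datetime import datetime, timedelta

def ev(event_id, time, pid, logon, **fields):
    """Build one flattened event record (constructed sample data)."""
    return {"id": event_id, "time": datetime.fromisoformat(time),
            "ProcessId": pid, "SubjectLogonId": logon, **fields}

# Constructed sample: an installer-like process (pid 0x1a4) working inside a
# transaction, plus an unrelated 4663 from another process. All values are made up.
EVENTS = [
    ev(4985, "2024-05-01T10:00:00", "0x1a4", "0x3e7", TransactionId="{TX-A}", NewState="52"),
    ev(4663, "2024-05-01T10:00:01", "0x1a4", "0x3e7", ObjectName=r"C:\Program Files\App\app.dll"),
    ev(4985, "2024-05-01T10:00:02", "0x1a4", "0x3e7", TransactionId="{TX-A}", NewState="48"),
    ev(4663, "2024-05-01T10:07:00", "0x9c0", "0x5b2c1", ObjectName=r"C:\Data\report.xlsx"),
]

def annotate_file_access(events, window=timedelta(seconds=5)):
    """Attach nearby 4985 state changes to each 4663 from the same process and logon.

    4985 is never reported on its own; it only adds context to an access event.
    The process/logon/time-window match is a heuristic (an assumption of this sketch).
    """
    tx_events = [e for e in events if e["id"] == 4985]
    report = []
    for access in (e for e in events if e["id"] == 4663):
        related = [
            (t["TransactionId"], t["NewState"])
            for t in tx_events
            if t["ProcessId"] == access["ProcessId"]
            and t["SubjectLogonId"] == access["SubjectLogonId"]
            and abs(t["time"] - access["time"]) <= window
        ]
        report.append({"object": access["ObjectName"],
                       "process_id": access["ProcessId"],
                       "transactional": bool(related),
                       "state_changes": related})
    return report

if __name__ == "__main__":
    for row in annotate_file_access(EVENTS):
        print(row)
```

Because the output is keyed on 4663, a burst of 4985 events with no matching file access produces no rows, which keeps the volume of the informational event out of the review queue.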
Key fields
| Field | Meaning |
|---|---|
| Transaction ID | The transaction in question |
| State | The state after the change |
Glossary
- TxF / KTM — a Windows mechanism that can commit/roll back multiple file operations as a single transaction.