Windows Event ID 4663 - Object Access Attempted
Records when an attempt is made to access an object (file, registry key, etc.) that carries a System Access Control List (SACL). Essential for tracking access to sensitive files, detecting data exfiltration, and monitoring for unauthorized access attempts.
Quick Facts
Default Path (Linux): N/A (Windows Event Forwarding to SIEM)
Default Format: Windows Event Log (EVTX)
JSON Native: No
Rotation: Windows Event Log settings (default 20MB)
Log Example
Default format: Windows Event Log Format
Example Log Entry
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2/1/2026 10:45:22 AM
Event ID: 4663
Task Category: File System
Level: Information
Keywords: Audit Success
User: N/A
Computer: FILESERVER01.corp.local
Description:
An attempt was made to access an object.
Subject:
Security ID: S-1-5-21-1234567890-1234567890-1234567890-1001
Account Name: jsmith
Account Domain: CORP
Logon ID: 0x12345678
Object:
Object Server: Security
Object Type: File
Object Name: C:\Confidential\Financials\Q4Report.xlsx
Handle ID: 0x5678
Process Information:
Process ID: 0x1234
Process Name: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Access Request Information:
Accesses: ReadData (or ListDirectory)
Access Mask: 0x1
Structure: XML-based binary format with structured EventData fields
Available Formats
Windows Event Log Format
Default
Example: identical to the Example Log Entry above.
Structure: XML-based binary format with structured EventData fields
XML Format
Example:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
<EventID>4663</EventID>
<TimeCreated SystemTime="2026-02-01T10:45:22.123456789Z"/>
<Computer>FILESERVER01.corp.local</Computer>
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-21-1234567890-1234567890-1234567890-1001</Data>
<Data Name="SubjectUserName">jsmith</Data>
<Data Name="SubjectDomainName">CORP</Data>
<Data Name="SubjectLogonId">0x12345678</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\Confidential\Financials\Q4Report.xlsx</Data>
<Data Name="HandleId">0x5678</Data>
<Data Name="AccessMask">0x1</Data>
<Data Name="ProcessId">0x1234</Data>
<Data Name="ProcessName">C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE</Data>
</EventData>
</Event>
Structure: Native XML representation of the event
JSON (Winlogbeat/NXLog)
Example:
{
"event_id": 4663,
"log_name": "Security",
"computer_name": "FILESERVER01.corp.local",
"time_created": "2026-02-01T10:45:22.123Z",
"event_data": {
"SubjectUserName": "jsmith",
"SubjectDomainName": "CORP",
"ObjectType": "File",
"ObjectName": "C:\\Confidential\\Financials\\Q4Report.xlsx",
"AccessMask": "0x1",
"ProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"
}
}
Structure: Structured JSON from log forwarders
Fields Reference
| Field | Type | Description | Example |
|---|---|---|---|
| EventID | integer | Event identifier (always 4663 for object access attempted) | 4663 |
| TimeCreated | datetime | Timestamp of the access attempt | 2026-02-01T10:45:22.123Z |
| Computer | string | Computer where the object was accessed | FILESERVER01.corp.local |
| SubjectUserName | string | Account that accessed the object | jsmith |
| ObjectType | string | Type of object accessed | File |
| ObjectName | string | Full path of the accessed object | C:\Confidential\Financials\Q4Report.xlsx |
| AccessMask | string | Hexadecimal access mask | 0x1 |
| ProcessName | string | Process that accessed the object | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE |
Parsing Patterns
Grok Patterns
Applied to the XML format:
<Data Name="SubjectUserName">%{DATA:subject_user}</Data>.*<Data Name="ObjectName">%{DATA:object_name}</Data>.*<Data Name="ProcessName">%{DATA:process_name}</Data>
Regular Expressions
Applied to the XML format:
SubjectUserName">(?P<subject_user>[^<]+)</Data>.*ObjectName">(?P<object_name>[^<]+)</Data>.*ProcessName">(?P<process_name>[^<]+)</Data>
Collector Configurations
Splunk
# Access to sensitive folders
index=wineventlog EventCode=4663 ObjectType=File (ObjectName="*Confidential*" OR ObjectName="*Finance*")
| table _time, SubjectUserName, ObjectName, AccessMask, ProcessName, Computer

# Mass file access (potential data exfiltration)
index=wineventlog EventCode=4663 ObjectType=File
| bin _time span=5m
| stats dc(ObjectName) as files_accessed by _time, SubjectUserName, Computer
| where files_accessed > 100
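The Python script below is an added example, not part of this page's documentation or of any collector's shipped code. It parses 4663 records in the XML format shown above (using ElementTree rather than the grok/regex patterns, so the order of the Data elements does not matter), expands the AccessMask field into the file-object rights it represents (the winnt.h FILE_* and standard-rights bits; 0x1 is the ReadData/ListDirectory seen in the example), and reimplements the two Splunk searches above in plain Python: the sensitive-folder path match and the per-5-minute distinct-file count per user and computer. The sample records are constructed from the page's example; the account bkuser, the HR share path and the 120-file burst are assumptions chosen to exceed the threshold.

```python
"""Parse Event ID 4663 XML and run the two detections above in Python.
Added example: the sample events are constructed from the page's record, not real logs."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# File-object access-right bits (winnt.h); 0x1 is the ReadData/ListDirectory seen above.
FILE_ACCESS_BITS = {
    0x1: "ReadData/ListDirectory", 0x2: "WriteData/AddFile",
    0x4: "AppendData/AddSubdirectory", 0x8: "ReadEA", 0x10: "WriteEA",
    0x20: "Execute/Traverse", 0x40: "DeleteChild", 0x80: "ReadAttributes",
    0x100: "WriteAttributes", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
    0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

def decode_access_mask(mask):
    """Expand a hex AccessMask string such as '0x1' into the rights it requests."""
    value = int(mask, 16)
    return [name for bit, name in FILE_ACCESS_BITS.items() if value & bit]

def parse_event_xml(xml_text):
    """Return a flat dict: System fields plus every EventData <Data Name=...> entry."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "EventID": int(system.find("e:EventID", NS).text),
        "Computer": system.find("e:Computer", NS).text,
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    for data in root.find("e:EventData", NS):
        event[data.get("Name")] = data.text
    return event

def to_epoch(ts):
    """SystemTime carries up to nine fractional digits; drop them before parsing."""
    base = re.sub(r"(\.\d+)?Z$", "", ts)
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc).timestamp()

SENSITIVE_MARKERS = ("confidential", "finance")  # the *Confidential* / *Finance* wildcards

def sensitive_path_hits(events):
    """Search 1: file accesses whose path contains a sensitive-folder marker (case-insensitive)."""
    return [e for e in events
            if e["EventID"] == 4663 and e.get("ObjectType") == "File"
            and any(m in e.get("ObjectName", "").lower() for m in SENSITIVE_MARKERS)]

def mass_access(events, span_seconds=300, threshold=100):
    """Search 2: distinct files per (5-minute bin, user, computer); flag counts over threshold."""
    seen = defaultdict(set)
    for e in events:
        if e["EventID"] != 4663 or e.get("ObjectType") != "File":
            continue
        bucket = int(to_epoch(e["TimeCreated"]) // span_seconds) * span_seconds
        seen[(bucket, e["SubjectUserName"], e["Computer"])].add(e["ObjectName"])
    return {key: len(names) for key, names in seen.items() if len(names) > threshold}

def make_event(user, obj_name, system_time, mask="0x1", process=r"C:\Windows\explorer.exe"):
    """Build a constructed 4663 record in the XML layout shown above."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Auditing"/>
<EventID>4663</EventID><TimeCreated SystemTime="{system_time}"/>
<Computer>FILESERVER01.corp.local</Computer></System>
<EventData><Data Name="SubjectUserName">{user}</Data><Data Name="SubjectDomainName">CORP</Data>
<Data Name="ObjectType">File</Data><Data Name="ObjectName">{obj_name}</Data>
<Data Name="AccessMask">{mask}</Data><Data Name="ProcessName">{process}</Data></EventData>
</Event>"""

# Constructed sample: the page's jsmith record, one benign access, and a hypothetical
# account 'bkuser' touching 120 distinct files within a single 5-minute window.
SAMPLE_XML = make_event("jsmith", r"C:\Confidential\Financials\Q4Report.xlsx",
                        "2026-02-01T10:45:22.123456789Z",
                        process=r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE")
EVENTS = [parse_event_xml(SAMPLE_XML),
          parse_event_xml(make_event("jsmith", r"C:\Public\readme.txt", "2026-02-01T10:46:00Z"))]
EVENTS += [parse_event_xml(make_event("bkuser", rf"C:\Shares\HR\doc{i}.docx",
                                      f"2026-02-01T11:{i // 60:02d}:{i % 60:02d}Z"))
           for i in range(120)]

if __name__ == "__main__":
    for e in sensitive_path_hits(EVENTS):
        print("sensitive:", e["SubjectUserName"], e["ObjectName"], decode_access_mask(e["AccessMask"]))
    for (bucket, user, host), count in mass_access(EVENTS).items():
        start = datetime.fromtimestamp(bucket, timezone.utc)
        print(f"mass access: {user}@{host} touched {count} files in the bin starting {start:%H:%M}")
```

Run it directly to print the hits. The window, threshold and markers are parameters so they can be tuned against a baseline of normal activity (backup and indexing accounts routinely exceed 100 files in five minutes and are better excluded by account than by raising the threshold). FILE_ACCESS_BITS covers file objects only; registry and other object types use different right definitions, so decode those separately.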
Configuration
Enable Logging
Enable file system object access auditing and configure a SACL on the target folders.
# Enable auditing
auditpol /set /subcategory:"File System" /success:enable
# Configure SACL on folder (PowerShell)
$acl = Get-Acl "C:\Confidential"
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone","Read,Write,Delete","ContainerInherit,ObjectInherit","None","Success")
$acl.AddAuditRule($rule)
Set-Acl "C:\Confidential" $acl
Log To Syslog
Forward via Windows Event Forwarding (WEF)
# Include in WEF subscription with filtering for high-value paths
Use Cases
File access tracking: monitor who accesses specific files. Key fields: SubjectUserName, ObjectName, TimeCreated.
Tested On
Windows Server 2022 (tested by admin, 2026-02-01)
Last updated: 2026-02-01 by admin