Event ID 4663ObjectAccessP2
Windows Event ID 4663: An attempt was made to access an object
Event ID 4663 records access to an audited file, registry key, or other securable object.
- Applicable version
- Windows Server 2008 R2 and later; Windows 7 and later
- Last reviewed
- 2026-07-11
Trigger Scenarios
It fires only when the target has an SACL and the requested access matches the audit policy.
Key Fields
Object Name
The audited file or registry path.
Access Mask
0x2 is write data, 0x10000 is DELETE, and 0x40000 is WRITE_DAC; interpret it with Object Type.
Process Name
The process requesting access, essential for distinguishing users from tools.
Common False Positives
- File servers and applications create substantial expected access noise.
- Backup and antivirus products request broad rights.
Related Events
MITRE ATT&CK Mapping
- T1005Data from Local System
Detection Notes
Use 4663 for T1005 collection when Object Name matches sensitive shares or local data and Access Mask includes 0x1 read data or 0x2 write data from an unusual Process Name. Access Mask 0x10000 on a large set of files can support ransomware or cleanup investigation.
SecurityEvent
| where EventID == 4663
| project TimeGenerated, Computer, Account, ObjectName, AccessMask, ProcessNameindex=wineventlog EventCode=4663 | table _time, host, SubjectUserName, Object_Name, Access_Mask, Process_NameObject Name: C:\Finance\payroll.xlsx
Access Mask: 0x1
Process Name: C:\Windows\System32\cmd.exe