SOC Event Lookup
Event ID 4663ObjectAccessP2

Windows Event ID 4663: An attempt was made to access an object

Event ID 4663 records access to an audited file, registry key, or other securable object.

Applicable version
Windows Server 2008 R2 and later; Windows 7 and later
Last reviewed
2026-07-11

Trigger Scenarios

It fires only when the target has an SACL and the requested access matches the audit policy.

Key Fields

Object Name

The audited file or registry path.

Access Mask

0x2 is write data, 0x10000 is DELETE, and 0x40000 is WRITE_DAC; interpret it with Object Type.

Process Name

The process requesting access, essential for distinguishing users from tools.

Common False Positives

  • File servers and applications create substantial expected access noise.
  • Backup and antivirus products request broad rights.

Related Events

MITRE ATT&CK Mapping

  • T1005Data from Local System

Detection Notes

Use 4663 for T1005 collection when Object Name matches sensitive shares or local data and Access Mask includes 0x1 read data or 0x2 write data from an unusual Process Name. Access Mask 0x10000 on a large set of files can support ransomware or cleanup investigation.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4663
| project TimeGenerated, Computer, Account, ObjectName, AccessMask, ProcessName
Splunk SPL
index=wineventlog EventCode=4663 | table _time, host, SubjectUserName, Object_Name, Access_Mask, Process_Name
Sample Log
Object Name: C:\Finance\payroll.xlsx
Access Mask: 0x1
Process Name: C:\Windows\System32\cmd.exe

Source