Windows Event ID 4907: Auditing settings on object were changed
Windows Security Event ID 4907 records a change to the SACL auditing settings on a file or registry object.
- Applicable version
- Windows Server 2008 and later where the audit subcategory is enabled
- Last reviewed
- 2026-07-13
Trigger Scenarios
Microsoft documents that this event is generated when an object SACL changes and does not generate for Active Directory objects.
Key Fields
Object Server / Object Type / Object Name
Identifies the object whose auditing settings changed; file and registry paths are the primary investigation pivots.
OldSd / NewSd
Original and new SDDL strings for the object auditing settings.
Process ID / Process Name
The process through which the SACL change occurred.
Common False Positives
- Security baseline deployment and audit policy hardening can legitimately change SACLs.
- Administrators may update auditing on sensitive folders during compliance work.
Related Events
MITRE ATT&CK Mapping
- T1562.002Impair Defenses: Disable Windows Event Logging
Detection Notes
Alert when Object Name is C:\Windows\System32, C:\ProgramData\, C:\Users\Public, or a critical registry key and NewSd removes SACL audit entries such as SA/FA that were present in OldSd. Microsoft documents 4907 as object SACL-change telemetry and excludes Active Directory objects; removing auditing from high-value file or registry paths impairs evidence collection and supports T1562.002 Disable Windows Event Logging. Correlate Process ID to 4688 and compare with 4670 permission changes.
SecurityEvent
| where EventID == 4907
| project TimeGenerated, Computer, Account, ObjectName, OldSd, NewSd, ProcessNameindex=wineventlog EventCode=4907 | table _time, host, Account_Name, Object_Name, OldSd, NewSd, Process_NameEventID: 4907
Object Type: File
Object Name: C:\ProgramData\SecurityAgent\logs
OldSd: S:(AU;SAFA;FA;;;WD)
NewSd: S:NO_ACCESS_CONTROL
Process Name: C:\Windows\System32\icacls.exe