Object Access Event: 4657

Active Directory Auditing Tool

The who, where and when of every change are essential for an administrator to have complete knowledge of all activity in their Active Directory. This information helps them identify any desired or undesired activity. ADAudit Plus provides it in the form of reports. It audits, monitors and reports in real time on critical resources in the network, such as domain controllers, with complete information on AD objects (users, groups, GPOs, computers, OUs, DNS, AD schema and configuration changes), through 200+ detailed event-specific GUI reports and email alerts.

Event ID 4657 – A Registry Value Was Modified

Event ID: 4657
Category: Object Access
Sub-Category: Audit Registry
Type: Success Audit
Description: A registry value was successfully modified.

Event ID 4657 is logged when a registry key value is modified. Note that it is triggered only when a value of a key is modified, not when the key itself is modified. The event is also logged only if auditing is enabled for the registry key in its SACL.

This log data provides the following information:

  • Security ID
  • Account Name
  • Account Domain
  • Object Name
  • Object Value Name
  • Handle ID
  • Operation Type
  • Process ID
  • Process Name
  • Old Value Type
  • Old Value
  • New Value Type
  • New Value

Why does event ID 4657 need to be monitored?

  • To monitor unauthorized and restricted processes which change registry key values
  • To ensure that no critical or sensitive registry key is being modified
  • To monitor actions of high-value accounts
  • To detect anomalies and malicious actions
  • To ensure non-active, external, and restricted accounts are not used
  • To ensure that only white-listed accounts perform certain specific actions
  • To enforce conventions and compliance
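
The following is an added example, not ADAudit Plus code or part of the original page: it parses the XML of a 4657 event into the fields listed above and reports a change to a watched key made by an account or process outside an allow list. The watched key, the allow-listed account and process, and the sample event are hypothetical values constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Message tokens Windows records in the OperationType field of event 4657.
OPERATIONS = {"%%1904": "created", "%%1905": "modified", "%%1906": "deleted"}
# Assumed policy for this example (hypothetical key, account and process).
WATCHED_KEYS = (r"\REGISTRY\MACHINE\SOFTWARE\ExampleCorp\Agent",)
ALLOWED_ACCOUNTS = {r"EXAMPLE\cfg-admin"}
ALLOWED_PROCESSES = {r"c:\program files\examplecorp\agentcfg.exe"}

# Constructed sample event, trimmed to the fields used below.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>4657</EventID></System>
 <EventData>
  <Data Name="SubjectUserName">jdoe</Data>
  <Data Name="SubjectDomainName">EXAMPLE</Data>
  <Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\ExampleCorp\Agent\Settings</Data>
  <Data Name="ObjectValueName">UpdateServer</Data>
  <Data Name="OperationType">%%1905</Data>
  <Data Name="OldValue">updates.example.test</Data>
  <Data Name="NewValue">mirror.example.test</Data>
  <Data Name="ProcessName">C:\Windows\System32\reg.exe</Data>
 </EventData>
</Event>"""

def parse_4657(xml_text):
    """Return the EventData fields of a 4657 event as a dict, or None otherwise."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4657":
        return None
    fields = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    fields["Operation"] = OPERATIONS.get(fields.get("OperationType"), "unknown")
    return fields

def review(fields):
    """List the reasons a change to a watched key breaks the assumed policy."""
    key = fields.get("ObjectName", "").lower()
    if not any(key == w.lower() or key.startswith(w.lower() + "\\") for w in WATCHED_KEYS):
        return []  # key is outside the watch list
    reasons = []
    account = f'{fields.get("SubjectDomainName", "")}\\{fields.get("SubjectUserName", "")}'
    if account.lower() not in {a.lower() for a in ALLOWED_ACCOUNTS}:
        reasons.append(f"account {account} is not allow-listed")
    if fields.get("ProcessName", "").lower() not in ALLOWED_PROCESSES:
        reasons.append(f'process {fields.get("ProcessName")} is not allow-listed')
    return reasons

if __name__ == "__main__":
    print(review(parse_4657(SAMPLE_EVENT)))
```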

Pro Tip:

ADAudit Plus helps audit all Windows File Server and file share events, thus helping you meet your security, operational, and compliance needs with absolute ease.

Event 4657 applies to the following operating systems:

  • Windows 2008 R2 and 7
  • Windows 2012 R2 and 8.1
  • Windows 2016 and 10

Corresponding event in Windows 2003 and before: 567.