Event Log 4663 Process ID Issue

Ilya Kantor 0 Reputation points
2024-01-22T23:42:24.7133333+00:00

We have observed a consistent occurrence of process ID 0x4 in the event logs, particularly associated with Event ID 4663 (file and folder access auditing). Notably, this issue seems to occur exclusively with Active Directory accounts. Despite efforts to configure the system to run all programs as user-level processes, the process IDs in the event logs remain at 0x4, indicating system-level processes.

It doesn't depend on which program was launched (administrator/user permissions); in every log there is 0x4 instead of the real process ID. There should be the real process ID, as in Task Manager or in the 4689 event (Process Termination).

With local users it appears as it's supposed to.

Steps Taken: We have undertaken the following steps in an attempt to resolve the issue:

  1. Modified the "User Account Control: Run all administrators in Admin Approval Mode" policy to "Disabled" to ensure that administrators run with the full administrative token.
  2. Checked and adjusted service accounts, scheduled tasks, and programs to run under specific user accounts rather than system accounts.
  3. Verified audit settings and logon types to ensure proper configuration for capturing user-level process information.
  4. Reviewed other security policies that might affect process identification and access auditing.
  5. Considered enabling Advanced Auditing features to provide more granular control over auditing settings.

These configurations were applied through Group Policy Objects (GPOs) to ensure consistency across the domain. Version of the Windows: Windows Server 2022, latest updates.

Please tell me how to fix it so that we receive the real process ID instead of 0x4 with Event ID 4663 for domain users.

Windows for business | Windows Server | User experience | Other

2 answers

  1. Anonymous
    2024-01-23T03:39:58.1933333+00:00

    Hello Ilya Kantor,

    Thank you for posting in Q&A forum.

    Each process running in Windows is assigned a unique decimal number called the process ID (PID). This number is used in a number of ways, for example to specify the process when attaching a debugger to it.

    https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/finding-the-process-id

    You can find a process ID using the methods in the link below.

    https://www.windowscentral.com/how-find-out-application-process-id-windows-10

    I hope the information above is helpful. If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou


    ---If the Answer is helpful, please click "Accept Answer" and upvote it.


  2. Daniel Alejandro Rivera Dominguez 415 Reputation points Microsoft External Staff
    2024-01-25T10:33:45.98+00:00

    That Event ID means there is an unauthorized access attempt to a domain resource. That PID is an absence of a PID, likely indicating some kind of Network information process. The Kernel handle process object is used for both process handles and process/thread IDs. It happens that handle values all start at 0x4, and the InitialSystemProcess is the first process to be created, so it gets a PID of 4. Idle process isn't actually a process and you can't open it. It probably doesn't have a real PID, so it will never be converted to a "real" PID.

    Explanation here: https://learn.microsoft.com/en-us/windows-hardware/drivers/debuggercmds/-handle
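A practical way to check what the 0x4 events in this thread correspond to is to correlate each 4663 event's SubjectLogonId with the 4624 logon event that created that session (its TargetLogonId) and read the LogonType. PID 4 is the System process; file operations that a server performs on behalf of a remote client (network logon, LogonType 3, e.g. access to an SMB share) are carried out in kernel mode inside System, so the 4663 event records 0x4 rather than the client application's PID, and the local user-mode PID is not available on the server. The script below is an added example, not code from the original thread or from Microsoft; the `-MaxEvents` limit, the time window and the 12-hour lookback for logons are arbitrary assumptions, and it must run elevated on the audited server.

```powershell
# Added example (not from the thread): summarise 4663 events by ProcessId and, for events
# carrying PID 0x4, look up the logon session in 4624 to see whether it was a network logon.
# Assumptions: run elevated on the audited host; $MaxEvents and time window are arbitrary.
param(
    [int]$MaxEvents = 2000,
    [datetime]$Since = (Get-Date).AddDays(-1)
)

# Flatten the <EventData><Data Name="...">value</Data> elements into a hashtable.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# 4663: object access. ProcessId is a hex string such as '0x4'.
$accessEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
    -MaxEvents $MaxEvents -ErrorAction Stop

# 4624: logon events. Index by TargetLogonId; look back a bit further because sessions
# may have been established before the first 4663 in the window.
$logons = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since.AddHours(-12) } `
    -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        $logons[$d['TargetLogonId']] = [pscustomobject]@{
            LogonType = $d['LogonType']               # 2 interactive, 3 network, 10 RDP, ...
            Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Source    = $d['IpAddress']               # client address for network logons
        }
    }

$rows = foreach ($e in $accessEvents) {
    $d = Get-EventDataMap $e
    $logon = $logons[$d['SubjectLogonId']]
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        ProcessId   = $d['ProcessId']
        IsSystemPid = ($d['ProcessId'] -eq '0x4')    # PID 4 = the System process
        ProcessName = $d['ProcessName']
        Object      = $d['ObjectName']
        LogonType   = if ($logon) { $logon.LogonType } else { 'n/a' }
        Source      = if ($logon) { $logon.Source } else { 'n/a' }
    }
}

# 1) How many 4663 events carry each ProcessId?
$rows | Group-Object ProcessId | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# 2) For the 0x4 events, which logon types produced them? A concentration on LogonType 3
#    means the accesses came over the network and were serviced inside System.
$rows | Where-Object IsSystemPid | Group-Object LogonType |
    Select-Object Name, Count | Format-Table -AutoSize

# 3) Sample of the 0x4 events with the originating client address, for follow-up.
$rows | Where-Object IsSystemPid |
    Select-Object -First 10 Time, Account, LogonType, Source, Object | Format-Table -AutoSize
```

If the second table shows the 0x4 events almost entirely under LogonType 3, the logging is behaving as designed: the server has no view of the remote client's process, and the client's address (and, with Detailed File Share auditing, Event ID 5145) is the right place to continue attribution. Domain accounts that log on interactively at the console (LogonType 2) and open files locally should show the real user-mode PID, as the poster observed for local users.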

