Audit Kernel Object

Applies To: Windows 7, Windows Server 2008 R2

This security policy setting allows you to audit attempts to access the system kernel, which include mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events.

Note

The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects.

The audits generated are usually only useful to developers.

Typically kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled.

Event volume: High if you have enabled one of the Global Object Access Auditing settings

Default setting: Not configured

If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

Event ID Event message

4659

A handle to an object was requested with intent to delete.

4660

An object was deleted.

4661

A handle to an object was requested.

4663

An attempt was made to access an object.