{
	"id": "4cac24be-1a88-4746-a968-72f0381ab31f",
	"created_at": "2026-04-06T00:13:19.225212Z",
	"updated_at": "2026-04-10T13:12:32.152354Z",
	"deleted_at": null,
	"sha1_hash": "9e20a9a18f156c0c2b0d3852a9563b7e2114c0bf",
	"title": "4657(S) A registry value was modified. - Windows 10",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 149118,
	"plain_text": "4657(S) A registry value was modified. - Windows 10\r\nBy vinaypamnani-msft\r\nArchived: 2026-04-05 16:25:44 UTC\r\nSubcategory: Audit Registry\r\nEvent Description:\r\nThis event generates when a registry key value was modified. It doesn’t generate when a registry key was\r\nmodified.\r\nhttps://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657\r\nPage 1 of 6\n\nThis event generates only if “Set Value\" auditing is set in registry key’s SACL.\nNote For recommendations, see Security Monitoring Recommendations for this event.\nEvent XML:\n- - 4657001280100x8020000000000000744725SecurityDC01.contoso.local - S-1-5-21-3457937927-2839227994-823803824-1104 dadmin CONTOSO 0x364eb \\\\REGISTRY\\\\MACHINE Name\\_New 0x54 %%1905 %%1873 %%1873 Andrei 0xce4 C:\\\\Windows\\\\regedit.exe Required Server Roles: None.\nMinimum OS Version: Windows Server 2008, Windows Vista.\nEvent Versions: 0.\n\nField Descriptions:\r\nSubject:\r\nSecurity ID [Type = SID]: SID of account that requested the “modify registry value” operation. Event\r\nViewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you\r\nwill see the source data in the event.\r\nNote  A security identifier (SID) is a unique value of variable length used to identify a trustee (security\r\nprincipal). Each account has a unique SID that is issued by an authority, such as an Active Directory\r\ndomain controller, and stored in a security database. Each time a user logs on, the system retrieves the\r\nSID for that user from the database and places it in the access token for that user. The system uses the\r\nSID in the access token to identify the user in all subsequent interactions with Windows security. When\r\na SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify\r\nanother user or group. 
For more information about SIDs, see Security identifiers.\r\nAccount Name [Type = UnicodeString]: the name of the account that requested the “modify registry\r\nvalue” operation.\r\nAccount Domain [Type = UnicodeString]: subject’s domain or computer name. Formats vary, and include\r\nthe following:\r\nDomain NETBIOS name example: CONTOSO\r\nLowercase full domain name: contoso.local\r\nUppercase full domain name: CONTOSO.LOCAL\r\nFor some well-known security principals, such as LOCAL SERVICE or ANONYMOUS LOGON,\r\nthe value of this field is “NT AUTHORITY”.\r\nFor local user accounts, this field will contain the name of the computer or device that this account\r\nbelongs to, for example: “Win81”.\r\nLogon ID [Type = HexInt64]: hexadecimal value that can help you correlate this event with recent events\r\nthat might contain the same Logon ID, for example, “4624: An account was successfully logged on.”\r\nObject:\r\nObject Name [Type = UnicodeString]: full path and name of the registry key which value was modified.\r\nThe format is: \\REGISTRY\\HIVE\\PATH where:\r\nHIVE:\r\nHKEY_LOCAL_MACHINE = \\REGISTRY\\MACHINE\r\nHKEY_CURRENT_USER = \\REGISTRY\\USER\\[USER_SID], where [USER_SID] is the\r\nSID of current user.\r\nHKEY_CLASSES_ROOT = \\REGISTRY\\MACHINE\\SOFTWARE\\Classes\r\nHKEY_USERS = \\REGISTRY\\USER\r\nHKEY_CURRENT_CONFIG =\r\n\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\Current\r\nPATH – path to the registry key.\r\nObject Value Name [Type = UnicodeString]: the name of modified registry key value.\r\nHandle ID [Type = Pointer]: hexadecimal value of a handle to Object Name. 
This field can help you\r\ncorrelate this event with other events that might contain the same Handle ID, for example, “4656: A handle\r\nto an object was requested.” This parameter might not be captured in the event, and in that case appears as\r\n“0x0”.\r\nOperation Type [Type = UnicodeString]: the type of performed operation with registry key value. Most\r\ncommon operations are:\r\nNew registry value created\r\nRegistry value deleted\r\nExisting registry value modified\r\nProcess Information:\r\nProcess ID [Type = Pointer]: hexadecimal Process ID of the process through which the registry key value\r\nwas modified. Process ID (PID) is a number used by the operating system to uniquely identify an active\r\nprocess. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID\r\ncolumn):\r\nIf you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.\r\nYou can also correlate this process ID with a process ID in other events, for example, “4688: A new\r\nprocess has been created” Process Information\\New Process ID.\r\nProcess Name [Type = UnicodeString]: full path and the name of the executable for the process.\r\nChange Information:\r\nOld Value Type [Type = UnicodeString]: old type of changed registry key value. Registry key value types:\r\nValue Type Description\r\nREG_SZ String\r\nREG_BINARY Binary\r\nREG_DWORD DWORD (32-bit) Value\r\nREG_QWORD QWORD (64-bit) Value\r\nREG_MULTI_SZ Multi-String Value\r\nREG_EXPAND_SZ Expandable String Value\r\nOld Value [Type = UnicodeString]: old value for changed registry key value.\r\nNew Value Type [Type = UnicodeString]: new type of changed registry key value. 
See table above for\r\npossible values.\r\nNew Value [Type = UnicodeString]: new value for changed registry key value.\r\nSecurity Monitoring Recommendations\r\nFor 4657(S): A registry value was modified.\r\nImportant  For this event, also see Appendix A: Security monitoring recommendations for many audit\r\nevents.\r\nIf you have a pre-defined “Process Name” for the process reported in this event, monitor all events with\r\n“Process Name” not equal to your defined value.\r\nYou can monitor to see if “Process Name” is not in a standard folder (for example, not in System32 or\r\nProgram Files) or is in a restricted folder (for example, Temporary Internet Files).\r\nIf you have a pre-defined list of restricted substrings or words in process names (for example, “mimikatz”\r\nor “cain.exe”), check for these substrings in “Process Name.”\r\nIf Object Name is a sensitive or critical registry key for which you need to monitor any modification of its\r\nvalues, monitor all 4657 events.\r\nIf Object Name has specific values (Object Value Name) and you need to monitor modifications of these\r\nvalues, monitor for all 4657 events.\r\nSource: https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657"
	],
	"report_names": [
		"event-4657"
	],
	"threat_actors": [],
	"ts_created_at": 1775434399,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e20a9a18f156c0c2b0d3852a9563b7e2114c0bf.pdf",
		"text": "https://archive.orkl.eu/9e20a9a18f156c0c2b0d3852a9563b7e2114c0bf.txt",
		"img": "https://archive.orkl.eu/9e20a9a18f156c0c2b0d3852a9563b7e2114c0bf.jpg"
	}
}