Event ID - 594

Event Id594
SourceSecurity
DescriptionA handle to an object has been duplicated:
      Source Handle ID: < Source Handle ID>
      Source Process ID: < Source Process ID>
      Target Handle ID: < Target Handle ID>
      Target Process ID: < Target Process ID>     

Event InformationAccording to Microsoft:
Cause :
This event record indicates that a handle has been duplicated for the same or less access than previously granted. This audit event is only generated if the handle being duplicated caused an audit event record to be displayed when created. If the duplication is for more access than the source handle has been granted, the duplication is treated as an object open and an Object Open audit record is generated instead of a Duplicate Handle audit record. If the source handle is closed, a separate Handle Closed audit record is generated. Windows 2000 does not support duplication of protected server objects.
Note:
Handle Duplication audit records always refer to kernel objects.
Reference LinksEvent ID 594 from Source Security

Alternate Event ID in Vista and Windows Server 2008 is 4690.

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.
 Refresh