Home
Resources
Training
About Us
eStore

>

resources > security log resource center > encyclopedia > event 564

 

 

 

 

 

 

 

Latest Blog: Log monitoring and the Terry Childs/City of San Francisco debacle

  

Windows Security Log Events by ID

look up more events by Event ID or Category

Event ID

564

Title

Object Deleted
Type: Example: Randy's Comments:
Success

OS:

All versions

Category:

Object Access

Object Deleted:
Object Server:Security
Handle ID:1468
Process ID:1688

Windows Server 2003 adds this field:

Image File Name:C:\WINDOWS\system32\notepad.exe

When an object for which successful delete access has been enabled for auditing, Event 564 is logged upon actual deletion. To determine the name of the object deleted look for a prior event 560 with the same handle ID. Normally event 560 and event 564 will be in close proximity but it is theoretically possible for a process to open an object (560) for delete access and then actually delete it much later. See event 560 for further information.

Next:

Get all the tools you need in one newsletter!
Free log parser scripts, clear explanations of Microsoft's latest security bulletins, and more. View a sample issue.
Email Address:
Your email address will not be shared. You may unsubscribe at any time.


Upcoming Webinars by Randy Franklin Smith

IT Audit: Understanding Active Directory Structure and How It Makes Auditing AD Different

Security Log Secrets: Auditing Unauthorized, Unrecognized Software

Filling the Gap in Windows Configuration Baselining


Additional Links

A
D
V

NEW! GFI EventsManager 8 Extends Event Management Capabilities. Find Out More.

Get Randy's Security Log Resource Kit


Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2007 Monterey Technology Group, All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk.

Site Map