The user and logon session that deleted the object.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
This is the object just deleted.
- Object Server: always "Security"
- Handle ID: is a semi-unique (unique between reboots) number that identifies all subsequent audited events while the object is open. Handle ID allows you to correlate to other events logged (Open 4656, Access 4663, Close 4658)
Process ID is the process ID specified when the executable started as logged in 4688. The Process Name identifies the program executable that accessed the object.
- Transaction ID: unknown. Start a discussion below if you have information on this field!
Keep me up-to-date on the Windows Security Log.
*We will NOT share this