Windows Security Log Event ID 4660
Operating Systems Windows Vista
Windows Server 2008
Category
 • Subcategory
Object Access
 • File System
 • Registry
 • SAM
 • Other Object Access Events
Type Success
Corresponding events
in Windows 2003
and before
564  
Discussions on Event ID 4660
Blank Object Name in 4660
Uniquely Identifying the 4656 that was immediately preceded 4660

4660: An object was deleted

On this page

This event is logged by multiple subcategories as indicated above.

This event is logged when an object is deleted where that object's audit policy has auditing enabled for deletions for the user who just deleted it or a group to which the user belongs.

To find out the object's name and type you will need to correlate back to to the event 4656 that has the same Handle ID.

In addition to this event you will also get event 4663 when you delete the object; Accesses: will include DELETE. 4663 identifies the object's name without requiring correlation to 4656.

Subject:

The user and logon session that deleted the object.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session. 

Object:

This is the object just deleted.

  • Object Server: always "Security"
  • Handle ID: is a semi-unique (unique between reboots) number that identifies all subsequent audited events while the object is open.  Handle ID allows you to correlate to other events logged (Open 4656, Access 4663, Close 4658)

Process Information:

  • Process ID: This is specified when the executable started as logged in 4688.
  • Process Name: Identifies the program executable that accessed the object.
  • Transaction ID: Unknown.  Start a discussion below if you have information on this field!

Top 10 Windows Security Events to Monitor

An object was deleted.
Subject:
   Security ID:  WIN-R9H529RIO4Y\Administrator
   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x1fd23

Object:
   Object Server: Security
   Handle ID: 0x40

Process Information:
   Process ID: 0xc34
   Process Name: C:\Windows\System32\cmd.exe
   Transaction ID: {00000000-0000-0000-0000-000000000000}

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this



Training for the Windows Security Log