Windows Security Log Event ID 4660

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory
Object Access
 • File System
 • Registry
 • Kernel Object
 • SAM
 • Other Object Access Events
Type Success
Corresponding events
in Windows 2003
and before
564  

4660: An object was deleted

On this page

This event is logged by multiple subcategories as indicated above.

This event is logged when an object is deleted where that object's audit policy has auditing enabled for deletions for the user who just deleted it or a group to which the user belongs.

To find out the object's name and type you will need to correlate back to to the event 4656 that has the same Handle ID.

In addition to this event you will also get event 4663 when you delete the object; Accesses: will include DELETE. 4663 identifies the object's name without requiring correlation to 4656.

Free Security Log Resources by Randy

Description Fields in 4660

Subject:

The user and logon session that deleted the object.

  • Security ID:  The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session. 

Object:

This is the object just deleted.

  • Object Server: always "Security"
  • Handle ID: is a semi-unique (unique between reboots) number that identifies all subsequent audited events while the object is open.  Handle ID allows you to correlate to other events logged (Open 4656, Access 4663, Close 4658)

Process Information:

  • Process ID: This is specified when the executable started as logged in 4688.
  • Process Name: Identifies the program executable that accessed the object.
  • Transaction ID: Unknown.  Start a discussion below if you have information on this field!

Supercharger Enterprise


Load Balancing for Windows Event Collection

 

Examples of 4660

An object was deleted.
Subject:
   Security ID:  WIN-R9H529RIO4Y\Administrator
   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x1fd23

Object:
   Object Server: Security
   Handle ID: 0x40

Process Information:
   Process ID: 0xc34
   Process Name: C:\Windows\System32\cmd.exe
   Transaction ID: {00000000-0000-0000-0000-000000000000}

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Upcoming Webinars
    Additional Resources