Windows Security Log Event ID 4660
4660: An object was deleted
On this page
This event is logged by multiple subcategories as indicated above.
This event is logged when an object is deleted where that object's audit policy has auditing enabled for deletions for the user who just deleted it or a group to which the user belongs.
To find out the object's name and type you will need to correlate back to to the event 4656 that has the same Handle ID.
In addition to this event you will also get event 4663 when you delete the object; Accesses: will include DELETE. 4663 identifies the object's name without requiring correlation to 4656.
Free Security Log Resources by Randy
Subject:
The user and logon session that deleted the object.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Object:
This is the object just deleted.
- Object Server: always "Security"
- Handle ID: is a semi-unique (unique between reboots) number that identifies all subsequent audited events while the object is open. Handle ID allows you to correlate to other events logged (Open 4656, Access 4663, Close 4658)
Process Information:
- Process ID: This is specified when the executable started as logged in 4688.
- Process Name: Identifies the program executable that accessed the object.
- Transaction ID: Unknown. Start a discussion below if you have information on this field!
Supercharger Enterprise
Load Balancing for Windows Event Collection
An object was deleted.
Subject:
Security ID: WIN-R9H529RIO4Y\Administrator
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x1fd23
Object:
Object Server: Security
Handle ID: 0x40
Process Information:
Process ID: 0xc34
Process Name: C:\Windows\System32\cmd.exe
Transaction ID: {00000000-0000-0000-0000-000000000000}
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection