Windows Security Log Event ID 563

Operating Systems Windows Server 2000
Windows 2003 and XP
CategoryObject Access
Type Success
Corresponding events
in Windows 2008
and Vista
4659  

563: Object Open for Delete

On this page

Event 563 does not get logged on normal file deletes. MS documentation says "An attempt was made to open an object with the intent to delete it. Note: This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile().". For files opened exclusively by another program this flag is the only way to delete them.

Free Security Log Resources by Randy

Description Fields in 563

  • Object Server:
  • Object Type:
  • Object Name: 
  • New Handle ID:
  • Operation ID: 
  • Process ID: 
  • Primary User Name:
  • Primary Domain:
  • Primary Logon ID:
  • Client User Name:
  • Client Domain:
  • Client Logon ID:
  • Accesses
  • Privileges

Supercharger Free Edition

 

Examples of 563

Object Open for Delete
Object Server: %1
Object Type: %2
Object Name: %3
New Handle ID: %4
Operation ID:{%5,%6}
Process ID: %7
Primary User Name: %8
Primary Domain: %9
Primary Logon ID: %10
Client User Name: %11
Client Domain: %12
Client Logon ID: %13
Accesses %14
Privileges %15

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

 

Upcoming Webinars
    Additional Resources