Windows Security Log Event ID 563

Operating Systems: Windows Server 2000, Windows 2003 and XP
Category: Object Access
Type: Success
Corresponding events in Windows 2008 and Vista: 4659

563: Object Open for Delete

Event 563 is not logged on normal file deletes. Microsoft documentation says: "An attempt was made to open an object with the intent to delete it. Note: This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in CreateFile()." For files opened exclusively by another program, this flag is the only way to delete them.

Description Fields in 563

  • Object Server:
  • Object Type:
  • Object Name: 
  • New Handle ID:
  • Operation ID: 
  • Process ID: 
  • Primary User Name:
  • Primary Domain:
  • Primary Logon ID:
  • Client User Name:
  • Client Domain:
  • Client Logon ID:
  • Accesses
  • Privileges


Examples of 563

Object Open for Delete
Object Server: %1
Object Type: %2
Object Name: %3
New Handle ID: %4
Operation ID:{%5,%6}
Process ID: %7
Primary User Name: %8
Primary Domain: %9
Primary Logon ID: %10
Client User Name: %11
Client Domain: %12
Client Logon ID: %13
Accesses %14
Privileges %15
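
For triage, the description text above can be split back into its named fields. The parser below is an added example, not code from this page or from Microsoft. It assumes that additional Accesses or Privileges values continue on following lines and that the Client fields hold "-" when no client account is recorded; the sample event is constructed.

```python
import re

# Field labels as the page lists them for event 563.
FIELDS = ["Object Server", "Object Type", "Object Name", "New Handle ID",
          "Operation ID", "Process ID", "Primary User Name", "Primary Domain",
          "Primary Logon ID", "Client User Name", "Client Domain",
          "Client Logon ID", "Accesses", "Privileges"]
# Label, then ":" or whitespace (the template has no colon after Accesses/Privileges).
_LABEL = re.compile(r"^\s*(" + "|".join(map(re.escape, FIELDS)) + r")(?:\s*:\s*|\s+|$)(.*)$")

def parse_563(description):
    """Parse the description text of event 563 into a dict keyed by field label."""
    event, current = {}, None
    for line in description.splitlines():
        m = _LABEL.match(line)
        if m:
            current = m.group(1)
            event[current] = m.group(2).strip()
        elif current and line.strip():
            # Assumption: extra values (e.g. more accesses) continue on following lines.
            event[current] = (event[current] + " " + line.strip()).strip()
    # Operation ID is rendered as {n,m}; expose it as a tuple of ints.
    op = re.fullmatch(r"\{(\d+),(\d+)\}", event.get("Operation ID", ""))
    event["Operation ID"] = (int(op.group(1)), int(op.group(2))) if op else None
    return event

def acting_user(event):
    """Return DOMAIN\\user, preferring the client account when one is recorded."""
    if event.get("Client User Name", "-") not in ("", "-"):
        return event.get("Client Domain", "") + "\\" + event["Client User Name"]
    return event.get("Primary Domain", "") + "\\" + event.get("Primary User Name", "")

# Constructed sample, not a real log entry.
SAMPLE = r"""Object Open for Delete
Object Server: Security
Object Type: File
Object Name: C:\Temp\example.tmp
New Handle ID: 1234
Operation ID: {0,567890}
Process ID: 2044
Primary User Name: SRV01$
Primary Domain: EXAMPLE
Primary Logon ID: (0x0,0x3E7)
Client User Name: jdoe
Client Domain: EXAMPLE
Client Logon ID: (0x0,0x1A2B3)
Accesses DELETE
    ReadAttributes
Privileges -"""
```

`parse_563(SAMPLE)` returns a dict whose "Object Name", "Process ID" and `acting_user()` result identify which file was opened for delete, by which process and under which account.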
