Windows Security Log Event ID 564

Operating Systems: Windows Server 2000, Windows 2003 and XP
Category: Object Access
Type: Success
Corresponding events in Windows 2008 and Vista: 4660

564: Object Deleted


When an object for which auditing of successful delete access has been enabled is deleted, event 564 is logged upon actual deletion. To determine the name of the deleted object, look for a prior event 560 with the same handle ID. Normally event 560 and event 564 will be in close proximity, but it is theoretically possible for a process to open an object (560) for delete access and then actually delete it much later. See event 560 for further information.


Description Fields in 564

  • Object Server:
  • Handle ID:
  • Process ID:

The following field also appears in Windows Server 2003:

  • Image File Name: (the path and file name of the program that deleted the object)


Examples of 564

Object Deleted:
Object Server:Security
Handle ID:1468
Process ID:1688
Windows Server 2003 adds this field:
Image File Name:C:\WINDOWS\system32\notepad.exe
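
The 560-to-564 correlation described above, as an added example that is not part of the original page. It assumes events have already been exported into simple dictionaries; the record layout, the `object_name` key, the record numbers and the sample paths are constructed for illustration. Because handle IDs are per-process and get reused, it keys on process ID plus handle ID and takes the most recent prior 560.

```python
# Constructed sample records (simplified dicts, not raw event log output).
# "object_name" stands for the object name carried by event 560 (assumed key).
SAMPLE_EVENTS = [
    {"record": 101, "event_id": 560, "handle_id": 1468, "process_id": 1688,
     "object_name": r"C:\Data\old-report.txt"},
    {"record": 102, "event_id": 564, "handle_id": 1468, "process_id": 1688},
    # Handle 1468 is reused later by the same process for a different file.
    {"record": 140, "event_id": 560, "handle_id": 1468, "process_id": 1688,
     "object_name": r"C:\Data\budget.xls"},
    # Same handle value in another process: must not be confused with 1688's.
    {"record": 141, "event_id": 560, "handle_id": 1468, "process_id": 2044,
     "object_name": r"C:\Temp\scratch.tmp"},
    # Deletion logged long after the open (the "much later" case).
    {"record": 190, "event_id": 564, "handle_id": 1468, "process_id": 1688},
    # 564 whose 560 is no longer in the collected log.
    {"record": 200, "event_id": 564, "handle_id": 900, "process_id": 512},
]


def correlate_deletions(events):
    """Return [(record number of the 564, object name or None)] in log order."""
    open_handles = {}  # (process_id, handle_id) -> name from the latest 560
    results = []
    for ev in sorted(events, key=lambda e: e["record"]):
        key = (ev["process_id"], ev["handle_id"])
        if ev["event_id"] == 560:
            # A newer 560 on the same key replaces the older one (handle reuse).
            open_handles[key] = ev["object_name"]
        elif ev["event_id"] == 564:
            # Consume the mapping so a stale name is never attached to a
            # later, unrelated 564; None marks a deletion with no 560 found.
            results.append((ev["record"], open_handles.pop(key, None)))
    return results


if __name__ == "__main__":
    for record, name in correlate_deletions(SAMPLE_EVENTS):
        print(record, name if name else "<no matching 560 in log>")
```

A `None` result is worth alerting on in its own right: it means the 560 was not collected or has already rolled out of the log.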
