Event ID: 4659

A handle to an object was requested with intent to delete

A handle to an object was requested with intent to delete.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Object:
    Object Server:      %5
    Object Type:        %6
    Object Name:        %7
    Handle ID:          %8

Process Information:
    Process ID:         %13

Access Request Information:
    Transaction ID:     %9
    Accesses:           %10
    Access Mask:        %11
    Privileges Used for Access Check:   %12


This event is often logged instead of a 4663 event when a file is deleted.

This event also appears to be logged when an attempt is made to delete a file that is currently locked by a process (or by Windows).



Name                              Field              Insertion String  OS   Example
Security ID                       SubjectUserSid     %1                Any  THEDOMAIN\TheUser
Account Name                      SubjectUserName    %2                Any  TheUser
Account Domain                    SubjectDomainName  %3                Any  THEDOMAIN
Logon ID                          SubjectLogonId     %4                Any  0x5f2ac745
Object Server                     ObjectServer       %5                Any  Security
Object Type                       ObjectType         %6                Any  File
Object Name                       ObjectName         %7                Any  C:\Shares\Marketing\~secretplan.xlsx
Handle ID                         HandleId           %8                Any  0x0
Transaction ID                    TransactionId      %9                Any  {00000000-0000-0000-0000-000000000000}
Accesses                          AccessList         %10               Any  -
Access Mask                       AccessMask         %11               Any  0x0
Privileges Used for Access Check  PrivilegeList      %12               Any  -
Process ID                        ProcessId          %13               Any  0x4
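
Added example, not part of the original page: because 4659 is often logged instead of 4663 when a file is deleted, a deletion monitor that watches only 4663 will miss events, so this Python sketch collects both from exported event XML using the field names listed above. The helper names, the constructed sample events and the 0x10000 (DELETE) mask test applied to 4663 are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DELETE = 0x10000  # DELETE access right; assumed filter for 4663 AccessMask

def parse_event(xml_text):
    """Return the EventID plus the named EventData fields of one event."""
    root = ET.fromstring(xml_text)
    rec = {"EventID": int(root.findtext("e:System/e:EventID", namespaces=NS))}
    for data in root.iterfind("e:EventData/e:Data", NS):
        rec[data.get("Name")] = data.text or ""
    return rec

def deletion_attempts(xml_events):
    """Keep every 4659, and each 4663 whose AccessMask includes DELETE."""
    hits = []
    for xml_text in xml_events:
        rec = parse_event(xml_text)
        # 4659 typically carries AccessMask 0x0, so it is matched by ID alone.
        mask = int(rec.get("AccessMask") or "0x0", 16)
        if rec["EventID"] == 4659 or (rec["EventID"] == 4663 and mask & DELETE):
            hits.append({
                "event_id": rec["EventID"],
                "user": f'{rec.get("SubjectDomainName", "")}\\{rec.get("SubjectUserName", "")}',
                "logon_id": rec.get("SubjectLogonId", ""),
                "object": rec.get("ObjectName", ""),
                "pid": int(rec.get("ProcessId") or "0x0", 16),
            })
    return hits

def _sample(event_id, fields):
    """Build a minimal event XML document (constructed test input)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{data}</EventData></Event>')

# Constructed sample events; the 4659 values mirror the example column above.
BASE = {"SubjectUserName": "TheUser", "SubjectDomainName": "THEDOMAIN",
        "SubjectLogonId": "0x5f2ac745", "ProcessId": "0x4"}
SAMPLE_EVENTS = [
    _sample(4659, {**BASE, "ObjectName": r"C:\Shares\Marketing\~secretplan.xlsx", "AccessMask": "0x0"}),
    _sample(4663, {**BASE, "ObjectName": r"C:\Shares\Marketing\old.docx", "AccessMask": "0x10000"}),
    _sample(4663, {**BASE, "ObjectName": r"C:\Shares\Marketing\read.txt", "AccessMask": "0x1"}),
]

if __name__ == "__main__":
    for hit in deletion_attempts(SAMPLE_EVENTS):
        print(hit)
```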


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"File System"


