Event ID: 4659A handle to an object was requested with intent to delete
A handle to an object was requested with intent to delete. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Object: Object Server: %5 Object Type: %6 Object Name: %7 Handle ID: %8 Process Information: Process ID: %13 Access Request Information: Transaction ID: %9 Accesses: %10 Access Mask: %11 Privileges Used for Access Check: %12
This event is often logged instead of a 4663 event when a file is deleted.
This event also appears to be logged when a file that is currently locked by a process (or Windows) is attempted to be deleted.
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"File System"
LEFT/RIGHT arrow keys for navigationBack to List