Event ID 4660

An object was deleted

An object was deleted.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Object:
    Object Server:      %5
    Handle ID:          %6

Process Information:
    Process ID:         %7
    Process Name:       %8
    Transaction ID:     %9


This event is logged when an object is deleted. It does not contain the object name, only the Handle ID, so to be useful it must be correlated with another event that provides both the Handle ID and the object name, e.g. event ID 4663.

Key difference from event ID 4663: this event is logged only when an object is deleted, whereas event ID 4663 may also indicate DELETE activity when, for example, an object is renamed.
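
The correlation described above, as an added example (not from the original page or from Microsoft): it pairs each 4660 with the most recent 4663 that requested DELETE access on the same handle, and keeps a 4663 DELETE with no following 4660 (a rename, for example) out of the deletion list. The 4663 field names ObjectName and AccessMask, the DELETE bit 0x10000, and the choice to key on Logon ID, Process ID and Handle ID together are assumptions not stated on this page; all records are constructed.

```python
DELETE = 0x10000  # DELETE access bit in the 4663 AccessMask (assumed 4663 field)

def ev(event_id, time, pid, handle, name=None, mask=None, logon="0x4367c"):
    """Build one constructed record shaped like exported EventData fields."""
    rec = {"EventID": event_id, "TimeCreated": time, "SubjectLogonId": logon,
           "ProcessId": pid, "HandleId": handle}
    if event_id == 4663:
        rec.update(ObjectName=name, AccessMask=mask)
    return rec

# Constructed sample records, already sorted by time (not from a real log).
SAMPLE_EVENTS = [
    ev(4663, "10:00:01", "0xef4", "0x1679", r"C:\Share\report.docx", "0x10000"),
    # Same handle value in another process: handle IDs are per process.
    ev(4663, "10:00:02", "0x1a8c", "0x1679", r"C:\Temp\cache.tmp", "0x10000"),
    ev(4660, "10:00:03", "0xef4", "0x1679"),
    # DELETE access with no 4660 afterwards, as a rename would produce.
    ev(4663, "10:00:04", "0xef4", "0x1a20", r"C:\Share\old-name.txt", "0x10000"),
    # 4660 whose 4663 was never logged: the name cannot be recovered.
    ev(4660, "10:00:05", "0xef4", "0x2f0"),
]

def handle_key(rec):
    """Normalise the hex strings so 0x0EF4 and 0xef4 compare equal."""
    return tuple(int(rec[f], 16) for f in ("SubjectLogonId", "ProcessId", "HandleId"))

def correlate_deletions(events):
    """Return (deletions, delete_access_only) for time-ordered events."""
    pending = {}      # handle_key -> latest 4663 that requested DELETE
    deletions = []
    for rec in events:
        key = handle_key(rec)
        if rec["EventID"] == 4663 and int(rec["AccessMask"], 16) & DELETE:
            pending[key] = rec
        elif rec["EventID"] == 4660:
            access = pending.pop(key, None)
            deletions.append({
                "TimeCreated": rec["TimeCreated"],
                "ProcessId": rec["ProcessId"],
                "HandleId": rec["HandleId"],
                "ObjectName": access["ObjectName"] if access else None,
            })
    # 4663 DELETE accesses never confirmed by a 4660 are not deletions.
    return deletions, [r["ObjectName"] for r in pending.values()]

if __name__ == "__main__":
    confirmed, unconfirmed = correlate_deletions(SAMPLE_EVENTS)
    for d in confirmed:
        print("deleted:", d["ObjectName"] or "<unresolved>", "handle", d["HandleId"])
    print("DELETE access without 4660:", unconfirmed)
```
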

Auditing:     Rarely

It's not recommended to audit the "Kernel Object" subcategory.


Volume:

Volume depends on audit settings and delete activity.


Microsoft Documentation

Event ID - 4660



Name             Field                Insertion String   OS    Example
Security ID      SubjectUserSid       %1                 Any   THEDOMAIN\TheUser
Account Name     SubjectUserName      %2                 Any   TheUser
Account Domain   SubjectDomainName    %3                 Any   THEDOMAIN
Logon ID         SubjectLogonId       %4                 Any   0x4367c
Object Server    ObjectServer         %5                 Any   Security
Handle ID        HandleId             %6                 Any   0x1679
Process ID       ProcessId            %7                 Any   0xef4
Process Name     ProcessName          %8                 Any   C:\Windows\explorer.exe
Transaction ID   TransactionId        %9                 Any   {00000000-0000-0000-0000-000000000000}


Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /category:"Object Access"


