Event ID 4660

An object was deleted 

An object was deleted.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Object:
    Object Server:      %5
    Handle ID:          %6

Process Information:
    Process ID:         %7
    Process Name:       %8
    Transaction ID:     %9


This event is logged when an object is deleted, however it does not contain the object name, only the handle id. As such, this event would need to be correlated with another event that provides both the handle id and the object name, e.g. event ID 4663, in order to be useful.

Key difference with event ID 4663: This event is only logged when an object is deleted, whereas event id 4663 may also indicate a DELETE activity when an object is renamed for example.

Auditing:     Rarely

It's not recommended to audit the "Kernel Object" subcategory.


Volume:

Volume depends on audit settings and delete activity.


Microsoft Documentation

Event ID - 4660



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any THEDOMAIN\TheUser
Account Name SubjectUserName %2 Any TheUser
Account Domain SubjectDomainName %3 Any THEDOMAIN
Logon ID SubjectLogonId %4 Any 0x4367c
Object Server ObjectServer %5 Any Security
Handle ID HandleId %6 Any 0x1679
Process ID ProcessId %7 Any 0xef4
Process Name ProcessName %8 Any C:\Windows\explorer.exe
Transaction ID TransactionId %9 Any {00000000-0000-0000-0000-000000000000}

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /category:"Object Access"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows Vista Windows 2008 Windows 7 Windows 2008 R2 Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019 Windows 2022

Tags:
Audit Success
Audit Category:
Object Access

Audit Subcategory:
File System Kernel Object Registry
Legacy Events:
564

Correlated Events:
4624 4656 4663 4688

LEFT/RIGHT arrow keys for navigation

Back to List