Event ID: 4660An object was deleted
An object was deleted. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Object: Object Server: %5 Handle ID: %6 Process Information: Process ID: %7 Process Name: %8 Transaction ID: %9
This event is logged when an object is deleted, however it does not contain the object name, only the handle id. As such, this event would need to be correlated with another event that provides both the handle id and the object name, e.g. event ID 4663, in order to be useful.
Key difference with event ID 4663: This event is only logged when an object is deleted, whereas event id 4663 may also indicate a DELETE activity when an object is renamed for example.
It's not recommended to audit the "Kernel Object" subcategory.
Volume depends on audit settings and delete activity.
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /category:"Object Access"
LEFT/RIGHT arrow keys for navigationBack to List