Event ID 4660 – An Object Was Deleted
| Field | Value |
|---|---|
| Category | Object Access: File System; Kernel Object; Registry |
| Description | An object has been deleted. |
Event ID 4660 is logged when an object is deleted. The audit policy of the object must have auditing enabled for deletions by that particular user or group. Event 4660 can be correlated to event 4656, as they share the same handle ID. The deletion of an object triggers both this event and event 4663.
This log data provides the following information:
- Security ID
- Account Name
- Account Domain
- Logon ID
- Object Server
- Handle ID
- Process ID
- Transaction ID
Why does event ID 4660 need to be monitored?
- To track the deletion of files and other Windows objects. This event should be monitored in tandem with 4663, as 4660 does not provide the Object Name
- To prevent privilege abuse
- To detect abnormal and potentially malicious activity
- To ensure compliance with regulatory mandates
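The pairing of 4660 with 4663 described above, as an added example that is not part of the original page or of ADAudit Plus: each 4660 is matched to the preceding 4663 that used DELETE access on the same handle, which recovers the Object Name. The records are constructed samples; the field names, the `RecordId` ordering field and the helpers `ev` and `resolve_deletions` are assumptions of this example.

```python
DELETE = 0x10000  # DELETE bit in the 4663 AccessMask

# Constructed sample records, not real log data. Field names follow the
# event XML; RecordId (log order) is an assumed field of the export.
def ev(rec, eid, user, logon, pid, handle, name=None, mask=None):
    return {"RecordId": rec, "EventID": eid, "SubjectUserName": user,
            "SubjectLogonId": logon, "ProcessId": pid, "HandleId": handle,
            "ObjectName": name, "AccessMask": mask}

SAMPLE_EVENTS = [
    ev(101, 4663, "alice", "0x3e7a1", "0x1a4", "0x2c8", r"C:\Share\budget.xlsx", "0x10000"),
    ev(102, 4660, "alice", "0x3e7a1", "0x1a4", "0x2c8"),
    # The same handle value is reused later by the same process.
    ev(140, 4663, "alice", "0x3e7a1", "0x1a4", "0x2c8", r"C:\Share\notes.txt", "0x10000"),
    ev(141, 4660, "alice", "0x3e7a1", "0x1a4", "0x2c8"),
    # Read-only access (mask 0x1): must never be reported as a deletion.
    ev(150, 4663, "bob", "0x51f02", "0x9c0", "0x310", r"C:\Share\report.docx", "0x1"),
    # 4660 whose 4663 is missing, e.g. it fell outside the collected window.
    ev(160, 4660, "bob", "0x51f02", "0x9c0", "0x400"),
]

def resolve_deletions(events):
    """Pair each 4660 with the latest preceding 4663 DELETE access on the same handle."""
    pending = {}  # (ProcessId, HandleId, SubjectLogonId) -> 4663 record
    resolved = []
    for e in sorted(events, key=lambda r: r["RecordId"]):
        key = (e["ProcessId"], e["HandleId"], e["SubjectLogonId"])
        if e["EventID"] == 4663 and int(e["AccessMask"], 16) & DELETE:
            pending[key] = e
        elif e["EventID"] == 4660:
            # pop() consumes the match so a reused handle cannot pair twice
            match = pending.pop(key, None)
            resolved.append({"RecordId": e["RecordId"],
                             "User": e["SubjectUserName"],
                             "ObjectName": match["ObjectName"] if match else None})
    return resolved

if __name__ == "__main__":
    for row in resolve_deletions(SAMPLE_EVENTS):
        print(row["RecordId"], row["User"], row["ObjectName"] or "<unresolved>")
```

A 4660 that resolves to no Object Name is worth reviewing on its own, since it means the matching 4663 was not in the data that was collected.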
ADAudit Plus provides real-time pre-configured reports and auditing of the changes along with alerts within a Domain & OU. The advanced Group Policy settings real-time audit reports provide detailed information about object related events.
Event 4660 applies to the following operating systems:
- Windows 2008 R2 and 7
- Windows 2012 R2 and 8.1
- Windows 2016 and 10
Corresponding event in Windows 2003 and before: 564