Open Event Viewer and search the Security log for event ID 4656 with a task category of "File System" or "Removable Storage" and the string "Accesses: DELETE". Review the results. The Subject: Security ID field shows which account deleted each file.
Windows Security Log Event ID 4660
4660: An object was deleted
How do you make sure a file is completely deleted?
In File Explorer, click "Delete", or click the arrow below the "Delete" option and select "Permanently delete." When you click "Delete", the file is moved to the Recycle Bin; when you choose "Permanently delete", the file is deleted without the possibility of recovery.
Can I delete event log files?
1] Clear the event log using Event Viewer. Click the Start button, then type eventvwr.msc or Event Viewer. Next, double-click the folders in the left pane, right-click the log you want to clear, then select Clear Log. This clears all log entries for that section.
Subject: The user and logon session that deleted the object.
Security ID: The SID of the account.
Account Name: The account logon name.
Account Domain: The domain or, in the case of local accounts, the computer name.
Logon ID: A semi-unique number (unique between reboots) that identifies the logon session. The Logon ID lets you correlate this event with the logon event (4624) as well as with other events logged during the same logon session.
Object: This is the object that was deleted.
Object Server: "Security"
Handle ID: A semi-unique number (unique between reboots) that identifies all audited events while the object is open. The Handle ID lets you correlate this event with other logged events (open 4656, access 4663, close 4658).
Process ID: The process ID assigned when the executable was started, as logged in event 4688.
Process Name: Identifies the executable program that accessed the object.
Transaction ID: Unknown. If you have any information about this field, start a discussion!
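The Handle ID and Logon ID correlation described above, as an added example that is not part of the original page: it walks constructed events in log order, ties each 4660 to the 4656 that opened the same handle, and pulls the logon details from 4624. The dictionary keys, every sample value, and the choice to key handles on Process ID together with Handle ID are assumptions made for this example.

```python
# Constructed sample events in log order. Keys are simplified names for the
# fields described above; every value (accounts, paths, IDs, IP) is made up.
EVENTS = [
    {"id": 4624, "logon_id": "0x3e7a1", "logon_type": 3, "source_ip": "10.0.0.15"},
    {"id": 4656, "logon_id": "0x3e7a1", "pid": "0x4", "handle_id": "0x1f4",
     "object_name": r"C:\Share\budget.xlsx", "accesses": ["DELETE"]},
    # 4660 has no object name of its own, only the handle that was used.
    {"id": 4660, "logon_id": "0x3e7a1", "pid": "0x4", "handle_id": "0x1f4",
     "account": r"CORP\alice"},
    {"id": 4658, "pid": "0x4", "handle_id": "0x1f4"},
    # Same handle value seen again after the close, but its 4656 is missing
    # (for example, the log rolled over). It must not inherit budget.xlsx.
    {"id": 4660, "logon_id": "0x51b02", "pid": "0x4", "handle_id": "0x1f4",
     "account": r"CORP\bob"},
]


def correlate_deletions(events):
    """Attribute each 4660 to the object opened (4656) on the same handle."""
    logons = {}        # Logon ID -> 4624 event
    open_handles = {}  # (Process ID, Handle ID) -> 4656 event, until 4658
    deletions = []
    for ev in events:
        key = (ev.get("pid"), ev.get("handle_id"))
        if ev["id"] == 4624:
            logons[ev["logon_id"]] = ev
        elif ev["id"] == 4656:
            open_handles[key] = ev
        elif ev["id"] == 4658:
            # Handle closed: the ID is only semi-unique, so forget it now.
            open_handles.pop(key, None)
        elif ev["id"] == 4660:
            opened = open_handles.get(key, {})
            logon = logons.get(ev["logon_id"], {})
            deletions.append({
                "account": ev["account"],
                "object_name": opened.get("object_name"),  # None: no 4656 seen
                "source_ip": logon.get("source_ip"),       # None: no 4624 seen
                "logon_type": logon.get("logon_type"),
            })
    return deletions


if __name__ == "__main__":
    for deletion in correlate_deletions(EVENTS):
        print(deletion)
```

A deletion reported with no object name or logon details means the matching 4656 or 4624 is outside the collected window, so widen the search range before drawing conclusions.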