folder tracking

About this tag
Windows security event IDs 4660 and 4663 are used for folder tracking and file auditing. ID 4660 logs an object deletion but does not include the file or folder name, while ID 4663 logs access attempts with the object name. To link these events, you can use the Handle ID field, which is common between them. By correlating Handle IDs, you can determine which file or folder was deleted and by which user. This technique is essential for forensic analysis and audit trails in Windows environments.
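The Handle ID correlation described above, as an added example that is not code from this page. It assumes the events were already exported and parsed into dicts keyed by the EventData field names; the sample records are constructed, and pairing on Process ID plus a 5-second window (because handle values are per-process and get reused) is an assumption of this example.

```python
from datetime import datetime, timedelta

DELETE = 0x10000  # DELETE bit in the 4663 AccessMask field

# Constructed sample records (not real log data); keys follow EventData field names.
EVENTS = [
    {"EventID": 4663, "Time": "2024-05-01T10:00:00", "SubjectUserName": "alice",
     "ProcessId": "0x1a4", "HandleId": "0x5c8", "AccessMask": "0x10000",
     "ObjectName": r"C:\Share\report.docx"},
    {"EventID": 4660, "Time": "2024-05-01T10:00:00", "SubjectUserName": "alice",
     "ProcessId": "0x1a4", "HandleId": "0x5c8"},
    # Read-only access by another process: never a deletion candidate.
    {"EventID": 4663, "Time": "2024-05-01T10:05:00", "SubjectUserName": "bob",
     "ProcessId": "0x2b0", "HandleId": "0x5c8", "AccessMask": "0x1",
     "ObjectName": r"C:\Share\notes.txt"},
    # Same handle value reused an hour later for a different object.
    {"EventID": 4663, "Time": "2024-05-01T11:00:00", "SubjectUserName": "alice",
     "ProcessId": "0x1a4", "HandleId": "0x5c8", "AccessMask": "0x10000",
     "ObjectName": r"C:\Share\Old"},
    {"EventID": 4660, "Time": "2024-05-01T11:00:01", "SubjectUserName": "alice",
     "ProcessId": "0x1a4", "HandleId": "0x5c8"},
    # 4660 whose 4663 is missing from the export: reported with no object name.
    {"EventID": 4660, "Time": "2024-05-01T12:00:00", "SubjectUserName": "carol",
     "ProcessId": "0x3f0", "HandleId": "0x700"},
]

def correlate_deletions(events, window=timedelta(seconds=5)):
    """Pair each 4660 with the latest preceding DELETE-access 4663 on the same handle."""
    pending = {}  # (ProcessId, HandleId) -> (time, most recent 4663 requesting DELETE)
    results = []
    for ev in sorted(events, key=lambda e: e["Time"]):  # stable: keeps log order on ties
        key = (ev["ProcessId"], ev["HandleId"])
        when = datetime.fromisoformat(ev["Time"])
        if ev["EventID"] == 4663 and int(ev["AccessMask"], 16) & DELETE:
            pending[key] = (when, ev)
        elif ev["EventID"] == 4660:
            hit = pending.pop(key, None)
            # Reject a stale 4663 outside the window instead of naming the wrong object.
            matched = hit is not None and when - hit[0] <= window
            results.append((ev["SubjectUserName"],
                            hit[1]["ObjectName"] if matched else None, ev["Time"]))
    return results

if __name__ == "__main__":
    for user, obj, time in correlate_deletions(EVENTS):
        print(time, user, obj or "<no matching 4663>")
```
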
  1. Windows 10: What fields are common between IDs 4660 and 4663?

    Hello, I want to know which file or folder was deleted by whom. The problem is that there is no file or folder name in ID 4660 and I need to extract the file or folder name from ID 4663, but how do I link these together? How do I know which ID 4660 is related to which ID 4663? What field is...