Navigation section

id 4660

About this tag
ID 4660 is a Windows security event that logs when an object is deleted. However, the event does not include the file or folder name, only the handle ID. To identify the deleted object, you must correlate ID 4660 with ID 4663, which logs attempts to access an object and includes the object name. The common field between these events is the handle ID. By matching the handle ID from ID 4660 with the same handle ID in ID 4663, you can determine which file or folder was deleted. This correlation also allows you to identify the user who performed the deletion, as ID 4660 includes the user account information.
  1. H

    Windows 10 What fields are common between IDs 4660 and 4663?

    Hello, I want to know which file or folder was deleted by whom. The problem is that there is no file or folder name in ID 4660 and I need to extract the file or folder name from ID 4663, but how do I link these together? How do I know which ID 4660 is related to which ID 4663? What field is...
    • hack3rcon
    • Thread
    • audit logs data recovery error resolution event correlation event id file deletion file management file monitoring file system folder deletion folder tracking id 4660 id 4663 james jason permissions security audits user activity windows logs windows security
    • Replies: 3
    • Forum: Windows Help and Support
Back
Top