Event Details
EventID 4866 - Shadow copy deleted.
 Sample:
Event Type:     SuccessAudit
Event Source:   Quest File Access Audit Source
Event Category: Local Access
Event ID:       4866
Date:           10/28/2009
Time:           10:49:51
User:           NT AUTHORITY\SYSTEM
Computer:       SERVER
Description:
Shadow copy deleted:
	Primary User Name: SYSTEM
	Primary User Domain: NT AUTHORITY
	Client User Name:
	Client User Domain:
	User Logon ID: (0x0,0x3E7)
	Process: C:\WINDOWS\system32\svchost.exe
	Volume Path: C:
	Shadow copy: 10/28/2009 10:48:40 AM
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Quest File Access Audit
| Filtering Field | Equals to Value |
| Category | ITFA:Local Access |
| Source | Quest File Access Audit Source |
| EventId | 4866 |
Field Matching
| Field | Description | Stored in | Sample Value |
| When | At what date and time a user activity originated in the system. | DateTime | 10.10.2000 19:00:00 |
| Who | Account or user name under which the activity occurred. | Primary User Name | ALebovsky |
| What | The type of activity that occurred (e.g. Logon, Password Changed, etc.) | "Shadow Copy Deleted" | Shadow Copy Deleted |
| Where | The name of the workstation/server where the activity was logged. | Computer | DC1 |
| Where From | The name of the workstation/server where the activity was initiated from. | Computer | DC1 |
| Severity | Specify the seriousness of the event. | "Medium" | Medium |
| WhoDomain | | - | |
| WhereDomain | | - | |
| Result | Successful or Failed | "Successful" | Successful |
| Object Name | | Volume Path | C: |
| Object Type | | "Volume" | Volume |
| Whom | | - | |
Access Type Category AttestationReview