Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Object Access->EventID 563 - Object Open for Delete [Win 2000 / XP]
EventID 563 - Object Open for Delete [Win 2000 / XP]
Indicates that an object has been successfully opened with the intent to delete the object. 

The only way to determine what happened to the object is to look at the “Object Name” in the audit log. This message does not mean that the object was deleted. The log will show what action occurred. 

Find more information about this event on ultimatewindowssecurity.com.

Corresponding events on other OS versions:

Windows 2003
Windows 2008
  • This event is not logged on Windows 2008.
        Event Type:	Success Audit
        Event Source:	Security
        Event Category:	Object Access
        Event ID:	563
        Date:		5/8/2009
        Time:		1:04:20 PM
        User:		RESEARCH\Alebovsky
        Computer:	DC1
        Object Open for Delete:
        Object Server:	Security
        Object Type:	File
        Object Name:	C:\Temp\DelOnClose\MyTest.txt
        Handle ID:	-
        Operation ID:	{0,42552210}
        Process ID:	2564
        Primary User Name:	Alebovsky
        Primary Domain:	RESEARCH
        Primary Logon ID:	(0x0,0x712ED0)
        Client User Name:	-
        Client Domain:	-
        Client Logon ID:	-
        Accesses:		-
        Privileges:		-     
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2000
Windows XP
Category Object Access
Source Security
EventId 563
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
Process ID ID of the process (program) making the access request InsertionString7 380
Object Server The name of the service handling the access request InsertionString1 Security
Object Type The type of object accessed (file, folder, registry key, printer, service) InsertionString2 File
Object Name Name of the object (e.g. for the file accessed - full system path) InsertionString3 C:\Temp\DelOnClose\MyTest.txt
Handle ID ID of the object handle granted to the process accessing it InsertionString4 -
Operation ID ID of the operation performed on the object "{%5,%6}" {%5,%6}
Primary User Name For local access identifies the user accessing the object, for remote access identifies the server program used to open the object InsertionString8 Alebovsky
Primary Domain Domain of the Primary User Name InsertionString9 RESEARCH
Primary Logon ID ID of the logon session of the Primary User Name account InsertionString10 (0x0,0x712ED0)
Client User Name For local access this field is empty, for remote access identifies the user accessing the object. InsertionString11 -
Client Domain Domain of the Client User Name InsertionString12 -
Client Logon ID ID of the logon session of the Client User Name account InsertionString13 -
Accesses Identifies the permissions requested by user/program to the object. InsertionString14 -
Privileges The list of privileges held by user during object access InsertionString15 -
You must be logged in to comment