Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2008 or higher->Security Log->Object Access->File System->EventID 4659 - A handle to an object was requested with intent to delete.
EventID 4659 - A handle to an object was requested with intent to delete.

Find more information about this event on ultimatewindowssecurity.com.
 Sample: 
A handle to an object was requested with intent to delete.

Subject:
	Security ID:		NT AUTHORITY\SYSTEM
	Account Name:		IIZHU4$
	Account Domain:		ITSS
	Logon ID:		0x3e7

Object:
	Object Server:	Security
	Object Type:	File
	Object Name:	C:\Windows\WinSxS\amd64_microsoft-windows-i..rendering.resources_31bf3856ad364e35_11.0.9600.18538_en-us_1092d4f5e676d3e3\mshtml.dll.mui
	Handle ID:	0x0

Process Information:
	Process ID:	0x14b8

Access Request Information:
	Transaction ID:	{758F05C4-4588-11E7-80E3-000C291350FB}
	Accesses:	DELETE

				
	Access Mask:	0x10000
	Privileges Used for Access Check:	-
===========================
Description template stored in adtschema.dll:
===========================
A handle to an object was requested with intent to delete.

Subject:
	Security ID:		%1
	Account Name:		%2
	Account Domain:		%3
	Logon ID:		%4

Object:
	Object Server:	%5
	Object Type:	%6
	Object Name:	%7
	Handle ID:	%8

Process Information:
	Process ID:	%13

Access Request Information:
	Transaction ID:	%9
	Accesses:	%10
	Access Mask:	%11
	Privileges Used for Access Check:	%12
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Object Access
Source Microsoft-Windows-Security-Auditing
TaskCategory File System
EventId 4659
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Task Category A name for a subclass of events within the same Event Source. TaskCategory
Level Warning, Information, Error, etc. Level
Keywords Audit Success, Audit Failure, Classic, Connection etc. Keywords
Category A name for an aggergative event class, corresponding to the similar ones present in Windows 2003 version. Category Account Logon
Object Name InsertionString7
Whom InsertionString7
Object Type InsertionString6
Class Name InsertionString6
Security ID InsertionString1
Account Name InsertionString2
Account Domain InsertionString3
Subject: Account Name Name of the account that initiated the action. InsertionString2 IIZHU4$
Subject: Account Domain Name of the domain that account initiating the action belongs to. InsertionString3 ITSS
Subject: Logon ID A number uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session. InsertionString4 0x3e7
Subject: Security ID InsertionString1 NT AUTHORITY\SYSTEM
Object: Object Server InsertionString5 Security
Object: Object Type InsertionString6 File
Object: Object Name InsertionString7 C:\Windows\WinSxS\amd64_microsoft-windows-i..rendering.resources_31bf3856ad364e35_11.0.9600.18538_en-us_1092d4f5e676d3e3\mshtml.dll.mui
Object: Handle ID InsertionString8 0x0
Process Information: Process ID InsertionString13 0x14b8
Access Request Information: Transaction ID InsertionString9 {758F05C4-4588-11E7-80E3-000C291350FB}
Access Request Information: Accesses InsertionString10 DELETE
Access Request Information: Access Mask InsertionString11 0x10000
Access Request Information: Privileges Used for Access Check InsertionString12 -
Comments
You must be logged in to comment