I get this event instead of 4660 or 4663 when...
Posted 1/24/2019 11:55:53 AM
Forum Newbie

The site says you haven't been able to reproduce this event - I can't seem to NOT reproduce it. Maybe this behavior changed in Windows 10?

Client is Windows 10, accessing a Server 2012R2 file server. Opening the folder by UNC path in Explorer, and deleting a file.

When deleting a folder, or renaming or moving files, I see event 4663 with Access: Delete as expected.

But when deleting a file I do NOT get 4663 with access delete. Two of event 4663 are logged with access READ_CONTROL and ReadData (or ListDirectory), and event ID 4659 is logged as well.

Same thing happens mapping the network drive and deleting through the command line.

Here's an example of the event I see on the file server:


A handle to an object was requested with intent to delete.

Subject:
Security ID: MYDOMAIN\me
Account Name: me
Account Domain: MYDOMAIN
Logon ID: 0x52D71C0

Object:
Object Server: Security
Object Type: File
Object Name: E:\Users\asdlfjhawasedfa2341zdf\test123.docx
Handle ID: 0x0

Process Information:
Process ID: 0x4

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: DELETE
ReadAttributes

Access Mask: 0x10080
Privileges Used for Access Check: -

Post #8538
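
The following is an added example, not part of the original post: it decodes the access mask from the 4659 event quoted above and treats either a 4659 or a 4663 carrying the DELETE bit as evidence of a file deletion, so deletes logged the way the post describes are not missed. The function names and the matching rule are assumptions made for illustration; the second sample event is constructed.

```python
import re

# Access-right bit values from the Windows SDK (winnt.h).
ACCESS_BITS = {
    0x00001: "ReadData/ListDirectory",
    0x00080: "ReadAttributes",
    0x10000: "DELETE",
    0x20000: "READ_CONTROL",
}
DELETE = 0x10000

def decode_mask(mask):
    """Names of the known bits set in mask; leftover bits are kept as hex."""
    names = [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]
    unknown = mask & ~sum(ACCESS_BITS)
    return names + ([hex(unknown)] if unknown else [])

def parse_event(event_id, text):
    """Extract the fields needed for delete auditing from rendered event text."""
    def field(label):
        m = re.search(rf"^\s*{re.escape(label)}:\s*(.+?)\s*$", text, re.M)
        return m.group(1) if m else None
    mask = int(field("Access Mask"), 16)
    return {"id": event_id, "user": field("Security ID"),
            "path": field("Object Name"), "mask": mask,
            "rights": decode_mask(mask)}

def is_delete_evidence(ev):
    """True for a 4659 or 4663 whose access mask carries the DELETE bit."""
    return ev["id"] in (4659, 4663) and bool(ev["mask"] & DELETE)

# Fields copied from the 4659 event in the post above.
EVENT_4659 = r"""
Security ID: MYDOMAIN\me
Object Name: E:\Users\asdlfjhawasedfa2341zdf\test123.docx
Access Mask: 0x10080
"""
# Constructed 4663 with only READ_CONTROL, like the ones the post describes.
EVENT_4663_READ = r"""
Security ID: MYDOMAIN\me
Object Name: E:\Users\asdlfjhawasedfa2341zdf\test123.docx
Access Mask: 0x20000
"""

if __name__ == "__main__":
    for eid, text in ((4659, EVENT_4659), (4663, EVENT_4663_READ)):
        ev = parse_event(eid, text)
        print(eid, ev["path"], ev["rights"], is_delete_evidence(ev))
```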