Windows Security Log Event ID 4659
4659: A handle to an object was requested with intent to delete
On this page
This event should be logged whenever your install a patch that requires replacement of a file that is already opened by Windows and can't be closed until shut down.
According to Microsoft it is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile(). This flag is the only way to delete files that were opened exclusively by another program.
I haven't been able to produce this event. Have you? If so, please start a discussion (see above) and post a sample along with any comments you may have! Don't forget to sanitize any private information.
The event is listed as a special multi-use sub-category. The sub-category would depend on the type of object being audited.
Free Security Log Resources by Randy
Supercharger Free Edition
Centrally manage WEC subscriptions.
Free.
A handle to an object was requested with intent to delete.
Subject:
Security ID: %1
Account Name: %2
Account Domain: %3
Logon ID: %4
Object:
Object Server: %5
Object Type: %6
Object Name: %7
Handle ID: %8
Process Information:
Process ID: %13
Access Request Information:
Transaction ID: %9
Accesses: %10
Access Mask: %11
Privileges Used for Access Check: %12
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection