Windows Security Log Event ID 4659

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory		Object Access
 • File System
 • Registry
 • Other Object Access Events
Type Success
Corresponding events
in Windows 2003
and before		 563  

4659: A handle to an object was requested with intent to delete

On this page

This event should be logged whenever your install a patch that requires replacement of a file that is already opened by Windows and can't be closed until shut down.

According to Microsoft it is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile(). This flag is the only way to delete files that were opened exclusively by another program.

I haven't been able to produce this event. Have you? If so, please start a discussion (see above) and post a sample along with any comments you may have! Don't forget to sanitize any private information.

The event is listed as a special multi-use sub-category. The sub-category would depend on the type of object being audited.

Free Security Log Resources by Randy

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Examples of 4659

A handle to an object was requested with intent to delete.
Subject:
   Security ID:  %1
   Account Name:  %2
   Account Domain:  %3
   Logon ID:  %4
Object:
   Object Server: %5
   Object Type: %6
   Object Name: %7
   Handle ID: %8
Process Information:
   Process ID: %13
Access Request Information:
   Transaction ID: %9
   Accesses: %10
   Access Mask: %11
   Privileges Used for Access Check: %12

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



Mini-Seminars Covering Event ID 4659
Stay up-to-date on the Latest in Cybersecurity
Sign up for the Ultimate IT Security newsletter to hear about the latest webinars, patches, CVEs, attacks, and more.
Work Email:

 

Upcoming Webinars
Additional Resources

    Go To Event ID:

    Security Log
    Quick Reference
    Chart
    Download now!