Windows Security Log Event ID 564

Operating Systems Windows Server 2000
Windows 2003 and XP
CategoryObject Access
Type Success
Corresponding events
in Windows 2008
and Vista		 4660  

564: Object Deleted

On this page

When an object for which successful delete access has been enabled for auditing, Event 564 is logged upon actual deletion. To determine the name of the object deleted look for a prior event 560 with the same handle ID. Normally event 560 and event 564 will be in close proximity but it is theoretically possible for a process to open an object (560) for delete access and then actually delete it much later. See event 560 for further information.

Free Security Log Resources by Randy

Description Fields in 564

  • Object Server:
  • Handle ID:
  • Process ID:

The following field also apears in Windows Server 2003:

  • Image File Name: (the path and file name of the program that deleted the object)

Supercharger Free Edition


Centrally manage WEC subscriptions.

Free.

 

Examples of 564

Object Deleted:
Object Server:Security
Handle ID:1468
Process ID:1688
Windows Server 2003 adds this field:
Image File Name:C:\WINDOWS\system32\notepad.exe

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



Mini-Seminars Covering Event ID 564
Stay up-to-date on the Latest in Cybersecurity
Sign up for the Ultimate IT Security newsletter to hear about the latest webinars, patches, CVEs, attacks, and more.
Work Email:

 

Upcoming Webinars
    Additional Resources

      Go To Event ID:

      Security Log
      Quick Reference
      Chart
      Download now!