Windows Security Log Event ID 564

564: Object Deleted

On this page

• Description of this event
• Field level details
• Examples

When an object for which successful delete access has been enabled for auditing, Event 564 is logged upon actual deletion. To determine the name of the object deleted look for a prior event 560 with the same handle ID. Normally event 560 and event 564 will be in close proximity but it is theoretically possible for a process to open an object (560) for delete access and then actually delete it much later. See event 560 for further information.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 564

• Object Server:
• Handle ID:
• Process ID:

The following field also apears in Windows Server 2003:

• Image File Name: (the path and file name of the program that deleted the object)

Supercharger Enterprise

 

Mini-Seminars Covering Event ID 564 Security Log Exposed: 8 Ways to Spot Misuse, Malware and Malefactors with Windows File System Auditing

 

Upcoming Webinars Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy