Object Open for Delete: Object Server: %1 Object Type: %2 Object Name: %3 New Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Primary User Name: %8 Primary Domain: %9 Primary Logon ID: %10 Client User Name: %11 Client Domain: %12 Client Logon ID: %13 Accesses %14 Privileges %15

Details
Product: Windows Operating System
Event ID: 563
Source: Security
Version: 5.0
Component: Security Event Log
Symbolic Name: SE_AUDITID_OPEN_OBJECT_FOR_DELETE
Message: Object Open for Delete: Object Server: %1 Object Type: %2 Object Name: %3 New Handle ID: %4 Operation ID: {%5,%6} Process ID: %7 Primary User Name: %8 Primary Domain: %9 Primary Logon ID: %10 Client User Name: %11 Client Domain: %12 Client Logon ID: %13 Accesses %14 Privileges %15
   
Explanation

This event record indicates that an object has been opened with the intent to delete the object. The only way to determine what happened to the object is to look at the “Object Name” in the audit log.

This message does not mean that the object was deleted. The log will show what action occurred.

Note: There are security implications to this action if the object name represents a file containing sensitive data.

   
User Action

If the specified object name represents a file containing sensitive data, make sure the specified user was supposed to have access to the file.

Related:

Leave a Reply