$$ANON_USER$$ asked FanFan-MSFT commented

Problems with folder auditing

I have a setup consisting of a Server 2016 and a Windows 10 client. On the server there is a file share I have configured with auditing, and I am using the client to access the file share remotely.

The GPO I am using has Audit Object Access and Audit File System enabled, and for the auditing I configured Everyone with Delete and Delete subfolders and files.

When I delete a folder I get 4660 (An object was deleted), which is what I expected, but when I delete a file I get 4659 (A handle to an object was requested with intent to delete) but no 4660. Is this correct? Does deleting a file and deleting a folder generate different event IDs? Does 4659 represent a file deletion or just an attempt at file deletion?

If this is correct, is there a way for both events (file or folder deletion) to have the same event ID so I can make auditing easier?

windows-server-2016

1 Answer

FanFan-MSFT answered FanFan-MSFT commented

Hi,

To audit the deletion of files or folders, event 4663 should be the one we check, no matter whether it is a file or a folder deletion, since the event includes all the information you need, such as:

- who accessed the files or folders
- information on the object type: files or folders
- process name, for example explorer.exe
- Accesses: Delete

[Screenshot 7235.jpg: 4663(S): An attempt was made to access an object.]

Event 4660 should also be logged, but it carries no object type information.
Event 4659 should be logged whenever a user installs a patch that requires replacement of a file that is already opened by Windows and can't be closed until shutdown.

I also did a test in my lab to audit the deletion operation.

We enable the audit policy for Object Access:
[Screenshot 7233.jpg: audit policy for Object Access]
Enable the folder audit:
[Screenshot 7234.jpg: folder auditing entry]

When we delete a file or folder, event 4663 is logged.
[Screenshot 7236.jpg: event 4663 after the deletion]

Hello, thank you for your help. However, I am still unable to get the results. When I delete the file locally, on the machine where the shared folder is, I get 4660 with 4663, but when I delete the file remotely by accessing it as a share, it still only gives me 4659 and not 4663 with 4660. Any ideas?


Hi,
Did you try to access the file by \\servername\share?
I also tried to do this in my lab.
If I delete the file this way, as you mentioned, event 4659 will be logged.
And event 4663 will also be logged, but I just can't see the file name in this situation.

So it seems that when you delete the files and folders locally, event 4663 will be logged without 4659.
When you delete the files over the network, 4659 and 4663 will be logged.
When you delete the files over the network, 4663 will be logged.

Best Regards,


If you have any questions or concerns about it, please don't hesitate to let us know.
Best Regards,

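As an added example (not code from the thread or from Microsoft), the following Python script takes the three events discussed above and reduces them to one deletion record each, which is one way to get the "same event" view the question asks for without changing what Windows logs. It reads records in the Security-log XML layout (the shape wevtutil or Get-WinEvent's ToXml() produce) and assumes, as Microsoft's event documentation describes, that a 4660 is matched to the 4663 that opened the object by Handle ID; a 4659 is kept as a separate "delete_requested" record because, as the question notes, it records a handle request with intent to delete. The sample events, the host name FS01, the users and the paths are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DELETE_MASK = 0x10000  # the DELETE standard access right (shown as %%1537 in Accesses)


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one <Event> in Security-log XML layout into a dict holding
    EventID, TimeCreated and every <Data Name="..."> field of <EventData>."""
    root = ET.fromstring(xml_text)
    rec = {
        "EventID": root.findtext("e:System/e:EventID", namespaces=NS),
        "TimeCreated": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        rec[data.get("Name")] = data.text or ""
    return rec


def correlate_deletions(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Reduce 4663/4660/4659 to one record per delete, in log order.

    4663 with the DELETE bit set in AccessMask is held by HandleId.
    4660 (which carries no object name) is joined to that 4663 by HandleId -> "deleted".
    4659 names the object itself (the SMB path seen in the thread) -> "delete_requested",
    since 4659 records a handle request with intent to delete, not the removal.
    A DELETE 4663 that never sees a 4660 is reported last as "delete_access".
    """
    pending: Dict[str, Dict[str, str]] = {}
    out: List[Dict[str, str]] = []

    def who(ev: Dict[str, str]) -> str:
        return f'{ev.get("SubjectDomainName", "")}\\{ev.get("SubjectUserName", "")}'

    for ev in events:
        eid = ev["EventID"]
        if eid == "4663":
            if int(ev.get("AccessMask", "0"), 16) & DELETE_MASK:
                pending[ev["HandleId"]] = ev
        elif eid == "4660":
            opened = pending.pop(ev["HandleId"], None)
            out.append({"kind": "deleted", "object": opened.get("ObjectName", "") if opened else "",
                        "user": who(ev), "process": ev.get("ProcessName", ""),
                        "handle": ev["HandleId"], "evidence": "4663+4660" if opened else "4660"})
        elif eid == "4659":
            out.append({"kind": "delete_requested", "object": ev.get("ObjectName", ""),
                        "user": who(ev), "process": ev.get("ProcessId", ""),
                        "handle": ev.get("HandleId", ""), "evidence": "4659"})
    for handle, ev in pending.items():
        out.append({"kind": "delete_access", "object": ev.get("ObjectName", ""),
                    "user": who(ev), "process": ev.get("ProcessName", ""),
                    "handle": handle, "evidence": "4663"})
    return out


def _sample(event_id: str, time: str, **data: str) -> str:
    """Build a constructed event in Security-log XML layout (sample data, not a real capture)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{time}"/><Computer>FS01</Computer>'
            f'</System><EventData>{body}</EventData></Event>')


# Constructed sample log, in the order the server would write it.
SAMPLE_EVENTS = [
    # local delete in Explorer: 4663 with DELETE access (has the name), then 4660 on the same handle
    _sample("4663", "2021-08-02T09:15:01Z", SubjectUserName="alice", SubjectDomainName="CONTOSO",
            ObjectType="File", ObjectName=r"C:\Share\report.docx", HandleId="0x1bc",
            AccessList="%%1537", AccessMask="0x10000", ProcessName=r"C:\Windows\explorer.exe"),
    _sample("4660", "2021-08-02T09:15:01Z", SubjectUserName="alice", SubjectDomainName="CONTOSO",
            HandleId="0x1bc", ProcessName=r"C:\Windows\explorer.exe"),
    # a 4663 for FILE_READ_ATTRIBUTES (0x80): no DELETE bit, must be ignored
    _sample("4663", "2021-08-02T09:16:10Z", SubjectUserName="alice", SubjectDomainName="CONTOSO",
            ObjectType="File", ObjectName=r"C:\Share\report.docx", HandleId="0x1d0",
            AccessMask="0x80", ProcessName=r"C:\Windows\explorer.exe"),
    # delete over \\FS01\Share: 4659 names the file; the 4663 on this path lacks ObjectName
    _sample("4659", "2021-08-02T09:20:33Z", SubjectUserName="bob", SubjectDomainName="CONTOSO",
            ObjectType="File", ObjectName=r"C:\Share\notes.txt", HandleId="0x0",
            AccessList="%%1537", AccessMask="0x10000", ProcessId="0x4"),
    _sample("4663", "2021-08-02T09:20:33Z", SubjectUserName="bob", SubjectDomainName="CONTOSO",
            ObjectType="File", ObjectName="", HandleId="0x6a4", AccessList="%%1537",
            AccessMask="0x10000", ProcessName="System"),
]

if __name__ == "__main__":
    for record in correlate_deletions([parse_event(x) for x in SAMPLE_EVENTS]):
        print(record)
```

Run against a real export, the same three record kinds fall out: local deletes arrive as "deleted" with the path filled in from the 4663, network deletes arrive as "delete_requested" with the path from the 4659, and a "delete_access" with an empty object is the nameless 4663 the second comment describes, which is why it is worth keeping rather than dropping.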