Event ID - 563

Event Id563
SourceSecurity
DescriptionObject Open for Delete:
      Object Server: <Object Server>
      Object Type: <Object Type>
      Object Name: <Object Name>
      New Handle ID: <New Handle ID>
      Operation ID: <Operation ID>
      Process ID: <Process ID>
      Primary User Name: <Primary User Name>
      Primary Domain: <Primary Domain>
      Primary Logon ID: <Primary Logon ID>
      Client User Name: <Client User Name>
      Client Domain: <Client Domain>
      Client Logon ID: <Client Logon ID>
      Accesses: <Accesses>
      Privileges: <Privileges>     

Event InformationAccording to Microsoft :
Cause :
This event record indicates that an object has been opened with the intent to delete the object. The only way to determine what happened to the object is to look at the “Object Name” in the audit log. This message does not mean that the object was deleted. The log will show what action occurred. Note: There are security implications to this action if the object name represents a file containing sensitive data.
Resolution :
If the specified object name represents a file containing sensitive data, make sure the specified user was supposed to have access to the file.
Reference LinksEvent ID 563 from Source Security

Alternate Event ID in Vista and Windows Server 2008 is 4659.

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.
 Refresh