Account Name field of 4663,4660 displays System Account(FileServer$) instead of userName when Deleting a Folder

  • Account Name field of 4663,4660 displays System Account(FileServer$) instead of userName when Deleting a Folder:

    A folder with files and subfolders is deleted. The following sequence of events, 4656, 4663, 4660, 4658, is logged for the parent folder, the subfolders and the files in the Security event log. For the parent folder and subfolder events, the Account Name field of event ID 4656 displays the user who deleted the folder, but the Account Name field of event IDs 4663 and 4660 displays the SYSTEM account, i.e. the file server name, instead of the username. This is not occurring for files inside the subfolders.

    Actually, we correlate 4663 and 4660 with the Handle ID and Process ID to make sure the file/folder is deleted. Using the above correlation we cannot find out the user, because it shows servername$ for folder deletions, not for files. So my question is: why is Windows logging servername$ in the 4663 and 4660 events only for folder deletions?

    The above issue is happening only for:
    * the parent folder and subfolders, and not for the files inside them;
    * deletion through a network share, and not locally.

    Sample events of 4656, 4663, 4660:

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 11-09-2012 20:03:41
    Event ID: 4656
    Task Category: File System
    Level: Information
    Keywords: Audit Success
    User: N/A
    Computer: FS01.test.com
    Description:
    A handle to an object was requested.

    Subject:
    Security ID: S-1-5-21-34352134455-267854504-159913591-49381
    Account Name: vijay
    Account Domain: test.com
    Logon ID: 0x7e95119f

    Object:
    Object Server: Security
    Object Type: File
    Object Name: \Device\HarddiskVolume4\ShareA\testFolder
    Handle ID: 0x7498

    Process Information:
    Process ID: 0x4
    Process Name:

    Access Request Information:
    Transaction ID: {00000000-0000-0000-0000-000000000000}
    Accesses: DELETE

    Access Mask: 0x10000
    Privileges Used for Access Check: -
    Restricted SID Count: 0

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 11-09-2012 20:03:41
    Event ID: 4663
    Task Category: File System
    Level: Information
    Keywords: Audit Success
    User: N/A
    Computer: FS01.test.com
    Description:
    An attempt was made to access an object.

    Subject:
    Security ID: SYSTEM
    Account Name: FS01$
    Account Domain: test.com
    Logon ID: 0x3e7

    Object:
    Object Server: Security
    Object Type: File
    Object Name: \Device\HarddiskVolume4\Shared\testFolder
    Handle ID: 0x7498

    Process Information:
    Process ID: 0x4
    Process Name:

    Access Request Information:
    Accesses: DELETE

    Access Mask: 0x10000


    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 11-09-2012 20:03:41
    Event ID: 4660
    Task Category: File System
    Level: Information
    Keywords: Audit Success
    User: N/A
    Computer: FS01
    Description:
    An object was deleted.

    Subject:
    Security ID: SYSTEM
    Account Name: FS01$
    Account Domain: test.com
    Logon ID: 0x3e7

    Object:
    Object Server: Security
    Handle ID: 0x7498

    Process Information:
    Process ID: 0x4
    Process Name:
    Transaction ID: {00000000-0000-0000-0000-000000000000}

    Thursday, September 20, 2012 9:39 AM
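The correlation the post describes (joining 4656, 4663 and 4660 on Handle ID and Process ID) can be made robust against the symptom it reports by taking the user from the 4656 handle-open event rather than from the 4663/4660 events. The script below is an added example, not code from the original post or from Microsoft; it parses exported event text in the layout quoted above, joins the events per handle, attributes each deletion to the 4656 subject, and flags cases where the 4660 subject is a computer account (trailing `$`). The embedded sample log is constructed to mirror the post's three events (same Handle ID, Process ID and account values) and is not a real capture; the field names and layout are assumed to match the text export shown above.

```python
import re
from collections import defaultdict

# Constructed sample, modeled on the three events quoted in the question above
# (same Handle ID 0x7498, Process ID 0x4, user vijay and computer account FS01$).
SAMPLE_LOG = r"""
Log Name: Security
Event ID: 4656
Computer: FS01.test.com
Description:
A handle to an object was requested.
Subject:
Security ID: S-1-5-21-34352134455-267854504-159913591-49381
Account Name: vijay
Account Domain: test.com
Logon ID: 0x7e95119f
Object Type: File
Object Name: \Device\HarddiskVolume4\ShareA\testFolder
Handle ID: 0x7498
Process ID: 0x4
Process Name:
Accesses: DELETE
Access Mask: 0x10000

Log Name: Security
Event ID: 4663
Computer: FS01.test.com
Subject:
Security ID: SYSTEM
Account Name: FS01$
Account Domain: test.com
Logon ID: 0x3e7
Object Name: \Device\HarddiskVolume4\ShareA\testFolder
Handle ID: 0x7498
Process ID: 0x4
Accesses: DELETE
Access Mask: 0x10000

Log Name: Security
Event ID: 4660
Computer: FS01
Description:
An object was deleted.
Subject:
Security ID: SYSTEM
Account Name: FS01$
Account Domain: test.com
Logon ID: 0x3e7
Handle ID: 0x7498
Process ID: 0x4
Process Name:
"""

# "Field Name: value" lines; the non-greedy key stops at the first colon so that
# values containing colons (timestamps) survive intact.
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")


def parse_events(text):
    """Turn exported event text into a list of flat {field: value} dicts.
    A new event starts at each 'Log Name:' line. Section headers such as
    'Subject:' parse as empty fields and are simply ignored downstream."""
    events, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Log Name:"):
            current = {}
            events.append(current)
        match = FIELD_RE.match(line)
        if current is not None and match:
            current[match.group(1)] = match.group(2).strip()
    return events


def correlate_deletions(events):
    """Join 4656/4663/4660 on (Handle ID, Process ID). A deletion is confirmed
    by the presence of 4660; the user is taken from 4656, the event that still
    carried the real account in the post's sample, with 4660 as a fallback."""
    by_handle = defaultdict(list)
    for ev in events:
        if ev.get("Handle ID") and ev.get("Event ID") in ("4656", "4663", "4660"):
            by_handle[(ev["Handle ID"], ev.get("Process ID"))].append(ev)

    deletions = []
    for (handle, pid), group in by_handle.items():
        by_id = {ev["Event ID"]: ev for ev in group}
        if "4660" not in by_id:
            continue  # handle was used but the object was not deleted
        opened, deleted = by_id.get("4656"), by_id["4660"]
        subject_4660 = deleted.get("Account Name", "")
        source = opened if opened is not None else deleted
        deletions.append({
            "handle_id": handle,
            "process_id": pid,
            "object": (opened or by_id.get("4663", {})).get("Object Name", ""),
            "user": source.get("Account Name", ""),
            "domain": source.get("Account Domain", ""),
            "attributed_from": "4656" if opened is not None else "4660",
            "subject_on_4660": subject_4660,
            # A trailing '$' is the computer account, the case the question describes.
            "machine_account_on_4660": subject_4660.endswith("$"),
            "delete_access_logged": "DELETE" in by_id.get("4663", {}).get("Accesses", ""),
        })
    return deletions


if __name__ == "__main__":
    for d in correlate_deletions(parse_events(SAMPLE_LOG)):
        print(f"{d['object']} deleted by {d['domain']}\\{d['user']} "
              f"(handle {d['handle_id']}, attributed from event {d['attributed_from']}; "
              f"4660 subject was {d['subject_on_4660']})")
```

Because 4656 is the only event in the sequence guaranteed to carry the requesting user's identity, keying the join on the handle and reading the subject from 4656 gives the same answer whether the 4663/4660 subject is the user or the server's computer account; the `machine_account_on_4660` flag lets a report show how often the fallback path would have misattributed the deletion.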