Account Deleted

Windows 10

Windows 7

Flynn Weeks


April 21, 2022

Enabled by default

Service: Microsoft Windows Security auditing

Log type: Security

An attacker may attempt to tidy up after themselves by deleting an account or simply disrupt normal workflow by deleting legitimate accounts.

Windows 10 Professional logs this event by default. To view it, open Event Viewer and select the Security log under Windows Logs, then sort or filter the log for event ID 4726.

To view this log from the command line with Get-WinEvent, launch PowerShell as an administrator and enter the command: Get-WinEvent -FilterHashtable @{LogName='Security';ID='4726'} -MaxEvents 1 | Format-List

To view this log from the command line with wevtutil, launch PowerShell or the command prompt as an administrator and enter the command: wevtutil qe Security "/q:*[System[(EventID=4726)]]"
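
As an added example (not part of the original page), the function below wraps the Get-WinEvent query above and pulls the deleted account and the account that performed the deletion out of each 4726 record. The function name, the seven-day window and the 50-event cap are assumptions chosen for illustration.

```powershell
# Added example: summarize who deleted which account from Event ID 4726 records.
# Run from an elevated PowerShell prompt; reading the Security log requires it.
function Get-DeletedAccountEvent {   # hypothetical helper name
    param(
        [int]$MaxEvents = 50,                          # assumption: cap on events returned
        [datetime]$After = (Get-Date).AddDays(-7)      # assumption: look back seven days
    )

    $filter = @{ LogName = 'Security'; ID = 4726; StartTime = $After }

    # Get-WinEvent raises an error when nothing matches, so suppress it
    # and let the function return nothing in that case.
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_

            # EventData is a list of <Data Name="...">value</Data> elements;
            # index them by name so fields can be read directly.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }

            [pscustomobject]@{
                TimeCreated    = $evt.TimeCreated
                Computer       = $evt.MachineName
                DeletedAccount = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
                DeletedSid     = $data.TargetSid
                DeletedBy      = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                ActorLogonId   = $data.SubjectLogonId
            }
        }
}

Get-DeletedAccountEvent | Sort-Object TimeCreated | Format-Table -AutoSize
```

The ActorLogonId value can be matched against the TargetLogonId field of a 4624 logon event to identify the session that performed the deletion.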

View Logs
Get-WinEvent -FilterHashTable @{LogName='Security';ID='4726'} -MaxEvents 1 | Format-List
Check Logging Status
auditpol /get /subcategory:"User Account Management"
Disable Logging
auditpol /set /subcategory:"User Account Management" /Success:Disable /Failure:Disable
Enable Logging
auditpol /set /subcategory:"User Account Management" /Success:Enable /Failure:Enable
Language: PowerShell