Windows Event ID 4759 – Microsoft-Windows-Security-Auditing: User Account Deleted

Event ID 4759 fires when a user account is deleted from the local Security Accounts Manager (SAM) database, providing an audit trail for account management activities.

Emanuel DE ALMEIDA
18 March 2026, 12 min read
Event Reference

What This Event Means

Windows Event ID 4759 represents a fundamental component of the Windows security auditing framework, specifically designed to track local user account deletions. When this event fires, it indicates that a user account has been successfully removed from the local SAM database, which stores user account information on standalone computers and member servers.

The event structure includes multiple data fields that provide comprehensive audit information. The Subject section identifies who performed the deletion, including their account name, domain, logon ID, and SID. The Target Account section details the deleted account, including its name, domain, and SID. This dual-tracking approach ensures complete accountability for account management actions.

From a security perspective, Event ID 4759 serves as a critical control point for detecting unauthorized account deletions. Malicious actors often attempt to cover their tracks by deleting accounts they've compromised or created. Regular monitoring of these events helps security teams identify such activities quickly. The event also supports compliance requirements in regulated environments where account lifecycle management must be thoroughly documented.

The timing of this event is crucial - it fires after the account deletion completes successfully but before any cleanup operations occur. This ensures the audit trail captures the action even if subsequent operations fail. The event appears in the Security log with an Information level, making it easily filterable for automated monitoring systems.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Administrator manually deleting a user account through Computer Management console
  • PowerShell cmdlets like Remove-LocalUser executing account deletion
  • Command-line tools such as 'net user [username] /delete' removing accounts
  • Automated scripts or management tools performing bulk account cleanup
  • Group Policy-driven account management policies triggering deletions
  • Third-party identity management systems removing local accounts
  • System administrators cleaning up temporary or service accounts
  • Malicious actors attempting to cover tracks by deleting compromised accounts
Resolution Methods

Troubleshooting Steps

01. Review Event Details in Event Viewer

Start by examining the event details to understand the context of the account deletion.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 4759 in the Event IDs field and click OK
  5. Double-click on a 4759 event to view detailed information
  6. Review the Subject section to identify who deleted the account
  7. Check the Target Account section to see which account was deleted
  8. Note the timestamp and correlate with any scheduled maintenance or administrative activities
Pro tip: The Logon ID in the Subject section can be correlated with logon events (4624) to trace the complete session that performed the deletion.
02. Query Events with PowerShell

Use PowerShell to programmatically search and analyze account deletion events across multiple systems.

  1. Open PowerShell as Administrator
  2. Query recent account deletion events:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4759} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Filter events by specific time range:
    $StartTime = (Get-Date).AddDays(-7)
    $EndTime = Get-Date
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4759; StartTime=$StartTime; EndTime=$EndTime}
  4. Extract detailed information from events (fields are looked up by their Name attribute, because positional Data[n] indexes differ between event versions):
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4759} -MaxEvents 10 | ForEach-Object {
        $Event = [xml]$_.ToXml()
        # Build a name -> value map of the EventData fields
        $Data = @{}
        foreach ($d in $Event.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            TimeCreated       = $_.TimeCreated
            SubjectUserName   = $Data['SubjectUserName']
            SubjectDomainName = $Data['SubjectDomainName']
            SubjectLogonId    = $Data['SubjectLogonId']
            TargetUserName    = $Data['TargetUserName']
            TargetDomainName  = $Data['TargetDomainName']
        }
    }
  5. Export results to CSV for analysis:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4759} | Select-Object TimeCreated, Id, LevelDisplayName, Message | Export-Csv -Path "C:\Temp\AccountDeletions.csv" -NoTypeInformation
03. Correlate with Related Security Events

Investigate the broader context by examining related events that occurred around the same time as the account deletion.

  1. Identify the Logon ID from the 4759 event details
  2. Search for logon events using the same Logon ID:
    $LogonId = "0x3e7"  # Replace with actual Logon ID from 4759 event
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | Where-Object {$_.Message -like "*$LogonId*"}
  3. Look for privilege escalation events (4672) associated with the session:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672} | Where-Object {$_.Message -like "*$LogonId*"}
  4. Check for other account management events in the same timeframe:
    $TimeWindow = (Get-Date).AddHours(-2)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720,4722,4724,4726,4738,4740,4767,4781; StartTime=$TimeWindow}
  5. Review process creation events (4688) to identify tools used:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$TimeWindow} | Where-Object {$_.Message -like "*net.exe*" -or $_.Message -like "*powershell*"}
Warning: High-volume environments may generate thousands of events. Use specific time ranges and consider performance impact when running these queries.
04. Implement Automated Monitoring and Alerting

Set up proactive monitoring to detect and alert on suspicious account deletion activities.

  1. Create a scheduled task to monitor for Event ID 4759:
    $Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\MonitorAccountDeletions.ps1"
    $Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15) -RepetitionDuration (New-TimeSpan -Days 365)
    $Settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
    Register-ScheduledTask -TaskName "Monitor Account Deletions" -Action $Action -Trigger $Trigger -Settings $Settings -User "SYSTEM"
  2. Create the monitoring script at C:\Scripts\MonitorAccountDeletions.ps1:
    # Monitor for recent account deletions; the 20-minute window overlaps the 15-minute schedule so no event is missed
    $LastCheck = (Get-Date).AddMinutes(-20)
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4759; StartTime=$LastCheck} -ErrorAction SilentlyContinue
    
    # Write-EventLog requires a registered event source; create it once (needs elevation)
    if (-not [System.Diagnostics.EventLog]::SourceExists("Account Monitor")) {
        New-EventLog -LogName Application -Source "Account Monitor"
    }
    
    if ($Events) {
        foreach ($Event in $Events) {
            $EventXML = [xml]$Event.ToXml()
            # Look fields up by Name rather than by position
            $Data = @{}
            foreach ($d in $EventXML.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
            $Subject = $Data['SubjectUserName']
            $DeletedAccount = $Data['TargetUserName']
            
            # Send alert (customize as needed)
            Write-EventLog -LogName Application -Source "Account Monitor" -EventId 1001 -EntryType Warning -Message "Account deletion detected: $DeletedAccount deleted by $Subject at $($Event.TimeCreated)"
        }
    }
  3. Configure Windows Event Forwarding for centralized monitoring:
    winrm quickconfig
    wecutil qc
  4. Create a custom event subscription XML file for Event ID 4759 collection
  5. Set up email notifications using PowerShell and SMTP for critical deletions
05. Forensic Analysis and Recovery Planning

Perform detailed forensic analysis when unauthorized account deletions are suspected.

  1. Export all security events for the relevant timeframe:
    $StartTime = (Get-Date "2026-03-15 00:00:00")
    $EndTime = (Get-Date "2026-03-18 23:59:59")
    Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=$StartTime; EndTime=$EndTime} | Export-Clixml -Path "C:\Forensics\SecurityEvents_$(Get-Date -Format 'yyyyMMdd').xml"
  2. Analyze the SAM registry hive for deleted account artifacts:
    # Check SAM registry for account remnants
    # Note: the SAM hive is not readable by Administrators by default; run as SYSTEM (or adjust the key's ACL) or this returns nothing
    Get-ChildItem "HKLM:\SAM\SAM\Domains\Account\Users" -ErrorAction SilentlyContinue
  3. Review backup systems to identify when the account was last present:
    # Query backup metadata if available (requires the Windows Server Backup feature and its WindowsServerBackup module)
    Get-WBBackupSet | Where-Object {$_.BackupTime -ge $StartTime}
  4. Document the incident timeline using event correlation:
    # Create incident timeline
    $IncidentEvents = @(4624, 4625, 4648, 4672, 4720, 4726, 4759, 4688)
    $Timeline = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$IncidentEvents; StartTime=$StartTime; EndTime=$EndTime} | Sort-Object TimeCreated
    $Timeline | Select-Object TimeCreated, Id, LevelDisplayName, @{Name='Summary';Expression={$_.Message.Split("`n")[0]}} | Export-Csv -Path "C:\Forensics\IncidentTimeline.csv" -NoTypeInformation
  5. Prepare account recovery procedures if the deletion was unauthorized:
    • Restore from Active Directory Recycle Bin if domain-joined
    • Recreate account with appropriate permissions and group memberships
    • Review and restore any associated user profile data from backups
    • Update security policies to prevent similar incidents
Pro tip: Always preserve original event logs before analysis. Use wevtutil epl Security C:\Forensics\Security_Original.evtx to create a backup copy.

Overview

Event ID 4759 is a security audit event that fires whenever a user account gets deleted from the local Security Accounts Manager (SAM) database. This event appears in the Security log and provides critical audit information for tracking account management activities across Windows systems.

The event captures essential details including who performed the deletion, which account was removed, and when the action occurred. This makes it invaluable for security monitoring, compliance auditing, and forensic investigations. The event fires immediately after successful account deletion through any method - whether via Computer Management, PowerShell cmdlets, or command-line tools like net user.

Unlike domain-level account deletions which generate different event IDs, 4759 specifically tracks local account removals. The event includes the Security ID (SID) of both the deleted account and the account that performed the deletion, along with detailed logon session information. This comprehensive logging helps administrators maintain proper oversight of local account management activities and detect unauthorized account deletions.

Frequently Asked Questions

What does Event ID 4759 mean and when does it occur?
Event ID 4759 indicates that a user account has been successfully deleted from the local Security Accounts Manager (SAM) database. This event fires immediately after any local user account deletion, whether performed through Computer Management, PowerShell cmdlets like Remove-LocalUser, or command-line tools such as 'net user /delete'. The event provides comprehensive audit information including who performed the deletion, which account was removed, and when the action occurred. It's crucial for security monitoring and compliance auditing as it creates an immutable record of account management activities.
How can I identify who deleted a user account using Event ID 4759?
The Subject section of Event ID 4759 contains detailed information about who performed the account deletion. This includes the Security Account Name, Account Domain, Logon ID, and Security ID (SID) of the user who executed the deletion. You can correlate the Logon ID with Event ID 4624 (successful logon) to trace the complete session. Use PowerShell to extract this information, looking the field up by name rather than by position: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4759} | ForEach-Object { $Event = [xml]$_.ToXml(); Write-Host "Deleted by: $(($Event.Event.EventData.Data | Where-Object Name -eq 'SubjectUserName').'#text')" }. The event also includes the target account details in the Target Account section.
Can Event ID 4759 help detect malicious account deletions?
Yes, Event ID 4759 is excellent for detecting malicious account deletions. Attackers often delete accounts to cover their tracks after compromising systems. Monitor for unusual patterns such as account deletions outside business hours, deletions by accounts that don't normally manage users, or bulk deletions in short timeframes. Set up automated monitoring using scheduled tasks or SIEM systems to alert on these events. Correlate 4759 events with other suspicious activities like failed logon attempts (4625), privilege escalations (4672), or unusual process executions (4688) to identify potential security incidents.
What's the difference between Event ID 4759 and other account-related events?
Event ID 4759 specifically tracks local user account deletions, while other events cover different account activities. Event ID 4720 logs account creation, 4722 tracks account enabling, 4725 covers account disabling, and 4726 indicates account deletion attempts that failed. For domain environments, different event IDs apply - domain account deletions generate Event ID 4743. Event ID 4759 only appears when local accounts are successfully removed from the SAM database. Understanding these distinctions helps administrators properly interpret audit logs and implement comprehensive account monitoring strategies.
How long are Event ID 4759 records retained and can they be recovered?
Event ID 4759 records are retained based on your Security log configuration, typically until the log reaches its maximum size and begins overwriting older entries. Default retention varies by Windows version but is often 20MB with overwrite enabled. To extend retention, increase the Security log size via Group Policy or Event Viewer properties. Once overwritten, events cannot be recovered from the local system. However, if you've implemented Windows Event Forwarding, centralized logging, or SIEM solutions, the events may be preserved longer. For compliance environments, consider archiving security logs to meet regulatory requirements. Use wevtutil to export logs: wevtutil epl Security C:\Archive\Security_$(Get-Date -Format 'yyyyMMdd').evtx.
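The detection heuristics just listed (off-hours deletions, deletions by accounts that do not normally manage users, bulk deletions) and the monitoring script in step 04 both need the same parsing of the event's EventData fields. The following Python detector is an added example, not code from the article; it works on events in the XML form that Get-WinEvent's ToXml() returns (for instance forwarded or exported events), looks fields up by their Name attribute as the page's field names (SubjectUserName, TargetUserName, SubjectLogonId), and treats the sample events, the admin allow-list and the thresholds as constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample in the shape Get-WinEvent's ToXml() returns (assumption:
# only the fields read below are filled in; real events carry more Data items).
SAMPLE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4759</EventID><TimeCreated SystemTime="{time}"/></System>
  <EventData>
    <Data Name="TargetUserName">{target}</Data>
    <Data Name="SubjectUserName">{subject}</Data>
    <Data Name="SubjectLogonId">{logon}</Data>
  </EventData>
</Event>"""

def make_event(time, subject, target, logon="0x3e7"):
    return SAMPLE.format(time=time, subject=subject, target=target, logon=logon)

def parse_event(xml_text):
    """Read one event; fields are looked up by Data Name, never by position."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    created = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return {
        "time": datetime.fromisoformat(created.replace("Z", "+00:00")),
        "id": int(root.find("e:System/e:EventID", NS).text),
        "subject": data.get("SubjectUserName", ""),
        "logon_id": data.get("SubjectLogonId", ""),
        "target": data.get("TargetUserName", ""),
    }

def find_suspicious(events, admins, start_hour=8, end_hour=18, bulk_threshold=3):
    """Flag deletions that are off-hours, by a non-admin, or part of a bulk run.
    admins: set of account names expected to manage local users (assumption)."""
    deletions = [e for e in events if e["id"] == 4759]
    per_subject = Counter(e["subject"] for e in deletions)
    findings = []
    for e in deletions:
        reasons = []
        if not (start_hour <= e["time"].hour < end_hour):
            reasons.append("off-hours")
        if e["subject"] not in admins:
            reasons.append("subject not in admin allow-list")
        if per_subject[e["subject"]] >= bulk_threshold:
            reasons.append("bulk deletion")
        if reasons:
            findings.append((e["target"], e["subject"], e["logon_id"], reasons))
    return findings
```

The returned logon_id is the value to pivot on when correlating with 4624 and 4672 events as described in step 03.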

Written by Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
