
# User Account Deleted

### Event IDs 4720 (creation) and 4726 (deletion)

In Windows 7, the Event Logs are located in %SystemRoot%\system32\winevt\logs. We used Logparser to inspect the Windows Event Logs. Logparser is a powerful utility that is capable of querying text-based logs.

We utilized this tool to extract information about deleted accounts. Every event in the Event Logs has an event ID that distinguishes it from other events. For example, account creation and deletion events have event ID values of 4720 and 4726, respectively. Based on the event ID of account creation, we can extract information about all created users. Because we are interested in recovering deleted accounts, we can likewise extract all of these accounts based on their event ID. Since events in the Event Logs are tied to the user's SID (Security Identifier), we first need to extract the SIDs of all deleted users. Then we can use the extracted SIDs as a cross-reference into all events in the Event Logs. To extract the username, SID and deletion date of every deleted account and save them into a file named delusers.txt, we ran the following query:

{% code overflow="wrap" %}

```
logparser -i:evt -resolveSIDs:on -o:nat -rtp:20 "select extract_token(strings, 0, '|') as user, extract_token(strings, 2, '|') as SecID, to_date(timegenerated) as deletiondate into delusers.txt from security where eventid = 4726"
```

{% endcode %}

The above query can be modified to extract only the SIDs of deleted users and store them in a file named deluserssid.txt, which is used later. Other kinds of events, such as logon, logoff and password changes, can be extracted the same way. For example, to extract all events tied to deleted users, we wrote the following query, which uses the SIDs of the deleted users. The output of the query goes into a file named delsecurity.txt.

{% code overflow="wrap" %}

```
FOR /F "skip=2 tokens=* delims=" %%i in (deluserssid.txt) do (
    LogParser -i:evt -resolveSIDs:on -o:nat -rtp:20 "select EventID, TimeGenerated, SourceName, EventCategoryName, Message into delsecurity.txt from security where strings like '%%%%i'"
)
```

{% endcode %}
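The two-step workflow above, as an added example that is not part of the original page: the deleted-account extraction (event 4726) and the SID cross-reference replayed in Python over constructed sample rows (the SIDs, account names, timestamps and the layout of the 4624 strings are made up), plus pairing each deletion with its 4720 creation event to get the account's lifetime.

```python
"""Added example (not the page's own code): the two LogParser steps replayed
in Python over constructed Security-log rows, plus pairing each 4726 with
its 4720. In EVT input, 'Strings' is the pipe-joined insertion-string list;
for 4720/4726, token 0 is the target account and token 2 its SID."""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed rows shaped like (EventID, TimeGenerated, Strings); SIDs, names
# and the trailing tokens are made up and truncated.
SAMPLE_EVENTS = [
    (4720, "2023-03-01 09:12:00", "svc_backup|WS01|S-1-5-21-111-222-333-1105|S-1-5-21-111-222-333-500"),
    (4624, "2023-03-02 08:00:05", "S-1-5-18|WS01$|WORKGROUP|0x3e7|S-1-5-21-111-222-333-1105|svc_backup|WS01"),
    (4726, "2023-03-04 17:45:10", "svc_backup|WS01|S-1-5-21-111-222-333-1105|S-1-5-21-111-222-333-500"),
    (4726, "2023-03-06 11:00:00", "tmp_admin|WS01|S-1-5-21-111-222-333-1107|S-1-5-21-111-222-333-500"),
    (4624, "2023-03-05 08:00:05", "S-1-5-18|WS01$|WORKGROUP|0x3e7|S-1-5-21-111-222-333-1001|alice|WS01"),
]

def deleted_accounts(events):
    """Step 1 (delusers.txt): user, SID and deletion date from every 4726."""
    return [{"user": s.split("|")[0], "sid": s.split("|")[2],
             "deletiondate": datetime.strptime(ts, FMT)}
            for eid, ts, s in events if eid == 4726]

def events_for_sids(events, sids):
    """Step 2 (delsecurity.txt): every event whose Strings mention a deleted SID.
    Whole tokens are compared, so ...-1105 does not also match ...-11050."""
    sids = set(sids)
    return [e for e in events if sids & set(e[2].split("|"))]

def account_lifetimes(events):
    """Days between an account's 4720 and its 4726, keyed by user name;
    None when no 4720 survives in the retained log."""
    created = {s.split("|")[2]: datetime.strptime(ts, FMT)
               for eid, ts, s in events if eid == 4720}
    out = {}
    for acct in deleted_accounts(events):
        c = created.get(acct["sid"])
        out[acct["user"]] = (acct["deletiondate"] - c).days if c else None
    return out

if __name__ == "__main__":
    dels = deleted_accounts(SAMPLE_EVENTS)
    print(dels)
    print(len(events_for_sids(SAMPLE_EVENTS, [d["sid"] for d in dels])), "related events")
    print(account_lifetimes(SAMPLE_EVENTS))
```

A deleted account whose 4720 is missing shows up with a None lifetime, which is the cue that the creation predates the oldest retained event and other sources (backups, domain controller logs) are needed.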

### User's Home Directory

The directory may still exist. Check for evidence by looking in the Users folder to see whether any artifacts were left behind.

* C:\Users\USERNAME
* C:\RECYCLE.BIN\SID

