Use auditing to track who deleted your files

by Steve Wiseman on March 21, 2008 · 28 comments

in Windows


.

I had a reader write me a few days ago:

…I’m in a school environment and a student has deleted some files and I would like to know how I can do this in Win2k server to catch this sucker. Please advise and more power to you.

This can be accomplished through auditing. Let's start out by identifying what folder we want to watch – and be careful where you turn on auditing…turn it on for too many folders with too many options and you can have huge performance issues.

We find the folder we want, right click on it, and go to Properties.

[Screenshot: Audit For Deleted Files Properties]

This will bring up the properties page for the folder. Move over to the Security tab, and click on the Advanced button:

[Screenshot: Audit For Deleted Files Properties Page]

The Advanced page will appear. Click on the Auditing tab, and click the Add button:

[Screenshot: Audit For Deleted Files Advanced]

A user dialog will come up. I chose to put the “Everyone” group here. This allows me to audit any possible user account that may be deleting files. If you think you know who it might be…you could put those users here instead. The smaller the set of users being audited, the better the performance.

[Screenshot: Audit for Deleted Files User Selection]

Once you click OK, a selection box will be displayed. Again – choose only the options you need. Each additional option will reduce performance. Here I just pick the options to audit deleting files and folders:

[Screenshot: Audit For Deleted Files Event Selection]

Click OK through all of the windows you have open. If a user deletes a file or folder, Windows will write an event to the Security log.
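The same audit entry the screenshots build by hand can be applied from PowerShell. This is an added example, not part of the original post or any IntelliAdmin tool; the folder path is an assumption, the script must run in an elevated prompt (writing a SACL needs SeSecurityPrivilege), and it also enables the system-wide object-access audit policy that the comment thread on this post points out is required before the folder's audit entry produces any events (auditpol exists on Vista/2008 and later; on Windows 2000/2003 the equivalent is Local Security Policy → Audit object access).

```powershell
# Added example (not from the original post): audit successful deletes under one folder.
# Assumes an elevated PowerShell session; $Folder is an assumed path.
$Folder = 'D:\Shares\Students'

# 1. Server-side half: without object-access auditing turned on, the folder SACL is ignored.
#    "File System" is the subcategory that covers file and folder access events.
auditpol /set /subcategory:"File System" /success:enable

# 2. Folder half: the same options as the GUI walk-through -
#    Everyone, "Delete" and "Delete subfolders and files", Successful only,
#    inherited by every subfolder and file beneath $Folder.
$rights = [System.Security.AccessControl.FileSystemRights]::Delete -bor
          [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
           [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $rights,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

# -Audit is required, otherwise Get-Acl returns the DACL only and the SACL is not touched.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Verify what is now in place (should show Everyone / Delete, DeleteSubdirectoriesAndFiles / Success).
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Keeping the rule to Delete rights and Success only mirrors the post's advice about performance: every extra right or the Failure flag multiplies the events written for a busy share.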

Now we have our auditing turned on. Say you get to work one morning and find that files are missing. Simply open the Event Viewer and move over to the Security log. Look for event ID 560:

[Screenshot: Audit For Deleted Files Security Event 560]

Double click on the event, and you will need to sit there and read it for a little bit to determine who did what. Here is an excerpt from mine (I copied the text from Event Viewer to Notepad for easier reading):

[Screenshot: Audit For Deleted Files Security Event 560 View]

We can see from this log entry that the user Administrator deleted the file setuperr.log.

Now when someone deletes a file, you will have no problem determining who did it.

If you have a Windows administration question, or an idea for a utility, please send me an email at support@intelliadmin.com. I can’t promise that I will answer every email, but I try to read them all.

One more thing…Subscribe to my newsletter and get 11 free network administrator tools, plus a 30 page user guide so you can get the most out of them. Click Here to get your free tools


28 comments

1 alcatraz November 6, 2009 at 10:33 pm

is this applicable with in a domain?

Steve Says:

Yes, this will work in a domain environment also

2 jay November 17, 2009 at 5:21 pm

Is it possible to put an intervention before moving the folder, like “do you want to move or copy files from this folder?” By doing this the user has to reply yes or no before the folder moves.

Thanks,

3 Steve Wiseman November 17, 2009 at 6:29 pm

No. You would need to disable read, write, or delete permissions to do what you want to accomplish.

4 Andy December 18, 2009 at 7:24 pm

Thanks for the instruction above but this setup is for future incidents.
I have a file that was already deleted. How can I track down who deleted my directory/file? I was able to recover them from my backups but I need to track down who did it. Audit was never turned on.

5 Steve Wiseman December 18, 2009 at 7:32 pm

I don’t think there is any way to know who deleted it. Without auditing turned on, there are no logs of who deleted the file.

6 Andy December 18, 2009 at 8:04 pm

Thanks Steve!

7 Francesco February 12, 2010 at 3:18 am

Pay attention that this log is written also if you create a folder. Where you read delete is the type of permission, not the action that the user made.

8 jojiepl01 February 17, 2010 at 5:33 am

My concern is to monitor who, what and when a certain file/s was deleted in a shared folder inside a domain-controlled environment. I have done the above instructions on the CPU that has the shared folder (local) and tried it by copying and deleting files inside the monitored shared folder from a remote CPU, with an interval of 10 sec from copying to deleting. Then I went back to the local computer and opened the local event viewer. There was no 560 in the Event ID during that time; most are 538 and 540. Is there anything else that I may have left undone, or should I do something more in configuring this utility? This is a very helpful utility and I really would like to use it. Please help.

Thanks in advance,

jojie

9 Mark March 3, 2010 at 12:00 pm

Did you disable auditing via group policy? That would cause auditing to fail if configured locally.

10 JC March 25, 2010 at 2:48 pm

Auditing needs to be on in two places: server (as Mark indicates) and file/folder (as this article describes). Look for 560 (has file name) and 564 (delete confirmation) together to confirm the delete.
http://support.microsoft.com/kb/174074

11 Brian B June 3, 2010 at 1:10 pm

JC posted the wrong KB: http://support.microsoft.com/kb/325898 will tell you how to turn on auditing for the server, then you will need to follow the above blog post for a particular folder.

12 Steve Wiseman June 3, 2010 at 1:18 pm

Awesome – Thanks for the link!

13 Rod January 10, 2011 at 11:44 am

This shit does not work. It just fills my sec.event log with events 560 and 562 but it does not tell me the folders I deleted.

14 IT Pro Doc September 8, 2011 at 8:33 pm

Use Netwrix. You’ll have to pay for it though. The file/folder monitoring starts at $85 per server.

15 devin March 14, 2012 at 8:03 pm

I filter for event 4663 which has both username and filename.

16 Steve Wiseman March 14, 2012 at 9:25 pm

Thanks for the post Devin – great suggestion.

17 Mala April 2, 2012 at 8:08 am

Hi, how to check who deleted a Windows 7 profile?

18 Steve Wiseman April 2, 2012 at 9:17 am

I don’t think there is a way to do that…unless you have auditing on the system files. Even then it might show up as ‘system’.

19 stalin August 21, 2012 at 11:49 am

Hey Steve, it's not working for me. I am using Windows 2003 and a domain controller. Does the event log take any particular time to update the database?

20 Steve Wiseman August 21, 2012 at 12:08 pm

It should work almost right away. The usual ‘gotcha’ is the user accounts that you pick for auditing. What accounts did you specify? The exact account names, or a generic group like “Domain Users” or “Everyone”? The latter two seem to have trouble with auditing. I still am not sure why, but they do not show up.

21 stalin August 23, 2012 at 11:13 am

Hey, I used Everyone and also a particular group where all the users are listed, but still it's not working… Do we need to do any update on AD?

22 mjackson September 13, 2012 at 11:48 am

I have added auditing to file locations yet I receive no events with an ID of 560 or the mentioned 4663.

Running Win7-64bit, I am wondering if the event ids changed. The only event IDs I have in my “event viewer>windows logs>security log” are 4611, 4624, 4634, 4656, 4658, 4672, 4673, 4701, 4702, 4907, 4985, 5140, 5145, 5156, 5158, and 6281.

Am I looking in the wrong place or is there an additional setting that I need to check?

23 Sok Sabay December 28, 2012 at 4:43 am

Hello, does it work for a workgroup with Windows Server 2003 Standard R2? Do we do it before deleting the file? I did it already but it does not work. Thanks

24 Onno March 29, 2013 at 5:39 am

Looks OK. Doesn’t work on Windows 2008 Server. Such an event ID 560 won’t be there.

25 Andrei Silkou April 23, 2013 at 4:32 pm

ID 4656 (Win 2008) = 560 (Win 2003)

26 Andrei Silkou April 23, 2013 at 4:35 pm

and other IDs (in Russian):
http://support.microsoft.com/kb/977519/ru
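Several comments above move the post forward to Vista/2008 and later, where 560 is replaced by 4656, Devin filters on 4663 because it carries both the user name and the file name, and JC's advice to pair the access event with the delete confirmation (560 + 564) still applies with the newer IDs: 4660 ("An object was deleted") carries only a handle ID, which matches the HandleId in the 4663 for the same object. The script below is an added example written for this page, not code from the post or its author; it assumes the folder SACL and the "File System" audit subcategory are already enabled, that it runs in an elevated prompt (reading the Security log requires it), and that the folder path is adjusted to the audited share.

```powershell
# Added example (not from the original post): who deleted what under $Folder, from the Security log.
# Assumes an elevated session and that auditing is already configured; $Folder is an assumed path.
param(
    [string]$Folder = 'D:\Shares\Students',
    [int]$Hours = 24
)

$DELETE = 0x10000    # the DELETE bit of the Win32 ACCESS_MASK, as it appears in 4663's AccessMask
$since  = (Get-Date).AddHours(-$Hours)

# Turn an event's <EventData> into a name -> value hashtable.
function Get-EventFields($event) {
    $x = [xml]$event.ToXml()
    $fields = @{}
    foreach ($item in $x.Event.EventData.Data) { $fields[$item.Name] = $item.'#text' }
    return $fields
}

# 4660 confirms that the handle was actually used to delete the object. It has no object name,
# so collect the handle IDs and join them to 4663 below (the modern form of JC's 560 + 564 check).
$deletedHandles = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-EventFields $_)['HandleId'] }

# 4663: an access that the SACL asked us to audit, with user, object name, process and access mask.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        $mask = [Convert]::ToInt32($f['AccessMask'], 16)     # AccessMask is logged as hex text, e.g. 0x10000
        if (($mask -band $DELETE) -and ($f['ObjectName'] -like "$Folder*")) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
                Object    = $f['ObjectName']
                Process   = $f['ProcessName']
                Confirmed = ($deletedHandles -contains $f['HandleId'])   # a 4660 followed for this handle
            }
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

Francesco's caveat holds here too: a 4663 with the DELETE bit means a handle was opened with delete rights, which also happens when a file is renamed or a folder is created by some tools, so the Confirmed column (the matching 4660) is what separates an actual removal from an access that merely asked for the right.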

27 Steve Wiseman April 23, 2013 at 10:44 pm

Thanks for the updated info Andrei – really appreciate it!

28 Andrei Silkou May 18, 2016 at 1:32 pm
