Friday, July 07, 2006

How to audit and track file deletions

  • Enable the audit policy: On the machine where you want to track file deletions, go to Administrative Tools->Local Security Policy->Local Policies->Audit Policy, double-click "Audit object access" in the right pane and turn on both "Success" and "Failure". (The Local Security Policy snap-in is not present on Home editions, and on a domain member a domain Group Policy setting overrides the local one.)
  • Enable auditing for the user/group: You need to add an auditing entry for a user or security group on the folder whose deletions you want to capture.
    • Right-click the target folder (e.g. C:\Program Files\Honeywell), select Properties and go to the Security tab.
    • Click Advanced and select the Auditing tab.
    • Add the security group that includes the user you suspect of deleting the file. If you are not sure, add Everyone.
    • On the next screen tick "Successful" and "Failed" for "Delete subfolders and files" and "Delete", and make sure "Apply onto" covers "This folder, subfolders and files" so that files created later inside the folder are audited too. Apply the new settings and close the properties dialog.
  • These settings generate object-access audit records for the configured folder in the Security event log. Since we only want the records that describe deletions, look for event ID 560 (Object Open). Note that 560 is written for every audited handle open, reads included, so the event ID alone is not enough: the record's Accesses field must list DELETE.
  • Deleting a file from Explorer generates two events with event ID 560 for the same object. Once you know that your target file has been deleted, filter the Security log view to show only event ID 560 (right-click Event Viewer->Security, select Filter...) and look for the file's path in the Object Name field.
  • If you quickly want to check whether the configured machine has generated any file deletion records, run the following command from your own (networked) machine. eventquery.vbs ships with Windows XP and Server 2003 (it is not present on Windows 2000), so run it from an XP or 2003 machine; the /S switch queries a remote system, which can itself be a Windows 2000 machine. Reading another machine's Security log remotely requires administrative rights on that machine. Run cscript //h:cscript //s //nologo at least once on your system beforehand so that .vbs scripts execute under the console host. Because 560 covers every audited open, expect more matches than actual deletions; check the Accesses line of each record for DELETE.

eventquery.vbs /S <Target_System_Name> /FI "ID eq 560" /L Security /V
/S : Remote system to query
/FI : Filter expression
/L : Log name {Application | Security | System}
/V : Verbose output (includes the event description)

To know more about the above command, read here

  • A typical Security log record with file deletion details looks like this (note the Accesses line at the end; it is what distinguishes a deletion from any other audited open):

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
User: GKY\Raj
Computer: GKY
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\Test\testdoc.txt
Handle ID: 1756
Operation ID: {0,3190200}
Process ID: 4040
Image File Name: C:\WINDOWS\explorer.exe
Primary User Name: Raj
Primary Domain: GKY
Primary Logon ID: (0x0,0x40C41)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE



  • Make sure the Security log is configured not to overwrite events and is large enough to hold records spanning many days; object-access auditing is verbose and fills a small log quickly. Right-click Security in Event Viewer and choose Properties to set the maximum log size and the overwrite behaviour. With "Do not overwrite events" the log must be cleared by hand once it is full, and new audit records are dropped until it is, so size it generously.
  • Test these settings by deleting a few files yourself before assuming they will deliver what you expect!
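The filtering step above is easy to get wrong by hand, because event 560 is logged for every audited handle open and the Accesses field can span several lines. The following Python script, added here as an example and not part of the original post, parses a text export in the record layout shown above and keeps only the 560 records that are delete attempts (Successful and Failed), optionally restricted to one folder. The sample log embedded in it is constructed: the first record is the one from the post, the other two (a plain read of D:\Test\notes.txt with a multi-line Accesses field, and a refused delete of D:\Test\budget.xls by GKY\Guest from cmd.exe) are invented to exercise the filter.

```python
import re
from typing import Any, Dict, List, Optional

# Constructed sample export in the page's 560 record layout: the page's
# deletion, an invented plain read (560 without DELETE, multi-line Accesses)
# and an invented refused delete (Failure Audit). Not real log data.
SAMPLE_LOG = r"""
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
User: GKY\Raj
Computer: GKY
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\Test\testdoc.txt
Handle ID: 1756
Operation ID: {0,3190200}
Process ID: 4040
Image File Name: C:\WINDOWS\explorer.exe
Primary User Name: Raj
Primary Domain: GKY
Primary Logon ID: (0x0,0x40C41)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE

Event Type: Success Audit
Event ID: 560
User: GKY\Raj
Object Name: D:\Test\notes.txt
Handle ID: 1760
Process ID: 2216
Image File Name: C:\WINDOWS\notepad.exe
Accesses: READ_CONTROL
          ReadData (or ListDirectory)

Event Type: Failure Audit
Event ID: 560
User: GKY\Guest
Object Name: D:\Test\budget.xls
Handle ID: -
Process ID: 3304
Image File Name: C:\WINDOWS\system32\cmd.exe
Accesses: DELETE
"""

# 'Key: value' where the key is words and spaces only, so a continuation line
# (no colon) and values containing colons (drive letters) both parse correctly.
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s?(?P<val>.*)$")


def parse_records(text: str) -> List[Dict[str, Any]]:
    """Split a blank-line separated export into records; 'Accesses' becomes
    a list because XP writes one access right per line."""
    records: List[Dict[str, Any]] = []
    current: Dict[str, Any] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
            current, last_key = {}, None
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m.group("key").strip(), m.group("val").strip()
            if key == "Accesses":
                current[key] = [val] if val else []
            else:
                current[key] = val
            last_key = key
        elif last_key == "Accesses":
            current["Accesses"].append(line)  # continuation of the rights list
    if current:
        records.append(current)
    return records


def find_deletions(records: List[Dict[str, Any]],
                   folder: Optional[str] = None) -> List[Dict[str, Any]]:
    """Keep only 560 records whose Accesses include DELETE (the ID alone also
    matches reads). Failure Audits are kept: they show who was refused.
    `folder` (optional) restricts hits to objects under that path."""
    prefix = folder.lower().rstrip("\\") + "\\" if folder else None
    hits: List[Dict[str, Any]] = []
    for r in records:
        accesses = [a.upper() for a in r.get("Accesses", [])]
        if r.get("Event ID") != "560" or "DELETE" not in accesses:
            continue
        name = r.get("Object Name", "")
        if prefix and not name.lower().startswith(prefix):
            continue
        hits.append({"outcome": r.get("Event Type"), "user": r.get("User"),
                     "object": name, "process": r.get("Image File Name")})
    return hits


if __name__ == "__main__":
    for h in find_deletions(parse_records(SAMPLE_LOG), folder=r"D:\Test"):
        print(f"{h['outcome']}: {h['user']} -> {h['object']} via {h['process']}")
```

On the sample, the read of notes.txt is dropped and the two DELETE records are reported, the second as a Failure Audit by GKY\Guest. To use it on a real log, save the Security log as a text file from Event Viewer and pass its contents to parse_records; the folder argument is the path you set the auditing entry on.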

Update: Just found a better alternative to the built-in Event Viewer -


John said...

Hi Raj,

In regards to "Ensure that security log is set not to overwrite itself, and has sufficient size to hold logs spanning many days", I think that's a very important point, because so often, due to incorrectly configured settings, logs just roll over and potentially vital information gets lost!

By the way, I'm a Windows Security Analyst as well, and often blog on Active Directory Security stuff. If you have a few minutes, please feel free to drop by!


Anonymous said...

Nice article, we can also look at

AGreenhill said...

I logged in as admin and still, this does not exist: Administrative Tools->Local Security Policy->Audit Policy

Probably because it's Win8.1.. you should specify that your instructions are not for the latest windows version.

AGreenhill said...

.. per my previous comment about this article not applying to Win8.1, I have found that it simply doesn't apply to Win8.1 standard edition. You will require a Pro version to control your OS.

Unknown said...

Great information shared. Thanks for such an informative blog.
In my circumstance, I use LepideAuditor for file server to track the changes made in the file server. It provides captured auditing data in real time at a granular level. It could be a good alternative to PS usage when you wish to audit changes automatically.

Unknown said...

1. First, you need to set up Windows security auditing to monitor file access (and optionally logon) events.
2. If you correctly set up file access auditing for your shared folder, "File system" events will appear in the Security log on every attempt to open a file inside the folder.
3. Event 4660 occurs when someone removes a file or a folder. But its event description doesn't contain the file name.
4. In fact, when a user deletes a file, Windows registers several events: 4663 and then 4660. It can also register event 4656 before 4663.
5. See this article on tracking down who removed files (

GGid Vlog said...

I can't find the Security tab in the folder properties on the D drive... Why?

aJ said...

What's the file system? The Security tab will appear only for NTFS.