Suramya's Blog


October 19, 2007

How to find out who deleted a particular file

Filed under: Computer Security,Knowledgebase — Suramya @ 11:35 AM

If you want to know who deleted a particular file in Windows 2003, all you need to do is enable auditing on the folder you want to keep track of. Right-click the folder, go to “Sharing and Security”, then the “Security” tab, and click “Advanced” at the bottom. Select the “Auditing” tab, click “Add”, select the group or users to track, then pick which actions you want to track.

To track file deletion you would enable:

Create Files / Write Data: Success/Fail
Create Folders / Append Data: Success/Fail
Delete Subfolders and Files: Success/Fail
Delete: Success/Fail

Once that's done, Windows will log all the information in the Security event log.

- Suramya
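
The same audit entries can be set from PowerShell and the Security log then searched for delete accesses; this is an added example, not part of the original post. It assumes an elevated session on Windows Server 2008 or later (where object access attempts are logged as event 4663; Windows 2003 uses different event IDs), and that the "Audit object access" audit policy is enabled, since without it no events are written. The folder `D:\Shares\Projects` and the `Everyone` group are hypothetical values.

```powershell
# Added example. Assumed values: change before use.
$Folder   = 'D:\Shares\Projects'   # hypothetical folder to audit
$Identity = 'Everyone'             # group or users to track

# The four entries listed in the post, as FileSystemRights flags.
$Rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, Delete'
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop    = [System.Security.AccessControl.PropagationFlags]::None
$Flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$Rule    = New-Object System.Security.AccessControl.FileSystemAuditRule `
               -ArgumentList $Identity, $Rights, $Inherit, $Prop, $Flags

# Read the existing SACL, add the rule, and write it back.
$Acl = Get-Acl -Path $Folder -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Folder -AclObject $Acl

# Confirm what is now audited on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# Later: list who requested DELETE access on objects under the folder.
$DeleteBit = 0x10000   # DELETE right inside the event's AccessMask field
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        # Flatten the <EventData> name/value pairs into a hashtable.
        $data = @{}
        foreach ($item in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$item.Name] = $item.'#text'
        }
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)
        if ($data['ObjectName'] -like "$Folder\*" -and ($mask -band $DeleteBit)) {
            New-Object PSObject -Property @{
                Time    = $evt.TimeCreated
                User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                File    = $data['ObjectName']
                Process = $data['ProcessName']
            }
        }
    } | Sort-Object Time | Format-Table Time, User, File, Process -AutoSize
```

Failed attempts (the "Fail" half of each entry) are logged as a failed handle request rather than as event 4663, so this query only lists successful delete accesses.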

7 Responses to "How to find out who deleted a particular file"

  1. Wait…a…second…

    So you are actually talking about a “good” feature of windows?!
    Wow!

    Comment by Vinit — October 22, 2007 @ 2:24 AM

  2. Hey… I am not that anti-Windows. Windows has its good points, it's just that most of them are not usually relevant to what I want/need. As I have said earlier, people should use what works for them. If Windows has its good points I mention them. However I also mention the bad points. ;)

    If you think I have been posting a lot more about windows than Linux then the reason is simple: I have been using Windows more often recently (due to work) than Linux so I have hit a lot more issues that annoy me in Windows.

    Whatever happened to the MyRoomMate’s OS idea we talked about a few years ago? You still want to take a shot at it?

    - Suramya

    Comment by Suramya — October 25, 2007 @ 12:38 PM

  3. Thanks for the tip… under which log in the Event Viewer will the delete action show?
    I am using Windows Server 2008.

    -Sam

    Comment by Sam — October 10, 2010 @ 4:18 PM

  4. Please refer to this site: http://linuxos4all.blogspot.com/2010/11/how-to-track-which-files-have-been.html

    Comment by Ranju — March 26, 2011 @ 11:37 PM

  5. Hello,

    Please help me, how can I find the user who deleted my Windows Server 2008 startup script details, like images for the user desktop?

    For the last two days I see that when a user logs in at a client desktop machine, no desktop images are applied, so I checked the server GPO LOGON policy but it's not there. So please tell me how I can find who removed it and how, or if it is just a system problem.

    ~Mehul

    Comment by mehul — August 25, 2011 @ 10:30 AM

  6. Hi Mehul,

    Check the audit log as mentioned in the post. If that doesn’t have the information then I am out of ideas as I don’t use Windows that much anymore.

    Regards,

    Suramya

    Comment by Suramya — September 5, 2011 @ 4:30 PM

  7. Closing comments as this post gets an average of 200-250 spam comments each day with no actual comments.

    - Suramya

    Comment by Suramya — November 11, 2011 @ 4:41 PM
