lohajapanese.blogg.se

File copy log windows 10

Let’s assume you have a shared folder on a server that is accessible to all employees in your company. Users commonly copy documents into this folder so that others can work with them. One day you discover that some files have unexpectedly disappeared from the shared folder. Usually this means that someone deleted these files (consciously or unconsciously). Now we need to detect the person who removed the files.

First, you need to set up Windows security auditing to monitor file access (and optionally logon) events. Of course, you should do it right after creating a shared folder and granting access to it (post factum setup won’t help you). This article describes how to set up security auditing and audit file access and logon events.

If you set up file access auditing correctly for your shared folder, “File system” events will appear in the Security log on every attempt to open a file inside the folder. So be sure that the maximum log size for the Security log is set to a reasonable value (or you risk losing old events). Microsoft recommends 4GB for most of Windows, but this depends on different factors – I prefer much smaller sizes with the autobackup option.

Event 4660 occurs when someone removes a file or a folder. But its event description doesn’t contain the file name: An object was deleted. In fact, when a user deletes a file, Windows registers several events: 4663 and then 4660. (It can also register event 4656 before 4663.) Here is a sample of the 4663 event description: An attempt was made to access an object.

You can notice that the “Access Request Information” group contains the Accesses: DELETE and Access Mask: 10000 parameters. So we can just filter the security event log by Event ID = 4663 and Access Request Information\Accesses = DELETE (and if you enabled auditing for several folders but want to check a specific one, you should also add a filter by Object\Object Name). Now we can see all “file delete” events with file names.

This method works most of the time, but I wouldn’t call it perfect. First, nobody guarantees that Accesses will be DELETE all the time (although you can try Access Request Information\Accesses Contains DELETE). Second, the 4663 event occurs on an access attempt; if your file is protected, event 4660 won’t appear. So to get a more accurate picture, we should rely upon 4663 events and get details from the previous events.

Event Log Explorer features Linked Filter, which allows you to link events in the security log by description parameter. You can link them by the Object\Handle ID parameter. Note that Linked Filter scans events from top to bottom, so make sure that you have sorted events from new to old (our base event will be 4660). Now you can just display who deleted files. The event description keeps these details in the “subject” group. I will use custom columns to show these details in the list. Here is the result of adding custom columns:

You probably noticed that I added Logon ID along with User name. Using the Logon ID, we can detect from which machine user FSPRO\mike deleted files.

Step 2: Configure auditing on files and folders

Follow the steps below to enable auditing for the files and folders you want to audit on your Windows File Server.

  • Open “Windows Explorer”, and navigate to the folder that you want to track.
  • Right-click the folder and select “Properties” from the context menu.

The folder’s properties window appears on the screen.
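The Handle ID linking described in this article can also be done in a script over exported Security log XML. The following is an added example, not code from the original article or from Event Log Explorer: it pairs each 4660 with the latest 4663 DELETE request on the same handle, so an access attempt that never produced a 4660 is not reported as a deletion. The `Data` field names follow the Security log's XML layout; the sample events, the Logon ID value, and the choice to key on Logon ID plus Handle ID are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
DELETE = 0x10000  # the "Access Mask: 10000" shown in the 4663 description


def make_event(event_id, **data):
    """Build one constructed sample event in the Security log's XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{fields}</EventData></Event>')


def parse(xml_text):
    """Return (event id, {field name: value}) for one event."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): d.text for d in root.iter(NS + "Data")}
    return int(root.find(f"{NS}System/{NS}EventID").text), fields


def confirmed_deletions(events_oldest_first):
    """Pair each 4660 with the latest 4663 DELETE request on the same handle."""
    pending, deleted = {}, []
    for xml_text in events_oldest_first:
        event_id, f = parse(xml_text)
        # Assumption: Logon ID + Handle ID identifies one open object.
        key = (f.get("SubjectLogonId"), f.get("HandleId"))
        if event_id == 4663 and int(f["AccessMask"], 16) & DELETE:
            pending[key] = f["ObjectName"]   # DELETE requested, not yet confirmed
        elif event_id == 4660 and key in pending:
            user = f["SubjectDomainName"] + "\\" + f["SubjectUserName"]
            deleted.append((user, f["SubjectLogonId"], pending.pop(key)))
    return deleted


# Constructed sample data, oldest event first (values are illustrative only).
WHO = dict(SubjectDomainName="FSPRO", SubjectUserName="mike", SubjectLogonId="0x3e7a1")
SAMPLE = [
    make_event(4663, **WHO, HandleId="0x5a4", AccessMask="0x1", ObjectName=r"D:\Share\plan.docx"),
    make_event(4663, **WHO, HandleId="0x5b0", AccessMask="0x10000", ObjectName=r"D:\Share\budget.xlsx"),
    make_event(4660, **WHO, HandleId="0x5b0"),
    # DELETE attempt on a protected file: no 4660 follows, so it is not reported.
    make_event(4663, **WHO, HandleId="0x5c8", AccessMask="0x10000", ObjectName=r"D:\Share\locked.pdf"),
    # The handle value 0x5b0 is reused for a different file.
    make_event(4663, **WHO, HandleId="0x5b0", AccessMask="0x10000", ObjectName=r"D:\Share\notes.txt"),
    make_event(4660, **WHO, HandleId="0x5b0"),
]

if __name__ == "__main__":
    for row in confirmed_deletions(SAMPLE):
        print(row)
```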










