Share via


How to Detect Who Deleted a File from Your File Server

Why It Is Important

If a file on your server is deleted maliciously or by mistake, it can lead to losses of sensitive data and the inability of users to access the information they are intended to use, both of which may result in additional troubles for IT staff.
**
Native Auditing**

**1. **Navigate to the required file share, right-click it and select "Properties" Select the "Security" tab → "Advanced" button → "Auditing" tab → Click "Add" button and select:

  • Principal: "Everyone"; 
  • Type: "All"; 
  • Applies to: "This folder, subfolders and files"; 
  • Advanced Permissions: "Delete subfolders and files" and "Delete".

**2. **Run gpedit.msc Edit → "Default Domain Policy" → Computer Configuration → Policies → Windows Settings → Security Settings → Go to Local Policies → Audit Policy:

  • Audit object access → Define → Success and Failures.

**3. **Go to "Advanced Audit Policy Configuration" → Audit Policies → Object Access:

  • Audit File System → Define → Success and Failures
  • Audit Handle Manipulation → Define → Success and Failures.

**4. **Go to Event Log → Define:

  • Maximum security log size to 1gb
  • Retention method for security log to Overwrite events as needed.

**5. **Open Event Viewer and search Security log for event id 4656 with "File System" or "Removable Storage" task category and with "Accesses: DELETE" string. "Subject: Security ID" will show you who has deleted a file.

https://img.netwrix.com/howtos/event_4656.png

6. Real Life Use Case Video: 
View

7. Credits: Originally posted - https://www.netwrix.com/how_to_detect_who_deleted_file.html