A file or folder on a Windows system (client or server OS) can go missing for many different reasons. A user may log on to the system interactively or remotely and delete it, or a malicious process may delete it. If you are unsure who is deleting files or folders, Windows object-access auditing is the best way to find out.
Follow this sequence to understand the concepts.
Enable Windows auditing from Local Security Policy (Run: secpol.msc). If you are doing this against multiple servers, edit the Group Policy from a domain controller instead.
You can use the following PowerShell to automate this step (run it from an elevated prompt).
# Export the current local security policy to a text file
secedit /export /cfg c:\secpol.cfg
# Turn on Object Access auditing (3 = audit both Success and Failure)
(gc C:\secpol.cfg).replace("AuditObjectAccess = 0", "AuditObjectAccess = 3") | Out-File C:\secpol.cfg
# Import the modified policy back into the local security database
secedit /configure /db c:\windows\security\local.sdb /cfg c:\secpol.cfg /areas SECURITYPOLICY
# Remove the temporary export file
rm -force c:\secpol.cfg -confirm:$false
Update Group Policy using the following command.
gpupdate /force
Select the folder that needs to be audited. In my example, I am enabling auditing for the Delete action on the c:\temp\temp folder.
You can use the PowerShell below (modifying a folder's SACL requires administrator rights).
# Uncomment if the folder you intend to audit isn't created yet.
# New-Item -Type Directory -Path C:\temp\temp
$Folder = "c:\temp\temp"
$ACL = Get-Acl $Folder
# Audit rule: principal Everyone, right Delete, audit flags 3 = Success and Failure
$ar1 = New-Object System.Security.AccessControl.FileSystemAuditRule ("Everyone", "Delete", "3")
$ACL.SetAuditRule($ar1)
# Write the updated SACL back to the folder
Set-Acl $Folder $ACL
Now if anyone (user or process) deletes your file, an event will be generated in Event Viewer. For example, I am deleting File1.txt using Windows Explorer (right-click \ Delete) and a second file using PowerShell.
RM -Force C:\Temp\TEMP\File2.txt -Confirm:$false
Open Event Viewer and search the Security log for Event ID 4656 with the "File System" task category and the string "Accesses: DELETE". The "Subject:" section shows who deleted the file, and "Process Information:" shows which program did it.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: MM/DD/YYYY HH:MM:SS
Event ID: 4656
Task Category: File System
Level: Information
Keywords: Audit Success
User: N/A
Computer: server.domain.local
Description:
A handle to an object was requested.

Subject:
	Security ID: domain\user1
	Account Name: user1
	Account Domain: domain
	Logon ID: 0x98B5C

Object:
	Object Server: Security
	Object Type: File
	Object Name: C:\Temp\Temp\File2.txt
	Handle ID: 0x774
	Resource Attributes: -

Process Information:
	Process ID: 0x4c4c
	Process Name: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Access Request Information:
	Transaction ID: {00000000-0000-0000-0000-000000000000}
	Accesses: DELETE
	          ReadAttributes
	Access Reasons: DELETE: Granted by D:(A;ID;FA;;;BA)
	                ReadAttributes: Granted by D:(A;ID;FA;;;BA)
	Access Mask: 0x10080
	Privileges Used for Access Check: -
	Restricted SID Count: 0
Or you can use the basic PowerShell below to query the Security event log (Get-EventLog exists in Windows PowerShell 5.1 but was removed from PowerShell 7, where Get-WinEvent is the replacement).
Get-EventLog -LogName Security -InstanceId 4656
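The one-liner above returns every 4656 event, so on a busy server you still have to pick out the deletions by hand. The script below is an added example (not from the original post) that does that filtering for you: it reads 4656 and 4663 events (4663, "An attempt was made to access an object", carries the same Subject, Process and Access Mask fields) from the Security log with Get-WinEvent, parses each event's XML, keeps only file objects under the audited folder whose access mask includes the DELETE standard right (0x10000, the bit you can see in the 0x10080 mask of the event above), and reports who and which process requested it. It assumes the audit policy and folder SACL were configured as in the steps above and that it runs elevated; $WatchFolder and $Since are illustrative defaults.

```powershell
# Added example, not part of the original post. Lists delete requests for files under an
# audited folder by reading Security events 4656/4663 and parsing their XML payload.
# Assumes: audit policy and SACL configured as above; run from an elevated PowerShell.
param(
    [string]$WatchFolder = 'C:\Temp\Temp',                 # illustrative: the audited folder
    [datetime]$Since     = (Get-Date).AddHours(-24)        # illustrative: how far back to look
)

# Sanity check: confirm the "File System" subcategory is being audited at all.
auditpol /get /subcategory:"File System"

# DELETE is a standard access right: bit 0x00010000 of the access mask.
$DeleteRight = 0x10000

$filter = @{
    LogName   = 'Security'
    Id        = 4656, 4663     # 4656 = handle requested, 4663 = access attempted
    StartTime = $Since
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Each record's EventData is a list of <Data Name="..."> elements; flatten it to a hashtable.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only file objects under the audited folder.
    if ($data['ObjectType'] -ne 'File') { return }
    if (-not $data['ObjectName']) { return }
    if (-not $data['ObjectName'].StartsWith($WatchFolder, [StringComparison]::OrdinalIgnoreCase)) { return }

    # Keep only requests whose access mask includes the DELETE right.
    $mask = [Convert]::ToInt32($data['AccessMask'], 16)
    if (($mask -band $DeleteRight) -eq 0) { return }

    [pscustomobject]@{
        Time     = $_.TimeCreated
        EventId  = $_.Id
        Subject  = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        LogonId  = $data['SubjectLogonId']
        Process  = $data['ProcessName']
        File     = $data['ObjectName']
        Mask     = ('0x{0:X}' -f $mask)
        HandleId = $data['HandleId']
    }
} | Sort-Object Time | Format-Table -AutoSize
```

A 4656/4663 with DELETE only proves the right was requested and granted; to confirm the file actually went away, look for a matching 4660 ("An object was deleted") with the same Handle ID and Logon ID. The Logon ID also lets you join back to the 4624 logon event to see whether the session was interactive or remote.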