Tracking File Deletions on Windows

If you suspect that a user, process, virus, malware, or hacker is deleting your files, you don’t have to buy expensive software to find out what is responsible. Windows auditing can keep track of anything that deletes your files. You do need Windows Professional or better (Home will not work) to use this solution, though.

The guide below was written for Windows 10, but the steps should be very similar in Windows 7. Windows servers are a bit different: there you have to enable the audit object access settings via GPO.

First, we need to enable auditing for object access. To do this, open Administrative Tools, either by pressing the Windows key and searching for it, or by going here:

Control Panel\System and Security\Administrative Tools

Double-click the Local Security Policy icon.

Now go to Security Settings -> Local Policies -> Audit Policy and double-click Audit Object Access. Check both Success and Failure and press save.

Step one is done. Now go to the folder or file you want to monitor (Desktop in our example), right-click it and press Properties, then go to the Security tab and press “Advanced”.

Now, go to the Auditing tab and press “Advanced”.

Press “Add”, then click “Select a Principal”, type “Everyone” (you can optionally press “Check Names” here), and press OK. You can also monitor specific users instead by typing in their usernames.

Now, press “Show advanced permissions”.

Check only the “Delete subfolders and files” and “Delete” options, and press OK.

Press OK again and it should populate the settings for everything in the folder you selected.

Now go into your folder and make a test file (e.g. “deletetest.txt”), then delete it. Type “Event” in your search bar and open Event Viewer.

Now, press “Create Custom View”, then select “By source” under the filter tab, then scroll down and select “Microsoft Windows Security Auditing.” In the task category field select “File System,” and then for keywords select “Audit Failure” and “Audit Success”, then press OK.

Give it a name like “Deleted files filter”.

Now right-click your new filter and press “Find”, then search for the name of the file that was deleted.

Now, you should see an event log related to who or what deleted your file!
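
The same three steps (audit policy, audit entry on the folder, log search) can be scripted. The following is an added example, not part of the original guide; it assumes an English-language Windows installation, reuses the Desktop folder and “deletetest.txt” from the walkthrough, enables only the File System subcategory rather than all of Object Access, and also audits failed delete attempts.

```powershell
# Run from an elevated PowerShell prompt (reading and writing a SACL needs administrator rights).
$Folder   = "$env:USERPROFILE\Desktop"   # folder to monitor, as in the guide
$FileName = 'deletetest.txt'             # test file from the guide

# 1. Audit policy: success and failure for the File System subcategory only.
#    The subcategory name is localized; "File System" assumes an English system.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. SACL: audit Everyone for "Delete" and "Delete subfolders and files",
#    inherited by every subfolder and file below $Folder.
#    Assumption: denied attempts (Failure) are audited as well as successful ones.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. After deleting the test file: read event 4663 (object access attempt) from the
#    Security log and keep entries whose access mask includes DELETE (0x10000).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'   # e.g. ObjectName, ProcessName, AccessMask
        }
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)
        if ($data['ObjectName'] -like "*\$FileName" -and ($mask -band 0x10000)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Process = $data['ProcessName']
                Object  = $data['ObjectName']
                Outcome = $_.KeywordsDisplayNames -join ','   # Audit Success / Audit Failure
            }
        }
    } | Format-Table -AutoSize -Wrap
```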

One thought to “Tracking File Deletions on Windows”

  1. Thanks a lot for this. Helped me to find which app was deleting my Dropbox files by the thousands. I wouldn’t have found out in a million years otherwise. Was ready to quit Dropbox.
