Auditing file deletions only


Jason Roth


Recently I wanted to start auditing when certain folders
and files are deleted. I did the following:

1) Enabled success/failure on the domain policy
for "object access", and refreshed the machine policy on
the DC's

2) Went to the share in question, and enabled auditing for
the everyone group, and chose to audit success/failure
for "delete" and "delete folders and files". I propagated
the auditing entries all the way down the folder structure.

Now, when a user deletes a file, I get events 560,562, and
564 recorded. 560 and 562 have nothing to do with
deletion, so I have no clue why they are being recorded.
564 is the actual deletion audit entry, but it is useless
because it doesn't indicate the user and file in
question. Supposedly event 563 is what indicates the file
deletion and the user in question, but this is not
appearing in the logs! What am I missing??

Steven L Umbach

From what I can tell there is no one event recorded that will tell the file deleted
and the user name. However you should notice that an event 564 object deleted entry
is preceded by an event 560 object open entry with the same timestamp and that event
560 contains the name of the file and the user. --- Steve


The only problem is that in many cases, the file recorded
in the 560 event that is followed by the 564 event has not
been deleted. I've been informed that the 563 event is
the real indicator of deletion.

Why did Microsoft make something that should be so simple,
so complex and frustrating?


Steven L Umbach

My reference book "Microsoft Windows Security Resource Kit" lists event ID 563 as an
attempt was made to open an object with intent to delete it, however I have not seen
an event ID 563 on my computer so I can't comment on what it contains and it is
curious that neither one of us has seen it though we have seen event ID 564 that
indicates a deletion - at least in my experience. I agree it would be nice to see a
single event recorded, but I have only been able to pin it down to 560/564 pairs as
an indication of a file being deleted and by whom. Maybe you are actually seeing a
file deletion, but it does not appear that way because it was a file modification in
which the original file was deleted while the modified version was saved with the
same name. --- Steve
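As an added illustration of the 560/564 pairing discussed above (example code, not from anyone in the thread), the script below correlates object-open and object-deleted records by Handle ID and Process ID instead of by timestamp, and separately reports a 560 that carried DELETE access but was closed without a 564, which is the case where the file was not actually deleted. The flattened one-line record layout and the sample records are constructed for the example.

```python
# Correlate legacy Windows 560 (Object Open) / 562 (Handle Closed) / 564 (Object Deleted)
# audit records. A 564 carries only Handle ID and Process ID, so the user and file name
# must be taken from the 560 that opened the same handle in the same process.

# Constructed sample records, flattened to one line each (layout is an assumption, not
# log text quoted in the thread). Case 1: real deletion. Case 2: opened with DELETE
# access but only closed, no 564. Case 3: 564 whose 560 is missing (e.g. log rolled over).
SAMPLE_LOG = """\
560; Object Name=D:\\Share\\budget.xls; Handle ID=1844; Process ID=1212; Primary User Name=jroth; Accesses=DELETE SYNCHRONIZE
564; Handle ID=1844; Process ID=1212
562; Handle ID=1844; Process ID=1212
560; Object Name=D:\\Share\\notes.txt; Handle ID=1912; Process ID=1212; Primary User Name=jroth; Accesses=DELETE
562; Handle ID=1912; Process ID=1212
564; Handle ID=2020; Process ID=1212
"""


def parse_event(line):
    """Split 'ID; Key=Value; Key=Value' into a dict with an integer EventID."""
    parts = line.split("; ")
    event = {"EventID": int(parts[0])}
    for pair in parts[1:]:
        key, value = pair.split("=", 1)
        event[key] = value
    return event


def correlate_deletions(lines):
    """Return deletions attributed to a user, opens with DELETE access that were
    never deleted, and 564 records that could not be matched to a 560."""
    open_handles = {}  # (Handle ID, Process ID) -> the 560 record still open
    result = {"deleted": [], "not_deleted": [], "unmatched": []}
    for line in lines:
        event = parse_event(line)
        key = (event.get("Handle ID"), event.get("Process ID"))
        if event["EventID"] == 560:
            open_handles[key] = event
        elif event["EventID"] == 564:
            opened = open_handles.pop(key, None)
            if opened is None:
                result["unmatched"].append(key)  # deletion seen, actor unknown
            else:
                result["deleted"].append((opened["Primary User Name"], opened["Object Name"]))
        elif event["EventID"] == 562:
            opened = open_handles.pop(key, None)
            # Closed without a 564: DELETE access was requested but nothing was removed.
            if opened is not None and "DELETE" in opened["Accesses"].split():
                result["not_deleted"].append((opened["Primary User Name"], opened["Object Name"]))
    return result


if __name__ == "__main__":
    for category, items in correlate_deletions(SAMPLE_LOG.splitlines()).items():
        print(category, items)
```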
