filesystems - How can I find out which process deleted a file in a Windows environment?

06
2014-04
  • pjacko

    I use AllwaySync to synchronize a large number of music files across two external drives attached to Windows machines. Recently, several thousand of the files were deleted from one of the drives, and I'd like to determine the cause of this. Is there a way I can determine which process was responsible for the deletions? I know the approximate date and time of the event from looking at the AllwaySync high level log.

  • Answers
  • Angstrom

    You can't do that post-mortem, sorry.

    You can capture and record future deletions though. The keyword is "audit", and Windows has comprehensive support for auditing all sorts of events, including file deletions. There's more than one way to enable this; see for example here.

    Alternatively, you can use Microsoft's ProcMon to monitor all system activity in real-time and set its filter to show only file deletions.
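
One way to set up the auditing mentioned in the answer above and read back which process deleted a file, as an added example that is not part of the original answer. The folder `E:\Music` and the function name `Get-DeleteEvent` are placeholders chosen here; audit entries can only be set on NTFS volumes, and the commands need an elevated prompt.

```powershell
# Added example. Run elevated. $Path is a placeholder for the folder to watch;
# the volume must be NTFS (FAT32/exFAT cannot carry audit entries).
$Path = 'E:\Music'

# 1. Enable success auditing for the "File System" audit subcategory.
auditpol /set /subcategory:"File System" /success:enable

# 2. Add an audit entry (SACL) that records successful deletes by any account,
#    inherited by every subfolder and file below $Path.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList 'Everyone', 'Delete, DeleteSubdirectoriesAndFiles',
                  'ContainerInherit, ObjectInherit', 'None', 'Success'
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. After a deletion has happened, list Security log event 4663 records
#    whose access mask includes DELETE (0x10000) for objects under $Root.
function Get-DeleteEvent {
    param(
        [string]$Root,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the <EventData> name/value pairs into a hashtable.
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) {
                $d[$n.Name] = $n.'#text'
            }
            $mask = [Convert]::ToInt32($d['AccessMask'], 16)
            if (($mask -band 0x10000) -and $d['ObjectName'] -and
                $d['ObjectName'].StartsWith($Root, [StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    User      = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                    Process   = $d['ProcessName']
                    ProcessId = [Convert]::ToInt32($d['ProcessId'], 16)
                    File      = $d['ObjectName']
                }
            }
        }
}

Get-DeleteEvent -Root $Path | Sort-Object Time | Format-Table -AutoSize
```

Only deletions that happen after steps 1 and 2 are recorded, and a bulk delete of thousands of files writes one event per file, so the Security log's maximum size decides how far back the records reach.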


  • Related Question

    windows - How can I create a script to delete a file?
  • Ivo Flipse

    I have a file in a given folder that I want to delete by either running a script or clicking on some shortcut, but I have no idea how to do so.

    So if the file is in C:\Program Files\Our crappy software\file to be deleted.txt

    How would I do this, preferably without using additional software like AutoHotKey, and only on Windows systems?


  • Related Answers
  • William Hilsum

    Open up Notepad and copy the following into it:

    Del C:\"Program Files"\"Our crappy software"\"file to be deleted.txt"
    

    Save this as either a .cmd or .bat file.

    Run it!

    You can either double click or place a shortcut.

    This will allow you to delete from anywhere. Alternatively, you can use:

    Del "file to be deleted.txt"
    

    as long as the working directory is correct, but it is best to use actual paths.

    FYI - you do not need quotes for one-word names; you just use them where there is a space. Alternatively, you can use the old 8.3 file format (for example, go to a command prompt and a directory with long file names and type dir /x, then you can use file~1 instead of "file to be deleted.txt").

  • JT.WK

    If I am understanding the question correctly, you could write a batch script to solve your problem.

    Something along the lines of:

    del "C:\Program Files\Our crappy software\file to be deleted.txt?" /< options>

    Or something similar.