Logs on File Delete in Windows 2000?

Posted on 2006-05-01
Last Modified: 2010-04-13
I have had some files and folders deleted off our Windows 2000 file server, and was wondering if there is a log of who accessed or deleted these files?  Does Windows have a log somewhere of file usage?  I was able to recover them from a backup, but I would love to know who removed these critical files.  Thanks.
Question by:ewessel
    LVL 5

    Expert Comment

    It depends on how the auditing settings were configured; by default Windows 2000 doesn't have file access auditing turned on (there's a performance hit if it's on). If auditing was on for this type of activity it would appear in the Security Event log.
    LVL 5

    Expert Comment

    Addendum: Here's a link to a Q/A on auditing:

    Also MS info on auditing:

    Author Comment

    Ok, I supposedly turned on auditing for one particular directory and all its subdirectories according to the MS info article on auditing above, but when I try deleting something myself as a test, nothing gets written to the security event logs.  For users on the auditing tab, I used 'Everyone', and only checked success and failure for 'delete' and 'delete subfolders and files'.  Anything else I should do?
    LVL 5

    Expert Comment

    More MS data:

    Note you need to link the 564 event ID with a corresponding 560 event (and there are many 560 events created).

    Here's what a delete looks like from my PC:

    Event Type:      Success Audit
    Event Source:      Security
    Event Category:      Object Access
    Event ID:      560
    Date:            5/2/2006
    Time:            8:37:56 AM
    User:            TFCMASTER\lumd
    Computer:      TLPBXBM3
    Object Open:
           Object Server:      Security
           Object Type:      File
           Object Name:      C:\Connectix drivers\New Text Document.txt
           Handle ID:      1784
           Operation ID:      {0,427479}
           Process ID:      2988
           Image File Name:      C:\WINDOWS\explorer.exe
           Primary User Name:      lumd
           Primary Domain:      DOMAIN
           Primary Logon ID:      (0x0,0x0x0x1)
           Client User Name:      -
           Client Domain:      -
           Client Logon ID:      -
           Accesses:            DELETE
           Privileges:            -
           Restricted Sid Count: 0
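
The 564/560 linking mentioned in this comment is done on Handle ID (together with Process ID): the 560 names the file, and a later 564 on the same handle confirms that it was actually deleted. The script below is an added example, not part of the original thread; it assumes the events were copied out of Event Viewer as text in chronological order with a blank line between records, and the 564 record in its sample is constructed to match the 560 shown above.

```python
import re
# Constructed sample: the first 560 is trimmed from the post above; the second
# 560 and the 564 are constructed (564 reuses Handle ID 1784, Process ID 2988).
SAMPLE = r"""Event ID: 560
User: TFCMASTER\lumd
Object Name: C:\Connectix drivers\New Text Document.txt
Handle ID: 1784
Process ID: 2988
Accesses: DELETE

Event ID: 560
Object Name: C:\Connectix drivers\readme.txt
Handle ID: 1800
Process ID: 2988

Event ID: 564
User: TFCMASTER\lumd
Handle ID: 1784
Process ID: 2988
"""

def parse_records(text):
    """Split an exported log into one dict of 'Field: value' pairs per event."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        records.append(fields)
    return records

def confirmed_deletes(records):
    """Pair each 564 with the most recent 560 on the same process and handle."""
    open_handles = {}
    deletes = []
    for rec in records:  # must be in chronological order
        key = (rec.get("Process ID"), rec.get("Handle ID"))
        if rec.get("Event ID") == "560":
            open_handles[key] = rec  # handle IDs are reused; the latest open wins
        elif rec.get("Event ID") == "564":
            opened = open_handles.pop(key, {})  # empty if the 560 is not in the export
            deletes.append((rec.get("User"), opened.get("Object Name")))
    return deletes

if __name__ == "__main__":
    for user, name in confirmed_deletes(parse_records(SAMPLE)):
        print(f"{user} deleted {name or '<no matching 560 in this export>'}")
```

A 560 with DELETE in Accesses only shows that delete access was requested on the handle; without a matching 564 it is not evidence that the file was removed.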

    Author Comment

    Ok, now I'm confused more.  I tried following the info in the 'More MS info' link, but I don't even have a 'User manager' under administrative tools on either our Win2k server box or our Win2k3 box.  I suspect this was only a WinNT tool, possibly?  Either way, I'm not getting any 560 events in the Security Event log..

    Oh, and where did you get your 'Here's what a delete looks like from my PC' info?  That might help me to pinpoint what I'm doing wrong...

    Author Comment

    Never mind, I think I see where you got that info..  Unfortunately, like I said, I'm not even getting a 560 event..
    LVL 5

    Accepted Solution

    In the auditing tab make sure you clear the "inherit from parent" box and select "replace auditing on child objects". You can run tests by having the security log open, adding or deleting in the folder, then refreshing the event viewer with F5. I did the same as you and set it for "everyone" but did create and delete successes and failures, but you should still be seeing the deletes.

    If it still doesn't work we have heard of auditing needing to be "kicked" by turning on auditing at the root of the drive, then turning it back off at the root but I think this only applies if the "inherit from parent" has been checked.
