Logs on File Delete in Windows 2000?

Posted on 2006-05-01
Last Modified: 2010-04-13
I have had some files and folders deleted off our Windows 2000 file server, and was wondering if there is a log of who accessed or deleted these files?  Does Windows have a log somewhere of file usage?  I was able to recover them from a backup, but I would love to know who removed these critical files.  Thanks.
Question by:ewessel
LVL 5

Expert Comment

by:The_IT_Garage
ID: 16577211
It depends on how the auditing settings were configured; by default, Windows 2000 doesn't have file access auditing turned on (there's a performance hit if it's on). If auditing was on for this type of activity it would appear in the Security Event log.
LVL 5

Expert Comment

by:The_IT_Garage
ID: 16577246
Addendum: Here's a link to a Q/A on auditing:
http://tinyurl.com/hja5n

Also MS info on auditing:
http://tinyurl.com/8ou2x
Author Comment

by:ewessel
ID: 16585988
Ok, I supposedly turned on auditing for one particular directory and all its subdirectories according to the MS info article on auditing above, but when I try deleting something myself as a test, nothing gets written to the security event logs.  For users on the auditing tab, I used 'Everyone', and only checked success and failure for 'delete' and 'delete subfolders and files'.  Anything else I should do?

LVL 5

Expert Comment

by:The_IT_Garage
ID: 16587740
More MS data: http://tinyurl.com/lwdhn 

Note you need to link the 564 event ID with a corresponding 560 event (and there are many 560 events created).

Here's what a delete looks like from my PC:

Event Type:      Success Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      560
Date:            5/2/2006
Time:            8:37:56 AM
User:            TFCMASTER\lumd
Computer:      TLPBXBM3
Description:
Object Open:
       Object Server:      Security
       Object Type:      File
       Object Name:      C:\Connectix drivers\New Text Document.txt
       Handle ID:      1784
       Operation ID:      {0,427479}
       Process ID:      2988
       Image File Name:      C:\WINDOWS\explorer.exe
       Primary User Name:      lumd
       Primary Domain:      DOMAIN
       Primary Logon ID:      (0x0,0x0x0x1)
       Client User Name:      -
       Client Domain:      -
       Client Logon ID:      -
       Accesses:            DELETE
                  READ_CONTROL
                  ReadAttributes
                  
       Privileges:            -
       Restricted Sid Count: 0
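As an added example (not code from this thread, from Microsoft, or from the tool links above), here is the 564-to-560 correlation described in the comment above, done in Python over a constructed sample of Security log text. The 560 field names follow the event quoted above; the 564 layout, the record separator and every value are assumptions for the sample.

```python
# Constructed sample log (not from the page), in the key/value layout of
# the 560 event quoted above, plus a 564 "Object Deleted" event and a later
# 560 that reuses the same Handle ID. Records are separated by "---".
SAMPLE_LOG = """\
Event ID: 560
User: TFCMASTER\\lumd
Object Name: C:\\Shared\\Budget.xls
Handle ID: 1784
Image File Name: C:\\WINDOWS\\explorer.exe
Accesses: DELETE READ_CONTROL ReadAttributes
---
Event ID: 564
Handle ID: 1784
---
Event ID: 560
User: TFCMASTER\\bob
Object Name: C:\\Shared\\Other.txt
Handle ID: 1784
Image File Name: C:\\WINDOWS\\notepad.exe
Accesses: ReadData
"""

def parse_events(text):
    """Split the log into records and each record into a key -> value dict."""
    events = []
    for chunk in text.split("---"):
        fields = {}
        for line in chunk.strip().splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events

def correlate_deletes(events):
    """Attribute each 564 to the latest 560 that opened the same Handle ID
    with DELETE access. Handle IDs are reused once a handle closes, so only
    the most recent prior 560 for that handle is the right match."""
    open_handles = {}   # Handle ID -> most recent 560 record
    deletes = []
    for ev in events:
        if ev.get("Event ID") == "560":
            open_handles[ev["Handle ID"]] = ev
        elif ev.get("Event ID") == "564":
            opened = open_handles.pop(ev["Handle ID"], None)
            if opened and "DELETE" in opened["Accesses"].split():
                deletes.append((opened["User"], opened["Object Name"],
                                opened["Image File Name"]))
    return deletes
```

The later 560 that reuses Handle ID 1784 is not matched to anything, which is the point of walking the log in order rather than joining on Handle ID alone.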
Author Comment

by:ewessel
ID: 16588938
Ok, now I'm confused more.  I tried following the info in the 'More MS info' link, but I don't even have a 'User manager' under administrative tools on either our Win2k server box or our Win2k3 box.  I suspect this was only a WinNT tool, possibly?  Either way, I'm not getting any 560 events in the Security Event log..

Oh, and where did you get your 'Here's what a delete looks like from my PC' info?  That might help me to pinpoint what I'm doing wrong...
Author Comment

by:ewessel
ID: 16588956
Never mind, I think I see where you got that info..  Unfortunately, like I said, I'm not even getting a 560 event..
LVL 5

Accepted Solution

by:
The_IT_Garage earned 500 total points
ID: 16590261
In the auditing tab make sure you clear the "inherit from parent" box and select "replace auditing on child objects". You can run tests by having the security log open, adding or deleting in the folder, then refreshing the event viewer with F5. I did the same as you and set it for "everyone" but did create and delete successes and failures, but you should still be seeing the deletes.

If it still doesn't work we have heard of auditing needing to be "kicked" by turning on auditing at the root of the drive, then turning it back off at the root, but I think this only applies if the "inherit from parent" has been checked.