PowerShell script to track deleted files

Hi Guys,

I'm trying to track deleted files from our servers. I am able to pull either 560 or 564 using the following:

get-eventlog security | where {$_.eventID -eq 560}

The problem I have is that you need to read both events to make sense of what happened. You need 560 to find out what file was deleted and you need 564 to find out who deleted it.
These are linked by handle id.

Is there a way to pull both 560 and 564 which have the same handle id and group them together?
Also, when you pull event 560 using PowerShell it doesn't show the file name and I don't know which property will bring it up. Is there a way?

I have limited PowerShell knowledge, but I'm guessing that you should be able to pull the 564 events, take the handle id from that event and find the 560 event that goes with it.
Then you just need to group the two together and show only the properties that show which file was deleted, who deleted it, what date and time and from what computer.

Any help would be greatly appreciated.


Manpreet Singh Khatra (Solutions Architect, Project Lead) commented:
get-eventlog security | where {$_.eventID -eq 560} | Select-Object -Property MachineName, TimeGenerated, entrytype, source, eventid, message

Not sure how to club them basis the Event source data ... will check if I find something on this.

- Rancy
thomasmulligan (Author) commented:
Hi Rancy,

Thanks very much, this gives me the details I am looking for.
It would be ideal to be able to pull the 564 event that verifies the delete process has been completed, but what I have will do for now.

Again, thanks for your help.

Question has a verified solution.
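
An added example (not part of the original thread or any poster's code) of the correlation the question describes: each 564 is paired with the most recent 560 on the same machine that carries the same handle ID, and the user is taken from the 564 entry. It assumes the event message text has `Object Name:` and `Handle ID:` labels and PowerShell 3.0 or later; `Get-MessageField` and `Join-DeleteEvents` are hypothetical helper names, and the sample events are constructed.

```powershell
# Added example: pair each 564 (delete) with the 560 (open) sharing its Handle ID.
function Get-MessageField {
    param([string]$Message, [string]$Label)
    # Assumed layout: one "Label:<tab>value" pair per line of the event message.
    if ($Message -match "(?m)^\s*$([regex]::Escape($Label)):[ \t]*(.*?)\s*$") { $Matches[1] }
}

function Join-DeleteEvents {
    param([object[]]$Events)
    $opens = @{}   # "machine|handle" -> most recent 560 seen so far
    foreach ($e in $Events | Sort-Object TimeGenerated) {
        $handle = Get-MessageField $e.Message 'Handle ID'
        if (-not $handle) { continue }          # no handle, nothing to correlate
        $key = '{0}|{1}' -f $e.MachineName, $handle
        if ($e.EventID -eq 560) {
            $opens[$key] = $e
        } elseif ($e.EventID -eq 564 -and $opens.ContainsKey($key)) {
            $open = $opens[$key]
            $opens.Remove($key)                 # handle IDs are reused, so consume the match
            [pscustomobject]@{
                File     = Get-MessageField $open.Message 'Object Name'
                User     = $e.UserName          # user recorded on the 564 entry
                Deleted  = $e.TimeGenerated
                Computer = $e.MachineName
                HandleId = $handle
            }
        }
    }
}

# Constructed sample events (not real log data), shaped like Get-EventLog output.
$t = Get-Date '2012-01-01 10:00:00'
$sample = @(
    [pscustomobject]@{ EventID = 560; TimeGenerated = $t; MachineName = 'SRV01'; UserName = 'CORP\alice'
        Message = "Object Open:`r`n`tObject Type:`tFile`r`n`tObject Name:`tD:\Share\report.doc`r`n`tHandle ID:`t1234" }
    [pscustomobject]@{ EventID = 564; TimeGenerated = $t.AddSeconds(1); MachineName = 'SRV01'; UserName = 'CORP\alice'
        Message = "Object Deleted:`r`n`tObject Server:`tSecurity`r`n`tHandle ID:`t1234" }
)
Join-DeleteEvents $sample | Format-Table -AutoSize

# Against a live log:
# Join-DeleteEvents (Get-EventLog -LogName Security | Where-Object { 560, 564 -contains $_.EventID })
```

A 564 with no earlier 560 in the input is skipped, so widen the time range if deletions appear to be missing.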
