[Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2252
  • Last Modified:

Powershell script to track deleted files

Hi Guys,

I'm trying to track deleted files from our servers. I am able to pull either 560 or 564 using the following:

get-eventlog security | where {$_.eventID -eq 560}

The problem I have is that you need to read both events to make sense of what happened. You need 560 to find out what file was deleted and you need 564 to find out who deleted it.
These are linked by handle id.

Is there a way to pull both 560 and 564 which have the same handle id and group them together?
Also , when you pull event 560 using Powershell it doesn't show the file name and I don't know which property will bring it up, is there a way?

I have limited Powershell knowledge, but I'm guessing that you should be able to pull the 564 events, take the handle id from that event and find the 560 event that goes with it.
Then you just need to group the two together and show only the properties that show which file was deleted, who deleted it, what date and time and from what computer.

Any help would be greatly appreciated.


1 Solution
Manpreet SIngh KhatraSolutions Architect, Project LeadCommented:
get-eventlog security | where {$_.eventID -eq 560} | Select-Object -Property MachineName, TimeGenerated, entrytype, source, eventid, message

Not sure how to club them basis the Event source data ... will check if i find something on this.

- Rancy
thomasmulliganAuthor Commented:
Hi Rancy,

Thanks very much, this gives me the details I am looking for.
It would be ideal to be able to pull the 564 event that verifies the delete process has been completed, but what I have will do for now.

Again, thanks for your help.


Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now