How to Track File Deletion Events on Windows Server 2003 Using Audit Policies and Scripts



When critical files keep vanishing from production servers without explanation, it creates both operational headaches and security concerns. On Windows Server 2003 SP2, we have several effective ways to monitor and track file deletion events. Let's explore the most practical approaches.

The most reliable method uses Windows' built-in audit policies. Here's how to configure it:

# Configure audit policy via command line
# Note: the /set /subcategory syntax belongs to the auditpol.exe that ships with
# Windows Vista / Server 2008 and later. Server 2003 has no per-subcategory
# auditing, so use the GUI method below (or the Resource Kit auditpol) there.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Alternative GUI method:
1. Open Local Security Policy (secpol.msc)
2. Navigate to: Local Policies → Audit Policy
3. Enable "Audit object access" for both success and failure
4. Right-click the target file → Properties → Security → Advanced → Auditing
5. Add entries for "Everyone" with "Delete" and "Delete subfolders and files" permissions

Once configured, deletion attempts will appear in the Security log (Event Viewer). Look for Event ID 560 (Object Open, which records the access rights requested on the handle, including DELETE) or 562 (Handle Closed).

For real-time monitoring, create this PowerShell script (save as monitor.ps1):

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "C:\path\to\folder"
$watcher.Filter = "protected_file.txt"
$watcher.IncludeSubdirectories = $false
$watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName
$watcher.EnableRaisingEvents = $true   # required; without it no events are raised

$action = {
    $details = $event.SourceEventArgs
    $changeType = $details.ChangeType
    $name = $details.Name
    $time = $event.TimeGenerated

    # FileSystemWatcher only reports that the file is gone. It carries no
    # information about which account or process deleted it; that is only
    # available from the Security log (event 560) when auditing is enabled.
    Add-Content "C:\logs\file_monitor.log" -Value "$time - $changeType - $name"
}

Register-ObjectEvent $watcher "Deleted" -Action $action

while ($true) { Start-Sleep -Seconds 1 }

Several free tools can help when native solutions aren't sufficient:

  • Process Monitor from Sysinternals: Filters for file system operations
  • FileAudit by ISDecisions: Specialized for tracking file access
  • WinDirStat: Helps identify when files disappear from directory structures

When reviewing Security logs, focus on these key fields:

Event ID: 560
Object Type: File
Object Name: C:\path\to\file.txt
Handle ID: (matches corresponding 562 event)
Process ID: Cross-reference with Task Manager or "tasklist" command
Access Mask: 0x10000 indicates delete operation
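The monitor.ps1 script above cannot say who deleted the file, while the Security log fields just listed can. The following added example (not from the original article) joins the two: on each FileSystemWatcher "Deleted" notification it searches the Security log for the event 560 that requested DELETE on that object and writes the user, domain and process ID to the log. It assumes PowerShell 2.0 on Server 2003, object-access auditing enabled with a Delete audit entry on the folder, the paths shown, and the 560 message layout ("Label:<tabs>value" per line) that the parsing relies on.

```powershell
# Added example, not part of the original article. Helpers and paths are
# declared global so the event Action scriptblock can see them when the
# script is run (rather than dot-sourced). Paths are assumptions.
$global:folder  = 'C:\path\to\folder'
$global:logFile = 'C:\logs\file_monitor.log'

function global:Get-MessageField {
    param([string]$Message, [string]$Label)
    # Assumed event 560 layout: each field is "<Label>:<tabs><value>" on one line
    if ($Message -match ($Label + ':\s*([^\r\n]+)')) { return $matches[1].Trim() }
    return '?'
}

function global:Find-DeleteAuditEvent {
    param([string]$ObjectName, [datetime]$Since)
    # Event 560 (Object Open) lists the rights requested on the handle; a deletion
    # carries DELETE (access mask 0x10000). EventID is compared in Where-Object
    # because -InstanceId includes qualifier bits on pre-Vista security events.
    Get-EventLog -LogName Security -After $Since |
        Where-Object {
            $_.EventID -eq 560 -and
            $_.Message -match 'Accesses:[\s\S]*?\bDELETE\b' -and
            $_.Message -match ('(?m)^\s*Object Name:\s*' + [regex]::Escape($ObjectName) + '\s*$')
        } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time    = $_.TimeGenerated
                Domain  = Get-MessageField $_.Message 'Primary Domain'
                User    = Get-MessageField $_.Message 'Primary User Name'
                Process = Get-MessageField $_.Message 'Process ID'
                Handle  = Get-MessageField $_.Message 'Handle ID'
            }
        }
}

$watcher = New-Object System.IO.FileSystemWatcher $global:folder
$watcher.NotifyFilter = [System.IO.NotifyFilters]::FileName
$watcher.EnableRaisingEvents = $true   # without this no events are ever raised
Register-ObjectEvent $watcher Deleted -Action {
    $path = $event.SourceEventArgs.FullPath
    $when = $event.TimeGenerated
    Start-Sleep -Seconds 2              # give the audit record time to reach the log
    $hits = Find-DeleteAuditEvent -ObjectName $path -Since $when.AddSeconds(-5)
    if (-not $hits) {
        Add-Content $global:logFile "$when DELETED $path - no audit event found (check the SACL)"
    }
    foreach ($h in $hits) {
        Add-Content $global:logFile "$when DELETED $path by $($h.Domain)\$($h.User) pid=$($h.Process) handle=$($h.Handle)"
    }
}
while ($true) { Start-Sleep -Seconds 1 }
```

A "no audit event found" line usually means the Delete audit entry was not inherited by the file, or the deletion went through a path (such as a rename) that did not request DELETE on that object name.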

Beyond monitoring, consider these protective steps:

# Make the file read-only
attrib +r C:\path\to\file.txt

# Restrict delete permissions
icacls C:\path\to\file.txt /deny Everyone:(DE)

When critical files keep vanishing without explanation on production servers, it creates both operational headaches and security concerns. On Windows Server 2003 SP2 (32-bit), several approaches exist to track file deletion events.

First, enable object access auditing through Group Policy:

1. Open gpedit.msc
2. Navigate to: Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy
3. Enable "Audit object access"
4. Right-click the target file → Properties → Security → Advanced → Auditing
5. Add audit entries for "Everyone" with "Delete" permissions

Events will appear in Security Event Log (Event ID 560 for access, 562 for handle closure).

For real-time monitoring, use this PowerShell script that leverages WMI events:

$query = @"
SELECT * FROM __InstanceDeletionEvent
WITHIN 10
WHERE TargetInstance ISA 'CIM_DataFile'
AND TargetInstance.Name = 'C:\\path\\to\\file.ext'
"@
# WQL string literals escape the backslash, hence the doubled separators.
# WITHIN 10 makes WMI poll every 10 seconds, so a deletion may be reported up
# to 10 seconds late; shorter intervals increase CPU load on the server.

Register-WmiEvent -Query $query -Action {
    $deletedFile = $event.SourceEventArgs.NewEvent.TargetInstance
    $timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    $logEntry = "[$timestamp] File deleted: $($deletedFile.Name)"
    Add-Content -Path "C:\logs\file_deletions.log" -Value $logEntry

    # Optional email alert (-From is mandatory; -SmtpServer is needed unless
    # $PSEmailServer is set)
    Send-MailMessage -From "monitor@domain.com" -To "admin@domain.com" `
        -SmtpServer "smtp.domain.com" -Subject "File Deletion Alert" -Body $logEntry
}

For more robust solutions consider:

  • Sysinternals Process Monitor - Filter for file system operations
  • FileAudit (Commercial) - Real-time monitoring with alerts
  • Watchdog - Open-source file system monitor

When investigating:

  1. Check Scheduled Tasks for suspicious entries
  2. Review recent software installations
  3. Examine antivirus logs (false positives sometimes delete files)
  4. Cross-reference deletion times with employee schedules

Beyond monitoring:

# Mark the file read-only (Windows has no immutable flag; the read-only
# attribute only stops casual deletion and is trivially cleared by an
# administrator, so treat it as a speed bump rather than a control)
attrib +r "C:\path\to\file.ext"

# Set restrictive permissions
icacls "C:\path\to\file.ext" /deny Everyone:D