How to Identify Who Deleted Files and Folders on Your Windows Server
- sandeep
- 17 hours ago
Losing important files or folders on a Windows server can cause serious disruptions. Whether the deletion was accidental or intentional, knowing who deleted the data is crucial for troubleshooting, accountability, and preventing future incidents. Windows servers offer built-in tools and logs that help track file and folder deletions, but many administrators overlook these features or find them difficult to interpret.
This guide explains practical steps to discover who deleted files and folders on your Windows server. You will learn how to enable auditing, review logs, and use additional tools to pinpoint the responsible user. By following these methods, you can improve your server’s security and maintain better control over your data.
Enable File and Folder Auditing on Windows Server
Windows servers do not track file deletions by default. To identify who deleted files or folders, you must first enable auditing on the server. This process involves two main steps: configuring audit policies and setting auditing on specific files or folders.
Configure Audit Policies
Open the Local Group Policy Editor by typing `gpedit.msc` in the Run dialog.
Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
Find Audit Object Access and enable both Success and Failure events.
Apply the changes and close the console.
This setting tells Windows to record events related to file and folder access, including deletions.
Set Auditing on Files or Folders
Right-click the folder or file you want to monitor and select Properties.
Go to the Security tab and click Advanced.
Switch to the Auditing tab and click Add.
Choose the users or groups you want to audit (for example, Everyone).
Select the types of access to audit, such as Delete and Delete Subfolders and Files.
Confirm and apply the settings.
Once auditing is enabled, Windows will log deletion events for the specified files or folders.
Use Event Viewer to Find Deletion Events
After setting up auditing, the next step is to check the Windows Event Viewer for deletion records. The Event Viewer stores detailed logs about system activities, including file operations.
Locate Relevant Events
Open Event Viewer by typing `eventvwr.msc` in the Run dialog.
Navigate to Windows Logs > Security.
Look for events with Event ID 4663. This event indicates an attempt to access an object, including file deletions.
Filter the logs by keywords such as “Delete” or by the file path to narrow down results.
Understand Event Details
Each event includes important information:
Subject: The user account that performed the action.
Object Name: The file or folder path.
Access Mask: The type of access, such as delete.
Process Name: The program used to delete the file.
By reviewing these details, you can identify who deleted the file and when.
Use PowerShell to Simplify Log Analysis
Manually searching through Event Viewer can be time-consuming, especially on busy servers. PowerShell scripts can automate the process and extract relevant deletion events quickly.
Here is a simple PowerShell command to find file deletion events in the Security log:
```powershell
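# Event 4663 field positions: [1] SubjectUserName, [6] ObjectName, [9] AccessMask
# Keep only events whose access mask includes the DELETE right (0x10000)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} |
    Where-Object { ([int]$_.Properties[9].Value -band 0x10000) -ne 0 } |
    Select-Object TimeCreated,
        @{Name="User"; Expression={$_.Properties[1].Value}},
        @{Name="File"; Expression={$_.Properties[6].Value}} |
    Format-Table -AutoSize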
```
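This command filters events with ID 4663, checks if the access includes deletion, and displays the time, user, and file involved. Run it from an elevated PowerShell session, because reading the Security log requires administrative rights.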
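The same check with the event fields read by name instead of by position, as an added example that is not part of the original post. The function name `ConvertFrom-Event4663Xml` and the sample event (user, domain, path, timestamp) are constructed for illustration.

```powershell
# Added example: parse a 4663 event's XML and flag DELETE access by field name.
function ConvertFrom-Event4663Xml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $evt = ([xml]$Xml).Event
        # Index the EventData values by field name so position does not matter
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (-not $data['AccessMask']) { return }   # skip events without a mask
        # AccessMask is rendered as hex text, e.g. 0x10000
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)
        [pscustomobject]@{
            Time    = [datetime]$evt.System.TimeCreated.SystemTime
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            File    = $data['ObjectName']
            Process = $data['ProcessName']
            Delete  = ($mask -band 0x10000) -ne 0   # 0x10000 = DELETE right
        }
    }
}

# Constructed sample event (not taken from a real log) so the parser runs offline
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4663</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:00.0000000Z" />
  </System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="ObjectName">D:\Shares\Finance\budget.xlsx</Data>
    <Data Name="AccessMask">0x10000</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@

$sample | ConvertFrom-Event4663Xml | Where-Object Delete | Format-List

# Live use from an elevated session:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-Event4663Xml |
#     Where-Object Delete | Sort-Object Time | Format-Table -AutoSize
```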
Consider Actonix for Advanced Monitoring
While Windows auditing and Event Viewer provide basic tracking, third-party tools can offer more user-friendly interfaces and advanced features such as real-time alerts, detailed reports, and centralized monitoring. Actonix can save time and improve accuracy, especially in larger environments.
Best Practices to Prevent Unauthorized Deletions
Identifying who deleted files is important, but preventing unauthorized deletions is even better. Here are some tips:
Limit file and folder permissions to only necessary users.
Use Access Control Lists (ACLs) to restrict delete rights.
Regularly review audit logs to detect suspicious activity early.
Educate users about the importance of data security.
Implement backup solutions to recover deleted files quickly.
By combining auditing with good security practices, you reduce the risk of data loss.