Windows事件日志已删除文件信息
[英]Windows Event log Deleted files Information
问题描述
How can I get information of deleted file(s) in Windows,which a user deleted file/folder over share network? 
如何在Windows中获取已删除文件的信息,即用户通过共享网络删除了文件/文件夹?
Is there a place where Window Logs all such information. Window是否在其中记录了所有此类信息。 If yes then where? 如果是,那么在哪里?
Can we trace such detail programmatically using c# ? 我们可以使用c#以编程方式跟踪此类详细信息吗?
1 个解决方案
解决方案1
1 2016-02-01 08:29:03
No, there is normally no evidence after the fact of file deletion activity. 不,在文件删除活动发生后,通常没有证据。 There are no logs made unless you have an application that does the logging. 除非您有执行日志记录的应用程序,否则不会进行任何日志记录。
If you need to track file deletions you can do so using the FileSystemWatcher class. 如果需要跟踪文件删除,可以使用FileSystemWatcher类进行。 It will only tell you what is changed however not who did the changes, and will only track changes on the local filesystem. 它只会告诉你什么改变但是没有谁做的修改,并且只记录在本地文件系统的变化。 For a network share that means you have to be running on the server that hosts the share. 对于网络共享,这意味着您必须在承载该共享的服务器上运行。
For tracking who did the deletion on a network share the only option I can think of is to use network packet inspection. 为了跟踪谁在网络共享上进行了删除,我想到的唯一选择是使用网络数据包检查。 This is quite resource expensive and involved, as it will require you to manually reassemble and interpret SMB messages. 这是非常昂贵的资源,并且涉及很多资源,因为这将需要您手动重新组装和解释SMB消息。 Not simple. 不简单。 If you really want to try this then WinPcap (via something like SharpPcap or PcapDotNet ) will give you access to the packets, and do a lot of reading on the SMB protocol . 如果您真的想尝试此操作,则WinPcap (通过SharpPcap或PcapDotNet类的SharpPcap )将使您能够访问数据包,并在SMB协议上进行了大量阅读。
Just be aware that those are some pretty deep waters to be jumping into. 只是要注意,这些都是很深的水域。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.