Windows Event log Deleted files Information
Question
How can I get information of deleted file(s) in Windows,which a user deleted file/folder over share network?
Is there a place where Window Logs all such information. If yes then where?
Can we trace such detail programmatically using c# ?
1 answers
solution1
1 2016-02-01 08:29:03
No, there is normally no evidence after the fact of file deletion activity. There are no logs made unless you have an application that does the logging.
If you need to track file deletions you can do so using the FileSystemWatcher class. It will only tell you what is changed however not who did the changes, and will only track changes on the local filesystem. For a network share that means you have to be running on the server that hosts the share.
For tracking who did the deletion on a network share the only option I can think of is to use network packet inspection. This is quite resource expensive and involved, as it will require you to manually reassemble and interpret SMB messages. Not simple. If you really want to try this then WinPcap (via something like SharpPcap or PcapDotNet ) will give you access to the packets, and do a lot of reading on the SMB protocol .
Just be aware that those are some pretty deep waters to be jumping into.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.