Windows Server 2003
I have found the article http://whatevernetworks.com/?p=108
And the description in this article says: to find deleted files in an audited directory I have to find event 560.
But I have about 60 000 events.
My file abcd.txt is missing and I have to find who deleted it, but I can't click 60 000 times to find it.
Moreover, most of those events look like Object Open, not Object Deleted.
How do I find this particular one?
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 2/23/2014
Time: 11:48:00 PM
User: DOMAIN\user
Computer: PLWAW1FS00003
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: E:\Temp\download.domain.com\example.zip
Handle ID: 1788
Operation ID: {0,477992664}
Process ID: 1692
Image File Name: C:\WINDOWS\system32\xcopy.exe
Primary User Name: user
Primary Domain: DOMAIN
Primary Logon ID: (0x0,0x1C7D2FA0)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: DELETE
READ_CONTROL
WRITE_DAC
WRITE_OWNER
SYNCHRONIZE
ACCESS_SYS_SEC
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Privileges: SeBackupPrivilege
SeRestorePrivilege
Restricted Sid Count: 0
Access Mask: 0x11F019F
The Find fields are: Information/Warning/Error/Success/Failure
Event source: DS/IIS/LSA etc...
Event ID:
User:
Computer:
Description:
and there is no filename or action.
Maybe I can use PowerShell to search through the logs?
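Filtering the Security log with PowerShell instead of clicking through the Find dialog, as an added example (not from the question or the linked article). It assumes PowerShell 2.0 is installed on the 2003 file server (Get-EventLog is available there, Get-WinEvent is not); the file name, computer name and field labels are taken from the question.

```powershell
# Added example: list the Object Open (560) events that opened a given file
# with DELETE access, so the 60 000 entries shrink to the handful that matter.
param(
    [string]$FileName = 'abcd.txt',          # file the poster is looking for
    [string]$Computer = 'PLWAW1FS00003',     # server named in the posted event
    [datetime]$After  = (Get-Date).AddDays(-7)
)

# Filter on ID and date first so the full description is only parsed for 560s.
$events = Get-EventLog -LogName Security -ComputerName $Computer -After $After |
    Where-Object { $_.EventID -eq 560 }

$hits = foreach ($e in $events) {
    $msg = $e.Message
    # "Object Name:" carries the full path; keep only events for our file.
    $nameRx = "(?m)^Object Name:\s+(?<path>.*\\$([regex]::Escape($FileName)))\s*$"
    if ($msg -notmatch $nameRx) { continue }
    $path = $matches['path']
    # The Accesses block runs from "Accesses:" to "Privileges:"; DELETE must be
    # one of the requested accesses, not just a word elsewhere in the text.
    if ($msg -notmatch '(?s)Accesses:(?<acc>.*?)Privileges:') { continue }
    if ($matches['acc'] -notmatch '\bDELETE\b') { continue }
    $image  = if ($msg -match '(?m)^Image File Name:\s+(.+?)\s*$') { $matches[1] } else { '' }
    # Handle ID lets you correlate this open with the later event (564, Object
    # Deleted) that records the handle actually being used to delete the file.
    $handle = if ($msg -match '(?m)^Handle ID:\s+(\d+)') { $matches[1] } else { '' }
    New-Object PSObject -Property @{
        Time     = $e.TimeGenerated
        User     = $e.UserName
        Process  = $image
        HandleId = $handle
        Path     = $path
    }
}

$hits | Sort-Object Time | Format-Table Time, User, Process, HandleId, Path -AutoSize
```

A 560 entry only proves a handle was opened with DELETE among its accesses (xcopy opens files that way too); the HandleId column is what you match against the follow-up event to confirm the delete actually happened.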