Identify Who or What Deleted Files on Windows Server/Workstation — SACL Auditing with Event ID 4663/4660
Windows does not log file deletions by default. To identify the user, process, or service responsible for deleting files from a server or workstation, the 'Audit File System' subcategory must be enabled and a SACL configured on the target folder. Future deletions are then traceable via Security Event ID 4663 (an attempt was made to access an object, with DELETE in the Accesses field) correlated with Event ID 4660 (an object was deleted) by Handle ID and Process ID, exposing the Subject account, Process Name, and Object Name. Deletions that occurred before auditing was enabled cannot be recovered from the Security log and require VSS snapshots, backups, or third-party file activity monitor data.
Indicators
- Files or folders missing from a known location without any recorded change-control action
- Users reporting missing documents from a shared drive or mapped network location
- Backup jobs reporting fewer files / smaller dataset than the previous run
- Empty directories where data previously existed; folder structure intact but contents gone
- Antivirus / EDR alerts coinciding with file disappearance (possible ransomware or wiper activity)
- DFSR / OneDrive / robocopy /MIR mirroring deletions from an upstream source
Likely causes
- Legitimate user deletion via Explorer, command line, or mapped drive
- Script, scheduled task, or application performing automated cleanup (e.g. log rotation, temp purge)
- Backup or sync software (OneDrive, DFSR, robocopy /MIR, rsync) mirroring a deletion from another source
- Malware / ransomware deletion or encryption activity (delete-then-write pattern)
- Group Policy or SCCM/MECM deployment removing files via package action
- Administrator action via remote session, PsExec, or PowerShell Remoting
Diagnostic steps
- Check the current file system audit policy: auditpol /get /subcategory:"File System". If the subcategory reports "No Auditing", no historical deletion events were captured and recovery must come from VSS, backups, or a third-party monitor.
- Query the existing Security log for prior deletion events on the affected path: Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663,4660} -MaxEvents 1000 | Where-Object { $_.Message -match 'PATH\\TO\\FOLDER' } | Format-List TimeCreated, Id, Message. This surfaces any already-logged deletions and the associated user/process before new auditing is enabled. Note that 4660 events carry no Object Name, so the path match only returns 4663 events; locate the matching 4660 afterwards by Handle ID and Process ID. Reading the Security log requires local administrator or Event Log Readers membership.
- Review the SACL on the parent folder: (Get-Acl -Path 'D:\Shares\Data' -Audit).Audit. Confirm that Delete and Delete subfolders and files are audited for the relevant principals. Reading a SACL requires SeSecurityPrivilege, so run from an elevated session.
- Enumerate active SMB sessions and open files: Get-SmbOpenFile; Get-SmbSession. This identifies remote users currently connected to the share who may be deleting in real time.
- Inspect scheduled tasks and recent process creation (Event 4688): Get-ScheduledTask | Where-Object {$_.State -eq 'Ready'}; Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 200. This rules out automation, cleanup scripts, or suspicious processes as the cause. 4688 is only present if 'Audit Process Creation' is enabled, and the command line is only recorded if 'Include command line in process creation events' is also enabled.
- Check Volume Shadow Copies for recoverable previous versions: vssadmin list shadows /for=D:. Recover deleted data and correlate snapshot timestamps with the deletion window: a file present in one snapshot and absent from the next bounds the time of deletion.
- If real-time observation is needed, launch Sysinternals Process Monitor with the filter Operation is SetDispositionInformationFile (SetDispositionInformationEx on newer Windows builds), or Operation is CreateFile and Detail contains 'Delete' to catch handles opened with FILE_DELETE_ON_CLOSE. This captures live deletions with full process tree and command-line attribution.
Resolution path
- Enable Advanced Audit Policy via GPO: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > 'Audit File System' = Success, Failure. Ensure 'Audit: Force audit policy subcategory settings to override audit policy category settings' is Enabled under Local Policies > Security Options.
- On the target host, confirm/enable locally from an elevated prompt: auditpol /set /subcategory:"File System" /success:enable /failure:enable
- Apply a SACL on the affected folder. GUI: Right-click folder > Properties > Security > Advanced > Auditing tab > Add > Principal: Everyone (or specific group), Type: All (or Success), Applies to: This folder, subfolders and files, Permissions: Delete + Delete subfolders and files.
- PowerShell SACL equivalent (run elevated; use Get-Acl -Audit so existing audit entries are preserved rather than replaced): $acl = Get-Acl 'D:\Shares\Data' -Audit; $rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone','Delete,DeleteSubdirectoriesAndFiles','ContainerInherit,ObjectInherit','None','Success'); $acl.AddAuditRule($rule); Set-Acl 'D:\Shares\Data' $acl
- Resize the Security log to retain enough history: wevtutil sl Security /ms:1073741824 (1 GB)
- Monitor the Security log for Event ID 4663 with Accesses: DELETE (Access Mask 0x10000), then locate the matching Event ID 4660 by Handle ID and Process ID to confirm the object was actually removed. Extract Subject User Name, Subject Logon ID, Process Name, and Object Name from the 4663 event XML (Process ID is recorded as a hex string). A 4663 DELETE with no matching 4660 is usually a rename or a move to the Recycle Bin, since renaming also requires DELETE access, or a handle that was closed without deleting.
- For sustained monitoring, deploy Sysmon (FileDelete Event 23, which archives a copy of the deleted file, and FileDeleteDetected Event 26, which only records it) with a tuned config (e.g. SwiftOnSecurity baseline) and/or forward Security events to a SIEM (Sentinel, Splunk, Elastic) for retention beyond local log roll-over.
- If sustained auditing is impractical due to log volume, deploy a dedicated file activity monitor (Netwrix Auditor, ManageEngine FileAudit Plus, Varonis) which aggregates and indexes events more efficiently.
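The correlation described in the diagnostic and monitoring steps above, as an added PowerShell example that is not part of the original page: it reads 4663 and 4660 from the Security log, keeps only 4663 events whose Access Mask has the DELETE bit (0x10000) and whose Object Name is under a given path, and joins each one to the 4660 that closes the same Process ID + Handle ID, walking the log oldest-first so a reused handle ID matches the most recent open. The share path 'D:\Shares\Data', the lookback window, and the function name are assumptions. It requires 'Audit File System' and a Delete SACL to already be in place, and read access to the Security log.

```powershell
function Get-FileDeletionReport {
    <#
      Added example, not from the original page. Joins Security 4663 (Accesses includes
      DELETE) to 4660 (object deleted) by ProcessId|HandleId and returns one record per
      deletion. Parameter defaults are example values.
    #>
    [CmdletBinding()]
    param(
        [string]   $PathPrefix   = 'D:\Shares\Data',          # assumed share root
        [datetime] $StartTime    = (Get-Date).AddDays(-7),
        [int]      $MaxEvents    = 50000,
        [string]   $ComputerName = $env:COMPUTERNAME,
        [switch]   $IncludeUnconfirmed                         # also return 4663 DELETE with no 4660
    )

    $DELETE = 0x10000   # ACCESS_MASK bit for DELETE, as shown in the 4663 Access Mask field

    $events = Get-WinEvent -ComputerName $ComputerName -MaxEvents $MaxEvents -ErrorAction Stop `
        -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4660; StartTime = $StartTime }

    # Process oldest-first: a handle ID can be reused by the same process, so a 4660
    # must be matched to the most recent 4663 that opened that handle, not an earlier one.
    $pending = @{}                                         # "ProcessId|HandleId" -> open record
    $results = New-Object System.Collections.Generic.List[object]

    foreach ($e in ($events | Sort-Object TimeCreated, RecordId)) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        $key  = '{0}|{1}' -f $data.ProcessId, $data.HandleId

        if ($e.Id -eq 4663) {
            # AccessMask is a hex string such as 0x10000; keep only handles with DELETE.
            $mask = [Convert]::ToInt64($data.AccessMask, 16)
            if (($mask -band $DELETE) -eq 0) { continue }
            $name = [string]$data.ObjectName
            if (-not $name.StartsWith($PathPrefix, [StringComparison]::OrdinalIgnoreCase)) { continue }

            $pending[$key] = [pscustomobject]@{
                Time        = $e.TimeCreated
                ObjectName  = $name
                Subject     = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                LogonId     = $data.SubjectLogonId
                ProcessId   = [int]$data.ProcessId          # hex string ("0x1a2c") -> int
                ProcessName = $data.ProcessName
                HandleId    = $data.HandleId
                DeletedAt   = $null
                Confirmed   = $false
            }
        }
        elseif ($e.Id -eq 4660 -and $pending.ContainsKey($key)) {
            # 4660 has no ObjectName; the handle is the only link back to the path.
            $rec = $pending[$key]
            $rec.DeletedAt = $e.TimeCreated
            $rec.Confirmed = $true
            $results.Add($rec)
            $pending.Remove($key)
        }
    }

    # Leftover entries are DELETE handles that never produced a 4660: typically a rename
    # or move to the Recycle Bin (renames need DELETE access) or a handle closed unused.
    if ($IncludeUnconfirmed) { foreach ($rec in $pending.Values) { $results.Add($rec) } }
    $results | Sort-Object Time
}

# Usage (example values):
# Get-FileDeletionReport -PathPrefix 'D:\Shares\Data' -StartTime (Get-Date).AddHours(-24) |
#     Format-Table Time, Subject, ProcessName, ObjectName, DeletedAt -AutoSize
```

The filter on Access Mask rather than on the message text matters because the localized Accesses string varies by language and because a single 4663 can carry several access bits at once; the join on Process ID as well as Handle ID matters because handle values are only unique within one process.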
Prevention
- Enable 'Audit File System' (Success and Failure) via GPO on all file servers by default; apply SACLs on critical data shares as part of the server build/baseline.
- Forward Security events to a centralized SIEM or syslog collector so logs survive local tampering, account lockout, or log roll-over.
- Deploy Sysmon with a tuned config (SwiftOnSecurity baseline) to capture FileDelete (Event 23/26) with full process and command-line context — lighter overhead than full SACL auditing.
- Pre-size the Security log to at least 1 GB on file servers (wevtutil sl Security /ms:1073741824) to prevent rapid rollover during incidents.
- Apply least-privilege NTFS permissions — restrict Delete and Delete subfolders and files rights to specific groups rather than Everyone/Authenticated Users.
- Maintain VSS shadow copies (configure storage with vssadmin add shadowstorage and schedule snapshot creation) and tested backups so deleted files can be both recovered and timestamp-correlated against the audit trail.
- Monitor Event 4907 (auditing settings on an object were changed, i.e. SACL tampering), 4670 (permissions on an object were changed), 4719 (system audit policy was changed) and 1102 (the audit log was cleared) to detect tampering with the auditing configuration itself. 4907 and 4719 require the 'Audit Policy Change' subcategory.
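The baseline configuration from the Resolution path and Prevention lists above, as an added PowerShell example that is not part of the original page: it enables the 'File System' subcategory locally, checks that subcategory settings are forced over legacy category settings, appends a Delete SACL to a share root without discarding existing audit entries, resizes the Security log, and returns a verification object a build pipeline can assert on. The path 'D:\Shares\Data', the principal, the 1 GB size, and the function name are assumptions; it must run elevated because reading or writing a SACL needs SeSecurityPrivilege, and a GPO that also sets the subcategory will overwrite the local value at refresh, so the GPO remains the authoritative place for the policy.

```powershell
function Enable-DeleteAuditing {
    <#
      Added example, not from the original page. Local equivalent of the GPO baseline:
      audit policy subcategory, Delete SACL, Security log size, then verification.
      Run elevated. Parameter values are examples.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string] $Path,
        [string] $Principal    = 'Everyone',
        [long]   $LogSizeBytes = 1GB
    )

    # 1. Enable the subcategory. A GPO setting the same subcategory will reapply its own
    #    value at refresh, so this only closes the gap until the GPO applies.
    & auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed with exit code $LASTEXITCODE (not elevated?)" }

    # 'Audit: Force audit policy subcategory settings to override audit policy category
    # settings' is stored as SCENoApplyLegacyAuditPolicy = 1 under the Lsa key.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    if (-not $lsa -or $lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
        Write-Warning "Subcategory override is not forced; legacy category settings may override 'File System'."
    }

    # 2. SACL. -Audit loads the existing SACL so AddAuditRule appends instead of replacing it.
    $acl  = Get-Acl -Path $Path -Audit
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $Principal,
        [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    if ($PSCmdlet.ShouldProcess($Path, "Add Success audit for Delete + DeleteSubdirectoriesAndFiles ($Principal)")) {
        Set-Acl -Path $Path -AclObject $acl
    }

    # 3. Grow the Security log so a busy share does not roll over mid-incident.
    & wevtutil.exe sl Security "/ms:$LogSizeBytes"
    if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }

    # 4. Verify each setting independently and return a summary.
    $policy = & auditpol.exe /get /subcategory:"File System" /r |
        Where-Object { $_ -ne '' } | ConvertFrom-Csv
    $deleteRule = (Get-Acl -Path $Path -Audit).Audit | Where-Object {
        $_.IdentityReference.Value -eq $Principal -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Delete)
    }
    $logCfg = Get-WinEvent -ListLog Security

    [pscustomobject]@{
        Path            = $Path
        PolicySetting   = $policy.'Inclusion Setting'    # expect 'Success and Failure'
        DeleteAuditRule = [bool]$deleteRule
        LogMaxBytes     = $logCfg.MaximumSizeInBytes
        OverrideForced  = ($lsa -and $lsa.SCENoApplyLegacyAuditPolicy -eq 1)
    }
}

# Usage (example):
# Enable-DeleteAuditing -Path 'D:\Shares\Data' -Principal 'Everyone' -LogSizeBytes 1GB -WhatIf
# Enable-DeleteAuditing -Path 'D:\Shares\Data'
```

Run it first with -WhatIf to see the SACL change that would be written; the audit policy and log size steps are not gated by ShouldProcess because they are idempotent and easily reversed with auditpol /set ... /success:disable and wevtutil sl.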
Tools
- auditpol.exe (configure advanced audit policy subcategories)
- Event Viewer / wevtutil (review and resize Security log)
- PowerShell Get-WinEvent and Get-Acl (query events and SACLs)
- Sysinternals Process Monitor (real-time per-process file delete observation)
- Sysmon with Event ID 11 (FileCreate) and 23/26 (FileDelete / FileDeleteDetected) for process-level audit context
- vssadmin / Previous Versions tab (recover deleted files from shadow copies)
- Third-party: Netwrix Auditor, ManageEngine FileAudit Plus, Varonis DatAdvantage, Lepide File Server Auditor