Check which process deleted the files on Windows

Follow the steps below to use event logging to identify the process that is deleting the files.

Steps to Enable Event Logs for Identifying the Process Causing Product Deletion

  • Log in to the machine where the issue is occurring with an admin account.
  • Navigate to the Folder.
  • Open File Explorer.
  • Go to the parent folder of the installation (i.e., the folder that is getting deleted).
  • Right-click on the folder and select Properties.
  • Go to the Security tab.
  • Click Advanced.
  • Switch to the Auditing tab. If prompted, click Continue to proceed.
  • Click Add to set up a new auditing entry.
  • Click “Select a principal”, enter “Everyone” in the “Object Name” field, and click OK.
  • Under Permissions, click Show Advanced Permissions.
  • Select the following permissions.
    • Delete
    • Delete Subfolders and Files
  • Click OK.
  • Check the box that says Replace all child object permission entries with inheritable permission entries from this object.
  • Click Apply, then OK to save the changes.
  • Now run Command Prompt as Administrator and execute the following commands:
  • AuditPol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
  • AuditPol /set /subcategory:"File System" /success:enable /failure:enable

These steps enable auditing for file deletion operations.

Wait for the issue to recur. Once it happens, perform the steps below (if the deletion happens after a reboot, restart the machine first).

  • Open Event Viewer.
  • Navigate to Windows Logs -> Security.
  • Sort the logs in descending order by Date and Time.
  • Search for entries with the keyword “Delete”.
  • Look for a log that has “Object Name” as the installer path.
  • Look for Process Name.

Process Name will provide the complete path of the process that has caused the deletion operation of installer files.
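The same search can be scripted in PowerShell instead of filtering Event Viewer by hand. This is an added example, not part of the original article: it assumes the relevant audit records are Security event ID 4663 ("An attempt was made to access an object"), and `$Folder` is a placeholder for the audited folder.

```powershell
# Added example. $Folder is a placeholder: set it to the folder you audited.
$Folder = 'C:\Path\To\AuditedFolder'
$Since  = (Get-Date).AddDays(-1)      # how far back to search

# File access-right bits matching the two permissions selected in the audit entry.
$DELETE       = 0x10000   # Delete
$DELETE_CHILD = 0x40      # Delete Subfolders and Files

$filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten <EventData><Data Name="...">value</Data></EventData> into a hashtable.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }

        $object = $data['ObjectName']
        if (-not $object -or
            -not $object.StartsWith($Folder, [StringComparison]::OrdinalIgnoreCase)) {
            return   # event is for a path outside the audited folder
        }

        # AccessMask is logged as a hex string such as 0x10000.
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)
        if (($mask -band ($DELETE -bor $DELETE_CHILD)) -eq 0) {
            return   # access did not include a delete right
        }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            ProcessName = $data['ProcessName']
            ProcessId   = $data['ProcessId']
            User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            ObjectName  = $object
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell session, since reading the Security log requires administrator rights.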
