Software Distribution for IT Support Companies & MSP's

Support queries shared: Using Process Monitor to see when files are being deleted

I’ve been working on a support query recently where a specific MDaemon user’s email was vanishing, and seemingly for no reason.

To help diagnose this issue I recommended they use the popular ‘Process Monitor’ tool to watch for any files being deleted in a specific folder and report which process is deleting them.

Process Monitor’s a great tool and can easily be used to monitor all kinds of file access in more detail but for now I’ll just be talking about it’s use in this scenario.

To get started with Process Monitor you must first download a copy from:-

After extracting and running the executable you must configure your filters to only view the required information. You can find the filters under  ‘Filter > Filter’.

You will need to add two ‘include’ filters…

First add….

This only shows processes that are deleting files

Then add…

This filter only includes files in a specified folder. (change this to the path you wish to monitor)

If you have added both filters  correctly your filter list should now look like this…

Click OK to apply the filters

In the main process monitor window you should now see any processes that delete any files in that specific folder…

Hope you found that one useful – let us know in the comments!

Subscribe to blog highlights mail


  1. Mandeep

    used process monitor for some time now, wasn’t aware you could do this.

    thanks for Sharing

  2. Kshitij


    Please share the information, how to check if the file / folder is getting deleted from network.
    For e.g. I have a shared folder “TEST” with full access, now how do i find if anybody deleted any file from this folder by accessing it from other system.

    Thanks again in Advance….

    • neilzensoftware

      Hi Kshitji,

      If the files/folders are on a shared folder on a windows server could you not just setup the Process Monitor on that server to monitor the local files that are then being shared? Any access to those files will then be logged with the relevant Active Directory User account.

  3. dfdsf

    Thanks, you helped tremendously. I was having a problem with JS files acting suspiciously on one Win7 machine. So I put a test.js file to a test folder and added the monitoring of the whole folder (like you described) to see what is happening to the file. Looks like cmdagent.exe (Comodo Firewall) was accessing any new *.js files without user knowledge.

Leave a Reply