Support queries shared: Using Process Monitor to see when files are being deleted

I’ve been working on a support query recently where a specific MDaemon user’s email was vanishing, and seemingly for no reason.

To help diagnose this issue I recommended they use the popular ‘Process Monitor’ tool to watch for any files being deleted in a specific folder and report which process is deleting them.

Process Monitor’s a great tool and can easily be used to monitor all kinds of file access in more detail, but for now I’ll just be talking about its use in this scenario.

To get started with Process Monitor you must first download a copy from:-

http://technet.microsoft.com/en-gb/sysinternals/bb896645.aspx

After extracting and running the executable you must configure your filters to only view the required information. You can find the filters under ‘Filter > Filter’.

You will need to add two ‘include’ filters…

First add….

This only shows processes that are deleting files

Then add…

This filter only includes files in a specified folder. (Change this to the path you wish to monitor.)

If you have added both filters correctly your filter list should now look like this…

Click OK to apply the filters

In the main Process Monitor window you should now see any processes that delete any files in that specific folder…
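If the capture is long, you can export it to CSV and summarise the deletions per process afterwards. The script below is an added example, not part of the original post: it assumes Process Monitor's default CSV columns, and that a delete is logged as a SetDispositionInformationFile operation with "Delete: True" in the Detail column (or SetDispositionInformationEx with a FILE_DISPOSITION_DELETE flag on newer Windows builds). The function names, process names and paths are made up for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in Process Monitor's default CSV column layout;
# the process names, PIDs and paths are made up for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","MDaemon.exe","2040","CreateFile","C:\MDaemon\Users\example.com\frank\md50000001.msg","SUCCESS","Desired Access: Generic Read"
"10:01:05.2000000","cleanup.exe","3312","SetDispositionInformationFile","C:\MDaemon\Users\example.com\frank\md50000001.msg","SUCCESS","Delete: True"
"10:01:05.3000000","cleanup.exe","3312","SetDispositionInformationFile","C:\MDaemon\Users\example.com\frankie\md50000007.msg","SUCCESS","Delete: True"
"10:01:09.4000000","mailfilter.exe","4108","SetDispositionInformationEx","C:\MDaemon\Users\example.com\frank\md50000002.msg","SUCCESS","Flags: FILE_DISPOSITION_DELETE, FILE_DISPOSITION_POSIX_SEMANTICS"
"10:01:11.5000000","mailfilter.exe","4108","SetDispositionInformationFile","C:\MDaemon\Users\example.com\frank\md50000003.msg","SUCCESS","Delete: False"
'''


def is_delete(row):
    """True if this row marks a file for deletion (not just any disposition call)."""
    op, detail = row["Operation"], row["Detail"]
    if op == "SetDispositionInformationFile":
        return "Delete: True" in detail
    if op == "SetDispositionInformationEx":
        flags = [f.strip() for f in detail.replace("Flags:", "").split(",")]
        return "FILE_DISPOSITION_DELETE" in flags
    return False


def deletions_by_process(csv_text, folder):
    """Map (process name, PID) -> [(time, path)] for successful deletes under folder."""
    # Trailing backslash stops "...\frank" from also matching "...\frankie".
    prefix = folder.rstrip("\\").lower() + "\\"
    found = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Result"] != "SUCCESS" or not is_delete(row):
            continue
        if row["Path"].lower().startswith(prefix):  # Windows paths: ignore case
            found[(row["Process Name"], row["PID"])].append(
                (row["Time of Day"], row["Path"]))
    return dict(found)


if __name__ == "__main__":
    watched = r"C:\MDaemon\Users\example.com\frank"
    for (name, pid), events in deletions_by_process(SAMPLE_CSV, watched).items():
        print(f"{name} (PID {pid}) deleted {len(events)} file(s):")
        for when, path in events:
            print(f"  {when}  {path}")
```

To run it against a real capture, read the exported CSV file and pass its text in place of SAMPLE_CSV.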

Hope you found that one useful – let us know in the comments!


3 thoughts on “Support queries shared: Using Process Monitor to see when files are being deleted”

  1. Hello,

    Please share the information, how to check if the file / folder is getting deleted from network.
    For e.g. I have a shared folder “TEST” with full access, now how do I find if anybody deleted any file from this folder by accessing it from other system.

    Thanks again in Advance….

    • Hi Kshitji,

      If the files/folders are on a shared folder on a Windows server could you not just set up the Process Monitor on that server to monitor the local files that are then being shared? Any access to those files will then be logged with the relevant Active Directory User account.
