File Deletion Without Event Viewer Entry: Seeking Insights and Solutions

techquest (Well-Known Member; joined Mar 29, 2023; 10 messages)
Got a file deleted, no entry in Event Viewer. Did anyone face a similar kind of issue?
System not connected to the internet for a long time. If someone knows the password, there will be an entry in the Event Viewer.
 

Solution
You're absolutely right that any logon to your Windows account—especially with a correct password—should typically generate an Event Viewer entry (under Security > Audit Success/Failure) if auditing is enabled. If your system is not connected to the internet and you haven't seen unauthorized logins, a mysterious file deletion with no Event Viewer trace can still have non-malicious explanations, though rare.

Common causes for files moving to Recycle Bin without an Event Viewer entry:

  1. Accidental Deletion by User or Software:
    • Some applications delete files silently or manage temporary files, and these deletions aren't always logged unless you have File System auditing enabled via Group Policy.
    • Built-in Windows file audits are not enabled by default—it takes custom configuration.
  2. Scheduled Tasks or System Maintenance:
    • Built-in maintenance or cleanup operations can sometimes delete or move files.
  3. Third-Party Tools or Scripts:
    • Utility software or batch scripts might delete files (e.g., disk cleanup tools, optimizers).
  4. Explorer Glitches or User Error:
    • Drag-and-drop mishaps or even double-clicking [Del] can move files to the Recycle Bin without obvious notice.

Security/Auditing Facts

  • Default Windows logs do NOT record every file delete action.
    • They record authentication/logon, but file operations (like delete) require explicit “Object Access” auditing to be set up in Group Policy. If not configured, standard file deletions don’t show in logs.
  • If someone logs in with your account, it is usually logged under Windows Security events.
    • If you see no extra logins or failed attempts, it’s unlikely (though not impossible) someone bypassed things entirely and deleted a file.
  • Physical access:
    • Anyone with physical access can circumvent many protections; using boot media, they can alter or delete files without any trace in the Event Viewer, especially if they use tools that do not boot the normal OS.

Community Experience

  • You're not alone: Other users have reported files disappearing or being deleted without explanatory logs, often due to odd bugs or maintenance tools rather than malicious access.
  • In enterprise or domain setups, group policies or software restrictions can affect Recycle Bin behavior, but for standalone systems not on a domain and offline, this is much less likely.

Practical Suggestions

  1. Review what software you have installed: Look for cleanup utilities or tools you've used recently.
  2. Audit Settings: If you want future deletes audited:
    • Open gpedit.msc > Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > Audit File System.
    • Enable “Success” and “Failure” for detailed file delete logs (note: can flood logs if overused).
  3. Antivirus scan: Glitches or unwanted programs might misbehave.
  4. Check for scheduled tasks or scripts: Review Task Scheduler for anything that might have acted on your files.

Bottom line:
For most home users, accidental deletion or (if unattended/guest access is possible) human error is the usual cause. True undetected hacking without leaving a trace on a disconnected, offline machine is nearly impossible without physical access or inside help.
If you want to harden your system, you might consider enabling file-level auditing and reviewing your local user accounts for any changes.
If you still suspect foul play (especially if files vanish repeatedly), a hardware keylogger or direct disk access is possible—but quite rare. Let us know if you notice further oddities!
 

Solution
That’s a tricky situation. Usually, file deletions should leave some kind of trace in Event Viewer unless certain scripts or third-party tools are bypassing the logs. You might want to review your audit policies or enable detailed file auditing to catch what’s happening.
 

You’re right—and here’s how to make deletions show up reliably

By default, Windows won’t log file deletions unless Object Access auditing is enabled and the target folders/files have an audit rule (SACL). Do this:
1) Verify prerequisites
  • Drive format: ensure the volume is NTFS (auditing doesn’t work on exFAT/FAT32).
  • If the files live on a network share, the logs will be on the file server, not the client.
2) Enable the right audit subcategories (local or via GPO)
Run in an elevated PowerShell/Command Prompt:
Code:
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable
auditpol /get /category:*
(The "Detailed File Share" line is only needed if you use SMB shares; the last line verifies the resulting policy.)
3) Add a SACL on the folder you care about
  • Right‑click folder > Properties > Security > Advanced > Auditing > Add.
  • Principal: Everyone (or the group of interest).
  • Type: Success and Failure.
  • Applies to: This folder, subfolders and files.
  • Permissions: check Delete and Delete subfolders and files.
4) Correlate the events
  • Security log: 4663 (access attempt with “Accesses: DELETE”), 4660 (object deleted), 4656 (handle requested).
  • Also enable process lineage to identify the deleter:
    • Turn on “Audit Process Creation” (success) and enable “Include command line in process creation events.”
    • Then correlate 4688 (process created) with the Subject/Process ID in 4663/4660.
5) Optional but highly effective: Sysmon
  • Install Sysmon with a reputable config (e.g., SwiftOnSecurity). You’ll get:
    • Event ID 23: FileDelete
    • Event ID 26: FileDeleteDetected (for captured/deferred deletes)
      This makes spotting and attributing deletions much easier.
6) Quick triage commands
  • Recent delete attempts (last 24h):
    Code:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=(Get-Date).AddDays(-1)} |
    Where-Object {$_.Message -match "Accesses:\s+.*DELETE"} |
    Select-Object TimeCreated,
    @{n='Object';e={($_.Message -split "Object Name:\s+")[1] -split "`r?`n" | Select-Object -First 1}},
    @{n='Process';e={($_.Message -split "Process Name:\s+")[1] -split "`r?`n" | Select-Object -First 1}},
    @{n='Account';e={($_.Message -split "Account Name:\s+")[1] -split "`r?`n" | Select-Object -First 1}}
  • Signs of tampering/bypass:
    • 1102 (audit log cleared), 4719 (audit policy changed), unusually small Security log, or deletion performed offline/with boot media (no logs on the OS).
7) Best practices
  • Increase Security log size and set retention to “Do not overwrite” or a long retention window.
  • Limit who can clear logs; forward Security logs to a SIEM/Event Collector so local tampering is less effective.
Note: The fitness tool mention is off-topic for this thread, so keeping focus on the Windows side.
If you can share a bit more:
  • What version/edition of Windows?
  • Local disk or SMB share/OneDrive/Dropbox sync folder?
  • Do deletes happen interactively or via a scheduled task/service?
  • Any relevant event IDs you’re already seeing?
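The SACL from step 3 and the 4663/4688 correlation from step 4, written as PowerShell functions. This is an added example, not code from the thread; the folder path is a placeholder, and it assumes the audit subcategories from step 2 and the command-line logging from step 4 are already enabled.

```powershell
# Added example (not from the thread): step 3 (SACL) and step 4 (4663 <-> 4688
# correlation) as PowerShell. Run elevated; folder path and time window are placeholders.
using namespace System.Security.AccessControl
function Add-DeleteAuditRule {
    param([Parameter(Mandatory)][string]$Path)   # e.g. 'C:\Data\Important' (placeholder)
    $acl = Get-Acl -Path $Path -Audit
    # Everyone; Delete + "Delete subfolders and files"; this folder, subfolders and files; Success + Failure
    $rule = [FileSystemAuditRule]::new(
        'Everyone',
        [FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
        [InheritanceFlags]'ContainerInherit, ObjectInherit',
        [PropagationFlags]::None,
        [AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Turn one Security event record into a hashtable of its EventData fields (Name -> value)
function ConvertTo-EventData($Record) {
    $d = @{}
    foreach ($n in ([xml]$Record.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

function Get-DeleteEventsWithProcess {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $filter = @{LogName = 'Security'; StartTime = $Since}
    # Index 4688 (process created) by PID; IDs are hex strings like 0x1a2c, which [int] parses
    $procById = @{}
    foreach ($e in Get-WinEvent -FilterHashtable ($filter + @{Id = 4688}) -ErrorAction SilentlyContinue) {
        $d = ConvertTo-EventData $e
        $procById[[int]$d.NewProcessId] = $d
    }
    foreach ($e in Get-WinEvent -FilterHashtable ($filter + @{Id = 4663}) -ErrorAction SilentlyContinue) {
        $d = ConvertTo-EventData $e
        # Keep only accesses whose mask includes DELETE (0x10000), i.e. "Accesses: DELETE"
        if (([int]$d.AccessMask -band 0x10000) -eq 0) { continue }
        $p = $procById[[int]$d.ProcessId]
        # Guard against PID reuse: the 4688 must name the same executable as the 4663
        if ($p -and $p.NewProcessName -ne $d.ProcessName) { $p = $null }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = $d.SubjectUserName
            Object      = $d.ObjectName
            Process     = $d.ProcessName
            CommandLine = $(if ($p) { $p.CommandLine } else { '(no matching 4688)' })
        }
    }
}
# Usage: Add-DeleteAuditRule 'C:\Data\Important'; Get-DeleteEventsWithProcess | Format-Table -AutoSize
```

CommandLine stays empty when "Include command line in process creation events" is off, and a 4663 whose creator process started before the time window shows "(no matching 4688)".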
 
