windowsdelete-fileprocess-monitor

How to find which process deleted my file in Windows


In simplest terms, is there a simple way or program which can help identify who/which process has deleted the file.

Even in the latest version of Process Monitor by SysInternals, I couldn't find an event that directly tells that "This is a delete operation and performed by a certain PID or process name".

Am I missing something?


Solution

  • "Normal" deletes

    In Process Monitor, a real delete operation can be identified by the "delete on close" option in the "Details" column. You can use that as a filter:

    Detail, Contains, Delete On Close

    Process Monitor filter for deletions

    Why? Well, there is the DeleteFile() Windows API, that says:

    The DeleteFile function marks a file for deletion on close.

    Also, CreateFile() has a flag FILE_FLAG_DELETE_ON_CLOSE:

    The file is to be deleted immediately after all of its handles are closed, which includes the specified handle and any other open or duplicated handles.

    Likely, DeleteFile() just calls CreateFile() with that parameter. That's why you don't see an operation called "DeleteFile", but rather unexpectedly that the file is deleted in an operation called "CreateFile".

    Recycle bin deletes

    Why do I say "real delete operation"? Well, Windows Explorer does not delete files when you delete them, but moves them into the recycle bin. That's not a delete operation from OS point of view. It's a move operation.

    For a recycle operation, add two filters:

    1. Operation, Is, SetRenameInformationFile

    2. Detail, Contains, $RECYCLE.BIN

    Process Monitor, find Recycle Bin operation

    Low level deletes

    Some programs operate on a lower level and use API like SetDispositionInformationFile() or SetDispositionInformationEx(). See the low level ZwSetInformationFile() or NtSetInformationFile() on MSDN. That method takes a parameter:

    FILE_DISPOSITION_DELETE 0x00000001 Specifies the system should delete a file.

    In my case (using FastCopy), the following Process Monitor filter captured it:

    1. Operation, equals, SetDispositionInformationEx
    2. Detail, contains, FILE_DISPOSITION_DELETE