Is there a detailed log on Windows that shows when/how actions were initiated? 300GB of files deleted from my OneDrive. It wasn’t me.

Investigating Unexpected Data Loss on Windows: How to Track Deletion Activities

Experiencing the sudden disappearance of extensive data files can be alarming, especially when you’re certain that no authorized action was taken. Recently, a user encountered the loss of approximately 300GB of files stored on OneDrive—files that were deleted without their knowledge or consent. This scenario raises important questions about security, monitoring, and troubleshooting on Windows systems.

Understanding the Situation

In this case, the user reports that:

  • The files were spread across multiple folders and subfolders.
  • Deletions occurred in stages, not all at once.
  • The user was asleep, and no other individual had access to their machine.
  • The deletions were not restricted to a single folder or path.
  • No identifiable pattern or logical sequence emerged from the deleted files.
  • The user doubts it was an external attack but is concerned about potential system compromise.

This complex scenario underscores the importance of having proper logging and tracking mechanisms in place to identify the origins and methods of such unexpected activity.

Can Windows Track File Deletions?

By default, Windows does not maintain a detailed, user-friendly log of every file operation, including deletions. However, Windows does offer built-in tools and features that, when properly configured, can help you monitor file system activities:

1. Enable and Use Windows Event Log Auditing

Windows has a powerful feature called Audit Policy that, when enabled, can track specific actions such as file deletions.

  • How to enable auditing for file deletions:

    • Open the Local Security Policy editor (secpol.msc).
    • Navigate to Security Settings > Advanced Audit Policy Configuration > Object Access.
    • Enable Audit File System for success (and failure, if desired).
    • Set the auditing on the target folders by adjusting their security properties:

      • Right-click the folder, select Properties.
      • Go to the Security tab and click Advanced.
      • Switch to the Auditing tab.
      • Add your user or group, then select the types of actions to audit, such as Deletion.

  • Review logs:

    • After enabling auditing, you can review detailed logs in the Event Viewer:

      • Open Event Viewer (eventvwr.msc).
      • Navigate to Windows Logs > Security
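
The same steps can be scripted. The following PowerShell is an added example, not part of the original article: it enables the audit subcategory, adds a deletion audit entry to a folder, and lists who and which process deleted files there. The folder path, the 'Everyone' principal, the 7-day window and the helper name Get-DeletionEvent are assumptions; event ID 4663 and the DELETE access bit 0x10000 are standard Windows values that the article does not name.

```powershell
# Added example. Run in an elevated PowerShell session. Path, principal and window are assumptions.
$Folder = Join-Path $env:USERPROFILE 'OneDrive'   # assumed location of the synced folder
$Since  = (Get-Date).AddDays(-7)                  # assumed review window

# 1. Turn on the "File System" audit subcategory (the setting reached through secpol.msc).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit entry (SACL) for deletions on the folder and everything below it.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone', $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Later: list object-access events (ID 4663) whose access mask includes DELETE (0x10000).
function Get-DeletionEvent {
    param([string]$Root, [datetime]$After)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $After } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $d = @{}   # named event fields: ObjectName, AccessMask, ProcessName, ...
            foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $mask = [Convert]::ToInt32("$($d['AccessMask'])", 16)
            $name = "$($d['ObjectName'])"
            if (($mask -band 0x10000) -and $name.StartsWith($Root, [System.StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    Time    = $evt.TimeCreated
                    Account = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                    Process = $d['ProcessName']
                    Object  = $name
                }
            }
        }
}

Get-DeletionEvent -Root $Folder -After $Since |
    Sort-Object Time | Format-Table -AutoSize -Wrap
```

Auditing is not retroactive: only deletions that happen after steps 1 and 2 are recorded. The Process column shows which executable requested each deletion.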
