"cypherus" <fbsdguy@gmail.com> wrote in message
news:53ecded4-9025-4699-b13c-6856336cd71c@a70g2000hsh.googlegroups.com...
>I am running Windows Server 2003 R2 and three times now a folder has
> been deleted from a user's network drive. No one has access to this
> except me and the user and from what the user says, she isn't doing
> anything wrong. She logs in and the folder is gone. I am able to
> recover from backup, but that's not the point. Is there any way to
> find out who or when a file is deleted either in the Event Viewer or
> otherwise?
You could run this script:
01. ComputerName = "Cypherus"
02. FolderName = """D:\Temp"""
03. Wait = 60 'Time to wait between polls
04.
05. FolderName = replace(FolderName, "\", "\\\\")
06. Set objWMIService = GetObject("winmgmts:\\" & ComputerName &
"\root\cimv2")
07. Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
08. ("SELECT * FROM __InstanceDeletionEvent WITHIN " & wait _
09. & " Where Targetinstance ISA 'CIM_DirectoryContainsFile'" _
10. & " and TargetInstance.GroupComponent= " _
11. & "'Win32_Directory.Name=" & FolderName & "'")
12.
13. Do
14. Set objLatestEvent = colMonitoredEvents.NextEvent
15. Result = objLatestEvent.TargetInstance.PartComponent
16. WScript.Echo "File " & Replace(Mid(result, InStrRev(Result, "\") + 1),
"""", "") & " deleted."
17. Loop
Instructions:
- Copy & paste this code to c:\Windows\Monitor.vbs on your PC.
- Modify Lines 1-3 to suit your environment.
- Unbreak broken up lines.
- Remove the line numbers.
- Invoke the script like so: cscript //nologo c:\windows\monitor.vbs
It is current form the script generates one line of text in the console
screen where you run the script. I can think of three better
responses:
a) Send yourself an EMail note.
b) Write a date/time-tagged line into a cumulative log file.
c) Generate a Messenger pop-up panel on a nominated PC.
You could use any one of several of the above methods.
Post again if you need any assistance with this.