How to identify in windows event log when a folder is deleted?

Asked

Viewed 4,201 times

1

I have an application that uses a folder c:\temp in windows and need to identify somehow if this folder was deleted to recreate the directory. To recreate, I have in mind to use the windows task scheduler and use the event trigger (which uses the windows event log) and from then run a VBS that will recreate such folder if it does not exist.

Is there any way I can identify this deletion by logging windows events?

windows vbs

1 answer

2


Deleted files and folders are recorded in the Windows log on "Security" if the file system audit is enabled.

See how apply or modify audit directive settings in a local file or folder.

This other article may also be of interest to you: Audit in Windows.

You haven’t explained why you want to do this, but here are some suggestions:

  • An application that needs to write to a folder or read a folder should itself check for its existence before, and itself can create the folder - no need to rely on an external agent for this.

  • An application should not use the folder c: temp. Windows offers API to handle temporary or user data folder in the appropriate location, below C:\Users\user_name. How to use this API varies according to your programming language.

In VBS, for example:

Set fso = CreateObject("Scripting.FileSystemObject")

Const TemporaryFolder = 2
Set tfolder = fso.GetSpecialFolder(TemporaryFolder)

msgbox tfolder

This code will show C:\Users\nome_usuario\AppData\Local\Temp, which is the suitable location for an application to record and read temporary files.

  • My problem is because I have 2 programs, and 1 of them deletes the temp folder and another uses this folder. I haven’t developed these programs and one of them is no longer supported. The solution I thought would be to recreate this folder as soon as it is deleted, so I got to the above question.

  • @Leandroluk Understand. And the audit of the file system, this is what you were looking for?

  • I was reading here, I think it helps me, so I can create a scheduled task using the audit event... I will test here partner, thank you very much

  • @Leandroluk Another thing is that, depending on the response time you need to delete the folder, you may not even need to trigger its creation from the delete event, but simply schedule the VBS to check and create it yourself (type, every 1 minute).

  • yes but if I put for it to do this, it is an extra "service" for execution, and as the computer that has these applications is from the age of caves, I have to avoid unnecessary processing rs

Browser other questions tagged windows vbs

You are not signed in. Login or sign up in order to post.