Procmon should work.
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
--please don't forget to upvote and Accept as answer if the reply is helpful--
can I find out which process is deleting a file? file disappears.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 2%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
holollollol
86
Reputation points
Hi
I have two windows 2016 DC server as MSCS cluster.
C:\Windows\System32\drivers\etc folder and a few .sys files were deleted sometime.
Both servers had symptoms, so I reinstalled it a few times, but the symptoms reappear after a certain period of time.
There are no related logs in the antivirus.
I reinstalled it, but I'm worried.
how can I find out which process is deleting a file?
help me~~
Windows for business | Windows Server | User experience | Other
2 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Anonymous2021-09-27T15:23:57.277+00:00 -
Anonymous
2021-09-30T12:09:42.03+00:00 Just checking if there's any progress or updates?
--please don't forget to
upvoteandAccept as answerif the reply is helpful--
Sign in to comment -
-
Limitless Technology 40,081 Reputation points2021-09-30T08:59:33.1+00:00 Hello,
Additionally you can view Event viewer and check Audit logs.
Also you can check Windows update history if it was deleted by Windows update and Windows Task scheduler if there is any Job is affecting to these files and location.
If the reply was helpful, please don’t forget to upvote or accept as answer.