StableBit DrivePool Q7965944

From Covecube - Wiki

When to Use

Use the information in this article if one or more files that should be on the pool have vanished, and you don't know why.

Files can disappear from the pool for a number of reasons:

  • A disk is missing or not responding. Make sure that you have no missing disks, and that all the disks that are part of the pool are accessible and responsive.
  • The NTFS file system is damaged on a disk in the pool. Make sure that the NTFS file system is not damaged on each disk that is part of the pool. You can do this from Windows Explorer: right-click the disk -> Properties -> Tools -> Check now....
  • Someone or some application has deleted those files. This is the point that we're going to address in this article.

The remainder of this article will show you how to set up auditing on the pool so that every single deletion is recorded, along with who is responsible for it.

In order to record every file deletion, and who or what was responsible, we can use the built-in auditing capabilities in Windows.

Steps

  1. Follow: Q7200705
  2. From the Start menu open Local Security Policy (type it).
  3. Navigate to Local Policies -> Audit Policy.
  4. Double click on Audit object access.
  5. Check Success and click OK.
  6. Now open up Windows Explorer to the view that lists all of your hard drives.
  7. Right-click on any pool drive letter that you want to audit and click Properties.
  8. Open the Security tab and click Advanced.
  9. Navigate to the Auditing tab and click Edit....
  10. Click Add... and type in Everyone then click OK.
  11. In the dialog that pops up, check the Successful check box for Delete and Delete subfolders and files.
  12. Click OK on all the dialogs that are open to apply your settings. (This may take a while if you have a lot of files on the pool.)
  13. Click Continue if you see an Access is denied warning for the System Volume Information folder. This is normal. You can't audit that folder because you don't have access to it.

Now your Windows machine is recording every single delete that you or some application does on the pool. If you ever need to find out why a file is missing, just consult the event log.

How to consult the event log

  1. Follow: Q7200705
  2. From the Start menu open Event Viewer (type it).
  3. Navigate to Windows Logs -> Security.
  4. Click Filter Current Log... on the right.
  5. Under where it says <All Event IDs> type in 4663 (Event ID 4663 is a file deletion).

Now you will see a list of all recent file deletions, when the deletion took place, and which user (or application) initiated that deletion.
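The same lookup can be scripted. The PowerShell below is an added example, not part of the original article or Covecube's own code: it turns Event ID 4663 records into who/what/when rows and keeps only accesses whose mask includes the DELETE right (0x10000). The function name, the P:\ pool drive letter and the sample event are assumptions constructed for illustration.

```powershell
# Added example, not Covecube's code. Turns Security-log 4663 events into
# who / what / when rows, keeping only accesses that include DELETE.
function ConvertFrom-DeleteAuditEvent {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $EventXml,
        [string] $PathPrefix = ''   # assumption: e.g. 'P:\' for the pool drive
    )
    process {
        $evt = ([xml]$EventXml).Event
        if ($evt.System['EventID'].InnerText -ne '4663') { return }

        # EventData is a list of <Data Name="...">value</Data> elements.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }

        # AccessMask is hex text; 0x10000 is the DELETE access right.
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)
        if (($mask -band 0x10000) -eq 0) { return }
        $path = [string]$data['ObjectName']
        if (-not $path.StartsWith($PathPrefix, [StringComparison]::OrdinalIgnoreCase)) { return }

        [pscustomobject]@{
            Time    = [datetime]$evt.System.TimeCreated.SystemTime
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process = $data['ProcessName']
            Path    = $path
        }
    }
}

# Constructed sample event (trimmed to the fields used); not real log data.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><TimeCreated SystemTime="2024-01-15T10:22:31Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">HOMESERVER</Data>
    <Data Name="ObjectName">P:\Media\holiday.mp4</Data>
    <Data Name="AccessMask">0x10000</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-DeleteAuditEvent -PathPrefix 'P:\'

# Against the live log (elevated prompt):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-DeleteAuditEvent -PathPrefix 'P:\'
```

Reading the Security log requires an elevated PowerShell session.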

Increasing log file size

While you've got the Event Viewer open, it might be a good idea to increase the log file size so that older file deletions stay in the log.

  1. Follow: Q7200705
  2. From the Start menu open Event Viewer (type it).
  3. Navigate to Windows Logs -> Security.
  4. Click Properties on the right.
  5. Increase the Maximum log size to something larger. By default it's set to 20480 KB (which is 20 MB); you may want to increase that up to 102400 KB (which is 100 MB).
  6. Click OK.