Difference between revisions of "StableBit DrivePool Q7965944"

From Covecube - Wiki
 
(10 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
==When to Use==
 
==When to Use==
If one or more files that should be on the pool have vanished, and you don't know why.
+
Use the information in this article if one or more files that should be on the pool have vanished, and you don't know why.
  
 
Files can disappear from the pool for a number of reasons:
 
Files can disappear from the pool for a number of reasons:
  
 
* Make sure that you have no missing disks, and that all the disks part of the pool are accessible and responsive.
 
* Make sure that you have no missing disks, and that all the disks part of the pool are accessible and responsive.
* Make sure that the NTFS file system is not damaged on each disk that is part of the pool. You can do this by '''Right clicking on the disk''' -> '''Properties''' -> '''Tools''' -> '''Check now....'''
+
* Make sure that the NTFS file system is not damaged on each disk that is part of the pool. You can do this from Windows Explorer, '''Right click on the disk''' -> '''Properties''' -> '''Tools''' -> '''Check now....'''
 
* Someone or some application has deleted those files. This is the point that we're going to address in this article.
 
* Someone or some application has deleted those files. This is the point that we're going to address in this article.
  
In order to record every file deletion, and or who what was responsible, we can use the built-in auditing capabilities in Windows.
+
The remainder of this article will show you how to set up auditing on the pool so that every single deletion is recorded, along with who is responsible for it.
 +
 
 +
In order to record every file deletion, and who or what was responsible, we can use the built-in auditing capabilities in Windows.
  
 
==Steps==
 
==Steps==
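Review bot: The added sentence "The remainder of this article will show you how to set up auditing on the pool..." and the retained "In order to record every file deletion, and who or what was responsible..." sit back to back and say nearly the same thing, so merge them into one sentence. Separately, the list introduced by "Files can disappear from the pool for a number of reasons:" has two items phrased as checks ("Make sure that...") rather than reasons; reword either the lead-in or those two items so they agree.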
Line 14: Line 16:
 
# From the Start menu open '''Local Security Policy''' (type it).
 
# From the Start menu open '''Local Security Policy''' (type it).
 
# Navigate to '''Local Policies''' -> '''Audit Policy'''.
 
# Navigate to '''Local Policies''' -> '''Audit Policy'''.
# Double click on ''Audit object access''.
+
# Double click on '''Audit object access'''.
# Check '''Success''' and click ok.
+
# Check '''Success''' and click '''OK'''.
# Now open up '''Windows Explorer'''.
+
# Now open up '''Windows Explorer''' to the view that lists all of your hard drives.
 
# Right click on any pool drive letter that you want to audit and click '''Properties''',
 
# Right click on any pool drive letter that you want to audit and click '''Properties''',
 
# Open the '''Security''' tab and click '''Advanced'''.
 
# Open the '''Security''' tab and click '''Advanced'''.
Line 22: Line 24:
 
# Click '''Add...''' and type in '''Everyone''' then click '''OK'''.
 
# Click '''Add...''' and type in '''Everyone''' then click '''OK'''.
 
# In the dialog that pops up, check the '''Successful''' check box for '''Delete''' and '''Delete subfolders and files'''.
 
# In the dialog that pops up, check the '''Successful''' check box for '''Delete''' and '''Delete subfolders and files'''.
# Click '''OK''' through on all the dialogs that are open to apply your settings.
+
# Click '''OK''' through on all the dialogs that are open to apply your settings. (this may take a while if you have a lot of files on the pool)
# Click '''Continue''' if you see an '''Access is denied''' warning for the '''System Volume Information''' folder. This is normal.
+
# Click '''Continue''' if you see an '''Access is denied''' warning for the '''System Volume Information''' folder. This is normal. You can't audit that folder because you don't have access to it.
  
Now your Windows machine is recording every single delete that you or some application does on the pool. If you even need to find out why a file is missing, just consult the event log.
+
Now your Windows machine is recording every single delete that you or some application does on the pool. If you ever need to find out why a file is missing, just consult the event log.
  
 
===How to consult the event log===
 
===How to consult the event log===
 +
# Follow: [[StableBit_DrivePool_Q7200705|Q7200705]]
 +
# From the Start menu open '''Event Viewer''' (type it).
 +
# Navigate to '''Windows Logs''' -> '''Security'''.
 +
# Click '''Filter Current Log...''' on the right.
 +
# Under where it says '''<All Event IDs>''' type in '''4663''' (Event ID 4663 is a file deletion).
 +
 +
Now you will see a list of all recent file deletions, when the deletion took place, and which user (or application) initiated that deletion.
 +
 +
====Increasing log file size====
 +
While you've got the even viewer open, it might be a good idea to increase the log file size in order to be able to log older file deletions.
 +
 +
# Follow: [[StableBit_DrivePool_Q7200705|Q7200705]]
 +
# From the Start menu open '''Event Viewer''' (type it).
 +
# Navigate to '''Windows Logs''' -> '''Security'''.
 +
# Click '''Properties''' on the right.
 +
# Increase the '''Maximum log size''' to something larger. By default it's set to '''20480 KB''' (which is 20 MB), you may want to increase that up to '''102400 KB''' (which is 100 MB).
 +
# Click '''OK'''.
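Review bot: In the new "How to consult the event log" steps, "(Event ID 4663 is a file deletion)" is imprecise. Event 4663 records an attempt to access an audited object, and it corresponds to deletions here only because the auditing entry set up earlier selects '''Delete''' and '''Delete subfolders and files'''. Suggest wording it that way so readers who audit other permissions are not misled. Also in "Increasing log file size", "even viewer" should read "Event Viewer", and the sentence "By default it's set to '''20480 KB''' (which is 20 MB), you may want to..." is a comma splice that reads better as two sentences.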

Latest revision as of 15:09, 3 April 2013

When to Use

Use the information in this article if one or more files that should be on the pool have vanished, and you don't know why.

Files can disappear from the pool for a number of reasons:

  • Make sure that you have no missing disks, and that all the disks that are part of the pool are accessible and responsive.
  • Make sure that the NTFS file system is not damaged on each disk that is part of the pool. You can do this from Windows Explorer, Right click on the disk -> Properties -> Tools -> Check now....
  • Someone or some application has deleted those files. This is the point that we're going to address in this article.

The remainder of this article will show you how to set up auditing on the pool so that every single deletion is recorded, along with who is responsible for it.

In order to record every file deletion, and who or what was responsible, we can use the built-in auditing capabilities in Windows.

Steps

  1. Follow: Q7200705
  2. From the Start menu open Local Security Policy (type it).
  3. Navigate to Local Policies -> Audit Policy.
  4. Double click on Audit object access.
  5. Check Success and click OK.
  6. Now open up Windows Explorer to the view that lists all of your hard drives.
  7. Right click on any pool drive letter that you want to audit and click Properties.
  8. Open the Security tab and click Advanced.
  9. Navigate to the Auditing tab and click Edit....
  10. Click Add... and type in Everyone then click OK.
  11. In the dialog that pops up, check the Successful check box for Delete and Delete subfolders and files.
  12. Click OK through on all the dialogs that are open to apply your settings. (This may take a while if you have a lot of files on the pool.)
  13. Click Continue if you see an Access is denied warning for the System Volume Information folder. This is normal. You can't audit that folder because you don't have access to it.

Now your Windows machine is recording every single delete that you or some application does on the pool. If you ever need to find out why a file is missing, just consult the event log.
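The same configuration can be applied from an elevated PowerShell prompt. This is an added example, not part of the original article; the drive letter `P:\` is an assumption and must be replaced with your pool drive, and the `auditpol` category name is the English one.

```powershell
# Added example: scripted equivalent of the GUI steps above.
# Run from an elevated PowerShell session.
$PoolDrive = 'P:\'   # assumption: replace with your pool drive letter

# Steps 2-5: enable Success auditing for the "Object Access" category
# (the command-line counterpart of "Audit object access").
auditpol /set /category:"Object Access" /success:enable

# Steps 6-12: add an auditing entry (SACL) for Everyone on the pool root,
# covering "Delete" and "Delete subfolders and files", inherited by all
# subfolders and files.
$rights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $rights,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

# -Audit is required, otherwise the SACL is not read and would not be written.
$acl = Get-Acl -Path $PoolDrive -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $PoolDrive -AclObject $acl

# Verify both halves: the policy and the auditing entry on the drive.
auditpol /get /category:"Object Access"
(Get-Acl -Path $PoolDrive -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Both halves are needed: the audit policy switches object-access logging on, and the auditing entry on the drive selects which accesses are logged.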

How to consult the event log

  1. Follow: Q7200705
  2. From the Start menu open Event Viewer (type it).
  3. Navigate to Windows Logs -> Security.
  4. Click Filter Current Log... on the right.
  5. Under where it says <All Event IDs> type in 4663 (Event ID 4663 is a file deletion).

Now you will see a list of all recent file deletions, when the deletion took place, and which user (or application) initiated that deletion.
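The Event Viewer filter above can also be run as a query that prints who deleted what and when. This is an added example, not part of the original article; it assumes the pool is mounted as `P:\` and that event 4663 reports paths on the pool with that drive letter in its `ObjectName` field.

```powershell
# Added example: list audited delete accesses on the pool from the Security log.
# Run from an elevated PowerShell session (the Security log requires it).
$PoolDrive  = 'P:\'      # assumption: replace with your pool drive letter
$DeleteMask = 0x10000    # DELETE access right as reported in AccessMask

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                       -ErrorAction SilentlyContinue

$deletions = foreach ($e in $events) {
    # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
    $data = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }

    # Keep only events where the DELETE right was used on a pool path.
    $mask = [Convert]::ToInt32($data['AccessMask'], 16)
    if (($mask -band $DeleteMask) -eq 0) { continue }
    if ($data['ObjectName'] -notlike "$PoolDrive*") { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Process = $data['ProcessName']
        Path    = $data['ObjectName']
    }
}

$deletions | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Renames and moves also use the DELETE right, so they appear in this list alongside true deletions; the `Process` column shows which program was responsible.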

Increasing log file size

While you've got the Event Viewer open, it might be a good idea to increase the log file size in order to be able to log older file deletions.

  1. Follow: Q7200705
  2. From the Start menu open Event Viewer (type it).
  3. Navigate to Windows Logs -> Security.
  4. Click Properties on the right.
  5. Increase the Maximum log size to something larger. By default it's set to 20480 KB (which is 20 MB); you may want to increase that up to 102400 KB (which is 100 MB).
  6. Click OK.