Figure out what's deleting a folder
-
I like to keep somewhat important but temporary stuff in c:\temp. A while ago something started deleting c:\temp at work. My guess is Kaspersky, but I don't know why.
How can I catch whatever villainous software is doing this? It's a Windows 10 PC.
-
Does it happen very often? As in, if you drop a file there, will it be gone within the hour or is it just that it goes missing after a day or two?
Can you pin it down to a restart or might it happen while the PC is simply running?
The reason I'm asking is that if it happens often while the PC is running, having a tool like https://docs.microsoft.com/en-us/sysinternals/downloads/procmon could catch the program in the act. If the files get removed at boot or at a time where you're not logged in, there obviously isn't going to be any chance of running that tool.
-
@dangeRuss
Win 10 has some auto cleanup feature to reclaim disk space. Not sure if it cleans out temp folders but it might.
-
@Luhmann In that case you would expect that something like the TEMP or TMP environment variables is pointing at it, which would be weird because on my machine it points at a user-specific temp dir like C:\Users\JBert\AppData\Local\Temp (defined on user level) or a directory inside of C:\Windows like C:\Windows\Temp (defined on system level).
-
This post is deleted!
-
@JBert said in Figure out what's deleting a folder:
Does it happen very often? As in, if you drop a file there, will it be gone within the hour or is it just that it goes missing after a day or two?
Can you pin it down to a restart or might it happen while the PC is simply running?
The reason I'm asking is that if it happens often while the PC is running, having a tool like https://docs.microsoft.com/en-us/sysinternals/downloads/procmon could catch the program in the act. If the files get removed at boot or at a time where you're not logged in, there obviously isn't going to be any chance of running that tool.
I feel like it happens in a few days... It seems very intermittent.
I tried turning on File and Folder Auditing, but I don't think I got anywhere.
-
@dangeRuss Have you considered not putting important things in TEMP?
-
@Gribnit said in Figure out what's deleting a folder:
@dangeRuss Have you considered not putting important things in TEMP?
Can I suggest the Recycle Bin?
-
@Gribnit said in Figure out what's deleting a folder:
@dangeRuss Have you considered not putting important things in TEMP?
I have. I keep them in tempa now. Having said that, I should be able to keep my stuff wherever I choose, that is not a system folder. This temp folder I'm using, other than having a name of temp, is in no way designated by the system as a temp folder and should not be touched. It should be no different than calling it "Dangeruss's Important Documents - DO NOT DELETE"
I still would like to figure out what process is going around deleting my folders willy nilly.
-
@dangeRuss Maybe some program has some special debugging built in that can only write into that directory? <whistles idly in the air>Yes, yes we do</finishes song>
edit: We write to c:\tmp, but don't delete anything AFAIK.
-
@dcon said in Figure out what's deleting a folder:
We write to c:\tmp, but don't delete anything AFAIK.
Including the junk that you drop there?
-
- Create two folders in there
- Remove all access from every user for one folder
- Allow access to every user for the other folder
- Once you notice the second folder missing, go check Event Log security log to see who was denied access
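
The two-folder canary described above, as an added PowerShell example that is not part of the original post. It assumes an elevated prompt and the constructed folder names canary-locked and canary-open; it also enables File System auditing and sets a SACL, since without both a denied access leaves no entry in the Security log.

```powershell
# Added example, not from the thread. Run once from an elevated PowerShell prompt.
# Assumed names: C:\temp\canary-locked and C:\temp\canary-open.
$root    = 'C:\temp'
$locked  = Join-Path $root 'canary-locked'
$open    = Join-Path $root 'canary-open'
$ns      = 'System.Security.AccessControl'
$inherit = 'ContainerInherit,ObjectInherit'

# Audit policy: the folder SACLs below are ignored unless this subcategory is on.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

foreach ($dir in $locked, $open) {
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    # A child file forces a recursive delete to open the folder itself;
    # an empty folder can be removed through rights held on C:\temp alone.
    Set-Content -Path (Join-Path $dir 'marker.txt') -Value 'canary'

    $acl = Get-Acl -Path $dir -Audit
    # SACL: log every denied access, and every successful delete, by anyone.
    $acl.AddAuditRule((New-Object "$ns.FileSystemAuditRule" -ArgumentList `
        'Everyone', 'FullControl', $inherit, 'None', 'Failure'))
    $acl.AddAuditRule((New-Object "$ns.FileSystemAuditRule" -ArgumentList `
        'Everyone', 'Delete,DeleteSubdirectoriesAndFiles', $inherit, 'None', 'Success'))
    if ($dir -eq $locked) {
        # DACL: drop inherited entries, then deny everything to everyone.
        $acl.SetAccessRuleProtection($true, $false)
        $acl.AddAccessRule((New-Object "$ns.FileSystemAccessRule" -ArgumentList `
            'Everyone', 'FullControl', $inherit, 'None', 'Deny'))
    }
    Set-Acl -Path $dir -AclObject $acl
}

# Later, once canary-open has vanished: list who touched either canary.
# 4656 = handle requested (carries the Audit Failure entries), 4663 = access performed.
function Get-CanaryEvent {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ev = $_; $d = @{}
            ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time = $ev.TimeCreated; Id = $ev.Id; Result = $ev.KeywordsDisplayNames -join ','
                User = $d.SubjectUserName; Process = $d.ProcessName; Object = $d.ObjectName
            }
        } | Where-Object { $_.Object -like "$root\canary-*" }
}
```

A process that opens files with backup or restore privilege can bypass the deny entry, in which case the Audit Success rows for canary-open are the ones that name it.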
-
How do I figure out what's deleting a post?
-
@HardwareGeek said in Figure out what's deleting a folder:
@dcon said in Figure out what's deleting a folder:
We write to c:\tmp, but don't delete anything AFAIK.
Including the junk that you drop there?
I don't think so. But I seem to remember it's a fixed file name, so it gets overwritten each time.
-
@Lorne-Kates said in Figure out what's deleting a folder:
- Create two folders in there
- Remove all access from every user for one folder
- Allow access to every user for the other folder
- Once you notice the second folder missing, go check Event Log security log to see who was denied access
If for some reason this doesn't work, then ProcessMonitor can filter by path and operation. I don't know if the Virtual Memory use might become a problem though, I've never had it open for more than a couple of hours before.
-
@Cursorkeys said in Figure out what's deleting a folder:
I don't know if the Virtual Memory use might become a problem though, I've never had it open for more than a couple of hours before.
Simply enable the Drop Filtered Events option and it'll be fine.
-
@Tsaukpaetra said in Figure out what's deleting a folder:
@Cursorkeys said in Figure out what's deleting a folder:
I don't know if the Virtual Memory use might become a problem though, I've never had it open for more than a couple of hours before.
Simply enable the Drop Filtered Events option and it'll be fine.
TIL, thanks!