Re: Logging Files Deleted At Shutdown

From: Marc (news_reply_at_SCRUBTHISblueyonder.co.uk)
Date: 06/29/04


Date: Tue, 29 Jun 2004 10:47:29 GMT

I am trying to find out why my Restore points are being deleted. I used to
have many available at any one time but now there is either none or
occasionally one available. I have loads of disk space allocated. Something
has changed somewhere which is causing the Restore points to stop being
created on a regular basis and when one is (occasionally) created, it's not
there next time I boot.

I had a look at the LSP Help files but couldn't make too much sense of it
for what I am trying to find out. I've enabled auditing for system events and
object access to see if that sheds any light, although maybe auditing can't
help with what I'm trying to find out anyway.

Marc

David Candy wrote:
> It's all in LSP help.
>
> Audit object access
> Computer Configuration\Windows Settings\Security Settings\Local
> Policies\Audit Policy
>
> Description
> Determines whether to audit the event of a user accessing an
> object - for example, a file, folder, registry key, printer, and so
> forth - that has its own system access control list (SACL) specified.
>
> If you define this policy setting, you can specify whether to audit
> successes, audit failures, or not audit the event type at all.
> Success audits generate an audit entry when a user successfully
> accesses an object that has a SACL specified. Failure audits generate
> an audit entry when a user unsuccessfully attempts to access an
> object that has a SACL specified. To set this value to no auditing,
> in the Properties dialog box for this policy setting, select the
> Define these policy settings check box and clear the Success and
> Failure check boxes.
>
> Note that you can set a SACL on a file system object using the
> Security tab in that object's Properties dialog box.
>
> Default: No auditing.
>
>
>
> Then set auditing for your drives in the Drives Properties - Security
> - Advanced - Auditing
>
> You have to turn it on then set what is to be audited.
>
>
>> Fair point, I don't know it's shutdown rather than startup.
>>
>> How do I turn on auditing for the 'files concerned'. The options I
>> could see in the Local Policies/Audit Policy related to
>> events/processes rather than files.
>>
>> Marc
>>
>> David Candy wrote:
>>> Turn on auditing then set the files concerned to be audited. How do
>>> you know it's shutdown and not startup?
>>>
>>>> Is there any way to log files being deleted at shutdown and what
>>>> app/windows function is causing the deletion? I seem to have files
>>>> being deleted that shouldn't be and would like to find out what's
>>>> happening.
>>>>
>>>> tia
>>>> Marc
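
The two steps quoted above (turn on "Audit object access", then set a SACL on the files concerned), followed by reading back which process deleted what. This is an added example, not part of the original thread. It assumes Windows Vista or later (where `auditpol` subcategories and Security event 4663 exist), an elevated PowerShell prompt and an NTFS volume; `C:\WatchedFolder` and `Get-DeleteAudit` are hypothetical names.

```powershell
# Added example, not from the thread. Assumes an elevated prompt on Vista or later.
# $Target is a hypothetical folder: point it at the directory whose files vanish.
$Target = 'C:\WatchedFolder'

# Step 1: enable the policy. "File System" is the object-access subcategory
# that covers files and folders; only successful accesses are logged here.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# Step 2: add an audit entry (SACL) for successful deletes by any account,
# inherited by every file and subfolder below $Target.
$rights    = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]::Success
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList 'Everyone', $rights, $inherit, $propagate, $flags

$acl = Get-Acl -Path $Target -Audit      # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# Step 3: after the next shutdown/startup cycle, list delete accesses.
# Event 4663 records an object access; AccessMask bit 0x10000 is DELETE.
function Get-DeleteAudit {
    param([datetime]$Since = (Get-Date).AddDays(-1))

    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            $data = @{}
            foreach ($item in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$item.Name] = $item.'#text'
            }
            $mask = [Convert]::ToInt32($data['AccessMask'], 16)
            if (($mask -band 0x10000) -ne 0) {
                [pscustomobject]@{
                    Time    = $evt.TimeCreated
                    Account = $data['SubjectUserName']
                    Process = $data['ProcessName']
                    Object  = $data['ObjectName']
                }
            }
        } | Sort-Object Time
}

Get-DeleteAudit | Format-Table -AutoSize
```

Comparing the `Time` column with the system's shutdown and startup times answers the shutdown-versus-startup question raised in the thread, and the `Process` column names the program that requested the delete.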


