Event ID 23

A file was deleted.
Source: Microsoft-Windows-Sysmon
Category: File Delete archived
File Delete archived:
    RuleName: %1!s!
    UtcTime: %2!s!
    ProcessGuid: %3!s!
    ProcessId: %4!s!
    User: %5!s!
    Image: %6!s!
    TargetFilename: %7!s!
    Hashes: %8!s!
    IsExecutable: %9!s!
    Archived: %10!s!


A file was deleted. In addition to logging the event, the deleted file is also saved in the ArchiveDirectory (which is C:\Sysmon by default). Under normal operating conditions this directory might grow to an unreasonable size; see event ID 26, FileDeleteDetected, for similar behavior without saving the deleted files.
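As an added example that is not part of this page or of Sysmon itself, the Python below parses a constructed batch of Event ID 23 records in the XML shape Sysmon writes to its Operational log, decodes the ten fields of the message template above, and picks out the deleted executables whose content was archived (the records that drive ArchiveDirectory growth). All sample paths, GUIDs, users and hash values are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Field order matches the message template: %1 RuleName ... %10 Archived.
FIELDS = ["RuleName", "UtcTime", "ProcessGuid", "ProcessId", "User", "Image",
          "TargetFilename", "Hashes", "IsExecutable", "Archived"]


def _record(*values):
    """Build one Event ID 23 record (constructed sample data, not real telemetry)."""
    data = "".join(f'<Data Name="{n}">{v}</Data>' for n, v in zip(FIELDS, values))
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>23</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


# Two constructed records: an archived executable and an unarchived text file.
SAMPLE_XML = "<Events>" + _record(
    "-", "2024-01-01 10:00:00.001", "{guid-1}", "4242", "LAB\\alice",
    "C:\\Windows\\System32\\cmd.exe", "C:\\Users\\alice\\AppData\\Local\\Temp\\stage.exe",
    "SHA256=AAAA,MD5=BBBB", "true", "true") + _record(
    "-", "2024-01-01 10:00:01.002", "{guid-2}", "777", "LAB\\bob",
    "C:\\Program Files\\App\\app.exe", "C:\\Users\\bob\\notes.txt",
    "SHA256=CCCC,MD5=DDDD", "false", "false") + "</Events>"


def parse_file_delete_events(xml_text):
    """Yield one dict per Event ID 23 record; Hashes becomes {algo: value},
    IsExecutable and Archived become booleans."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "23":
            continue  # ignore other Sysmon event types in the same export
        rec = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        rec["Hashes"] = dict(h.split("=", 1) for h in rec["Hashes"].split(",") if "=" in h)
        rec["IsExecutable"] = rec["IsExecutable"].lower() == "true"
        rec["Archived"] = rec["Archived"].lower() == "true"
        yield rec


def archived_executables(xml_text):
    """Deleted executables whose content Sysmon kept in the ArchiveDirectory:
    the records worth retrieving the archived copy for during triage."""
    return [r for r in parse_file_delete_events(xml_text)
            if r["IsExecutable"] and r["Archived"]]
```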


