What Deleted That File?
Hi there,

I've been experiencing what seems to be a deletion of my outlook.pst file. I have enabled auditing on the parent directory and have the event logged. However, from what I can tell, the log just tells me that I deleted it, as I am the only user on that machine. I know I certainly haven't been deleting my own PST, so something is doing it.

Is there any way to find out what application, software, executable etc. actually deletes a file through auditing?

Thanks in advance,
Raw
February 4th, 2010 12:47am
Generally, auditing will tell you the user account that deleted the file. I am not sure you can tell which software or apps did it.

Isaac Oben MCITP:EA, MCSE
February 4th, 2010 1:01am
Thanks. That's what I figured as well. Perhaps someone knows of a utility or something that may be used to bridge the gap. Anything... this is driving me nuts.

Best,
Raw
February 4th, 2010 1:08am
Hi,

A WMI event will only get registered if the application has the ability to register the event in the Event Viewer, so that is the reason not many applications do the event logging.

To answer your question, every process is independently loaded and depends on many shared / non-shared DLLs. For example, for any user-mode application to communicate with the kernel, it has to call an ntdll function, which acts as the subsystem DLL. So through live monitoring / debugging you can identify the DLL which killed your process / application process, but IMHO I am not aware of an MS app which can give you this detail.
February 5th, 2010 7:54am
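
Added example, not part of any post in this thread: on Windows Vista / Server 2008 and later, the file-system audit event 4663 records `ProcessName` and `ProcessId` next to the user account, so the audit log enabled on the parent directory can be filtered for the executable that requested DELETE access. It assumes that OS generation and an audit entry for Delete on the folder; the function name `Get-DeletingProcess` and the sample event below are constructed for illustration.

```powershell
# DELETE access right as it appears in the AccessMask field of event 4663.
$DeleteMask = 0x10000

function Get-DeletingProcess {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,  # one string per event, from $event.ToXml()
        [Parameter(Mandatory)] [string]   $PathLike   # wildcard pattern, e.g. '*\outlook.pst'
    )
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        # Flatten <Data Name="...">value</Data> into a lookup table.
        $d = @{}
        foreach ($item in $evt.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if (-not $d.ContainsKey('AccessMask')) { continue }   # not an object-access record
        $mask = [Convert]::ToInt32($d['AccessMask'], 16)      # accepts the "0x" prefix
        if (($mask -band $DeleteMask) -and $d['ObjectName'] -like $PathLike) {
            [pscustomobject]@{
                Time      = $evt.System.TimeCreated.SystemTime
                User      = $d['SubjectUserName']
                Process   = $d['ProcessName']
                ProcessId = [Convert]::ToInt32($d['ProcessId'], 16)
                File      = $d['ObjectName']
            }
        }
    }
}

# Constructed sample event (not taken from a real log), trimmed to the fields used above.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><TimeCreated SystemTime="2010-02-03T22:15:04.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">raw</Data>
    <Data Name="ObjectName">C:\Users\raw\Documents\outlook.pst</Data>
    <Data Name="ProcessId">0x1a2c</Data>
    <Data Name="AccessMask">0x10000</Data>
    <Data Name="ProcessName">C:\Example\cleanup.exe</Data>
  </EventData>
</Event>
'@
Get-DeletingProcess -EventXml $sample -PathLike '*\outlook.pst'

# Live use from an elevated prompt:
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} | ForEach-Object { $_.ToXml() }
# Get-DeletingProcess -EventXml $xml -PathLike '*\outlook.pst'
```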


