This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 2%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
Hi
I have two windows 2016 DC server as MSCS cluster.
C:\Windows\System32\drivers\etc folder and a few .sys files were deleted sometime.
Both servers had symptoms, so I reinstalled it a few times, but the symptoms reappear after a certain period of time.
There are no related logs in the antivirus.
I reinstalled it, but I'm worried.
how can I find out which process is deleting a file?
help me~~
Procmon should work.
https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
--please don't forget to upvote and Accept as answer if the reply is helpful--
Just checking if there's any progress or updates?
--please don't forget to upvote and Accept as answer if the reply is helpful--
Hello,
Additionally you can view Event viewer and check Audit logs.
Also you can check Windows update history if it was deleted by Windows update and Windows Task scheduler if there is any Job is affecting to these files and location.
If the reply was helpful, please don’t forget to upvote or accept as answer.