While playing around with Sysmon I noticed that one of my deleted files wasn't archived due to insufficient disk space on one of my machines.
This is a sample FileDelete event (EID 23):
File Delete archived:
RuleName: FileDelete - Files in Windows\Tasks\ directory
UtcTime: 2021-06-22 12:06:34.434
ProcessGuid: {952ebdeb-d244-60d1-6c04-000000008400}
ProcessId: 5820
User: <REDACTED>
Image: C:\WINDOWS\system32\cmd.exe
TargetFilename: C:\Windows\Tasks\cmd.exe
Hashes: SHA1=F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D,MD5=8A2122E8162DBEF04694B9C3E0B6CDEE,SHA256=B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450,IMPHASH=272245E2988E1E430500B852C4FB5E18
IsExecutable: true
Archived: false - insufficient disk space
This is a really nice feature.
Does anyone know what the limit is and if you can change it?