Enable auditing for user/group: You'll need to enable and add user/security group for auditing on the folder which needs to be captured for file deletion.
Right click on the target folder (ex. C:\Program Files\Honeywell), select Properties and go to Security Tab.
Click on Advanced , and select Auditing Tab.
Add here the security group which would include the user who you think might be deleting the file. If you are not sure, include EVERYONE .
On the next screen select "Successful" & "Failed" on "Delete subfolders and files" & "Delete". Apply new settings and exit from properties.
These configurations will generate file/folder access audit logs for the configured folder in Securit Event Logs . Since we are interested in only the logs that show details of file/folder deletions, we'll need to look for Security Logs with event ID 560 .
Any file deletion operation will generate two events with event ID 560. After you've realized that your target file has been deleted, you'll need to filter the security log view to show only logs with event ID 560 (right click on Event Viewer->Security, select Filter...).
If you quickly want to find out if your configured machine generated any file deletion event log, run the following command on your own (networked) machine. This will work only on XP and above, therefore, you can use this to query for security logs from Windows 2000 machines. Run cscript //h:cscript //s //nologo at least once on your system before executing the following command.
eventquery.vbs /S
/FI : Filter
/L : Log name {Application | Security | System}
/V : Verbose output
Ref:http://sogeeky.blogspot.com/2006/07/how-to-audit-and-track-file-deletions.html
