In the simplest terms, is there a simple way or program that can help identify who/which process has deleted a file?
Even in the latest version of Process Monitor by SysInternals, I couldn't find an event that directly tells that "This is a delete operation and performed by a certain PID or process name".
Am I missing something?
"Normal" deletes
In Process Monitor, a real delete operation can be identified by the "delete on close" option in the "Details" column. You can use that as a filter:
Detail, Contains, Delete On Close
Why? Well, there is the DeleteFile() Windows API, that says:
Also, CreateFile() has a flag
FILE_FLAG_DELETE_ON_CLOSE:
Likely, DeleteFile() just calls CreateFile() with that parameter. That's why you don't see an operation called "DeleteFile", but rather, unexpectedly, that the file is deleted in an operation called "CreateFile".
Recycle bin deletes
Why do I say "real delete operation"? Well, Windows Explorer does not delete files when you delete them, but moves them into the recycle bin. That's not a delete operation from the OS's point of view. It's a move operation.
For a recycle operation, add two filters:
Operation, Is, SetRenameInformationFile
Detail, Contains, $RECYCLE.BIN
Low level deletes
Some programs operate on a lower level and use APIs like SetDispositionInformationFile() or SetDispositionInformationEx(). See the low-level ZwSetInformationFile() or NtSetInformationFile() on MSDN. That method takes a parameter:
In my case (using FastCopy), the following Process Monitor filter captured it:
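The three Process Monitor filters above can be combined into one offline pass over a saved Procmon capture. The script below is an added example, not part of the original answer: it reads a "Save as CSV" export (columns Time of Day, Process Name, PID, Operation, Path, Result, Detail), classifies each event as a delete-on-close, a recycle-bin move, or a disposition-based delete, and reports which process and PID removed a given path. The sample rows, process names, PIDs and the SID in the recycle-bin path are constructed; the Detail strings are approximations of what Procmon shows and should be checked against your own capture. Matching is case-insensitive, like Procmon's "Contains" filter, and only events with Result SUCCESS count as a completed delete (a "Delete: False" disposition or an ACCESS DENIED open is not one).

```python
"""Find file-deletion events in a Process Monitor CSV export."""
import csv
import io

# Constructed sample in the layout of Procmon's "Save as CSV" export.
# Paths, PIDs and the recycle-bin SID below are invented for this example.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001","cmd.exe","4120","CreateFile","C:\Temp\a.txt","SUCCESS","Desired Access: Read Attributes, Delete, Disposition: Open, Options: Non-Directory File, Open Reparse Point, Delete On Close, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"10:00:02.0000002","Explorer.EXE","3344","SetRenameInformationFile","C:\Temp\b.txt","SUCCESS","ReplaceIfExists: False, FileName: C:\$Recycle.Bin\S-1-5-21-1111-2222-3333-1001\$RX1Y2Z3.txt"
"10:00:03.0000003","FastCopy.exe","5210","SetDispositionInformationFile","C:\Temp\c.txt","SUCCESS","Delete: True"
"10:00:04.0000004","python.exe","6001","SetDispositionInformationEx","C:\Temp\d.txt","SUCCESS","Flags: FILE_DISPOSITION_DELETE, FILE_DISPOSITION_POSIX_SEMANTICS"
"10:00:05.0000005","notepad.exe","7002","CreateFile","C:\Temp\e.txt","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened"
"10:00:06.0000006","FastCopy.exe","5210","SetDispositionInformationFile","C:\Temp\f.txt","SUCCESS","Delete: False"
"10:00:07.0000007","cmd.exe","4120","CreateFile","C:\Temp\g.txt","ACCESS DENIED","Desired Access: Read Attributes, Delete, Disposition: Open, Options: Non-Directory File, Open Reparse Point, Delete On Close, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a"
'''


def classify(row):
    """Return the kind of delete a Procmon row represents, or None.

    Mirrors the three filters from the answer: CreateFile with
    "Delete On Close", SetRenameInformationFile into $Recycle.Bin, and
    the disposition-based deletes used by lower-level tools.
    """
    op = row["Operation"]
    detail = row["Detail"].lower()  # Procmon "Contains" is case-insensitive
    if op == "CreateFile" and "delete on close" in detail:
        return "delete-on-close"
    if op == "SetRenameInformationFile" and "$recycle.bin" in detail:
        return "recycle-bin"
    if op == "SetDispositionInformationFile" and "delete: true" in detail:
        return "disposition-delete"
    if op == "SetDispositionInformationEx" and "file_disposition_delete" in detail:
        return "disposition-ex-delete"
    return None


def find_deletes(csv_text):
    """Return every delete-like event as a dict, including failed attempts."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind = classify(row)
        if kind is None:
            continue
        events.append({
            "time": row["Time of Day"],
            "process": row["Process Name"],
            "pid": row["PID"],
            "path": row["Path"],
            "kind": kind,
            # Only a SUCCESS result means the file actually went away.
            "succeeded": row["Result"] == "SUCCESS",
        })
    return events


def who_deleted(csv_text, path):
    """Return (process, pid, kind) for each successful delete of `path`.

    NTFS paths are case-insensitive, so the comparison is too.
    """
    wanted = path.lower()
    return [
        (e["process"], e["pid"], e["kind"])
        for e in find_deletes(csv_text)
        if e["succeeded"] and e["path"].lower() == wanted
    ]


if __name__ == "__main__":
    for e in find_deletes(SAMPLE_CSV):
        status = "deleted" if e["succeeded"] else "attempted"
        print(f'{e["time"]} {e["process"]} (PID {e["pid"]}) {status} {e["path"]} via {e["kind"]}')
```

Replace SAMPLE_CSV with the contents of a real export (open(path, encoding="utf-8-sig") handles the BOM Procmon writes) and call who_deleted with the path you lost; a recycle-bin hit tells you the file is still recoverable from $Recycle.Bin, while the other three kinds mean it was removed outright.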