With that filter in place I am not getting File deletes. The source account is not SYSTEM here. Its a user.
I am trying to create a filter that shows file deletes, writes and creates but not show form EventInfo .TMP files, NT Authority\SYSTEM doing something to the file and ~$ files.
It seems like I cannot get the right combo down. Not even sure its possible. I know a lot of this spends on what Windows shows. I do see many people with the same questions
