Windows XP ETW FileDeleted events


I've been using Windows ETW pretty extensively to gather information on processes and files in my C++ application. I've been converting the MofData of the events into the appropriate structure to pull out information from the events. It seemed to work fine until I tested file events on Windows XP.

I found that I was not checking for the appropriate type on Windows XP and am now capturing file created events by checking for EVENT_TRACE.Header.Class.Type == 0 for a FileIo_V1_Name event (reference). This seems to work fairly well, although I know I have to do some trickery to resolve the drive letter.

Knowing this, my question is: Is there any way to gather FileDeleted events through ETW on Windows XP? I couldn't find a class that would relate this information. I do know that this class is used in Windows Vista+, but XP support is a must. I know this is a fairly specific topic, so any information is greatly appreciated.

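An added example of the MofData decoding the question describes, not code from the poster; it assumes the documented MOF layout of FileIo_V1_Name (a pointer-sized FileObject followed by a null-terminated UTF-16LE FileName holding an NT device path) and that the consumer derives the pointer size from the trace header's 32-bit flag, and it refuses to read past MofLength rather than trusting the event:

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Parsed view of a FileIo_V1_Name payload. Assumed MOF layout: a pointer-sized
// FileObject, then a null-terminated UTF-16LE FileName. The name is an NT
// device path (\Device\HarddiskVolumeN\...), which is why a drive-letter
// mapping step is still needed afterwards.
struct FileIoName {
    uint64_t fileObject = 0;
    std::u16string fileName;
    bool ok = false;           // false when the buffer is short or unterminated
};

// Decode MofData for a FileIo_V1_Name event (Header.Class.Type == 0).
// pointerSize is 4 for a 32-bit XP trace (EVENT_HEADER_FLAG_32_BIT_HEADER set),
// 8 otherwise; using the wrong size silently misaligns the FileName field.
FileIoName parseFileIoName(const uint8_t* mofData, size_t mofLength, size_t pointerSize) {
    FileIoName out;
    if (mofData == nullptr || (pointerSize != 4 && pointerSize != 8) || mofLength < pointerSize)
        return out;
    for (size_t i = 0; i < pointerSize; ++i)            // little-endian field
        out.fileObject |= static_cast<uint64_t>(mofData[i]) << (8 * i);
    const uint8_t* p = mofData + pointerSize;
    size_t remaining = mofLength - pointerSize;
    for (size_t i = 0; i + 1 < remaining; i += 2) {      // never read past MofLength
        uint16_t unit = static_cast<uint16_t>(p[i] | (static_cast<uint16_t>(p[i + 1]) << 8));
        if (unit == 0) { out.ok = true; return out; }
        out.fileName.push_back(static_cast<char16_t>(unit));
    }
    return out;  // terminator missing: treat the event as malformed, not as a path
}

// Constructed sample payload shaped like a 32-bit XP kernel logger event.
std::vector<uint8_t> buildSample32(uint32_t fileObject, const std::string& asciiPath, bool terminate = true) {
    std::vector<uint8_t> buf;
    for (size_t i = 0; i < 4; ++i) buf.push_back(static_cast<uint8_t>(fileObject >> (8 * i)));
    for (char c : asciiPath) { buf.push_back(static_cast<uint8_t>(c)); buf.push_back(0); }
    if (terminate) { buf.push_back(0); buf.push_back(0); }
    return buf;
}

// Narrow an ASCII-only UTF-16 path for display and checks.
std::string narrow(const std::u16string& s) {
    std::string r;
    for (char16_t c : s) r.push_back(c < 0x80 ? static_cast<char>(c) : '?');
    return r;
}
```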

There are 0 answers