The file system audit policy in Windows allows to monitor all access events to specific files and folders on a disk. An administrator can enable the audit policy to identify file and folder creation, read, modification, and deletion events on the NTFS file system. File system auditing is most commonly used to control access and changes to shared network folders on Windows file servers that multiple users can access simultaneously.<\/p>\n
File system object access auditing is not enabled by default in Windows. Access auditing can be enabled via Group Policy. To configure the audit policy on a standalone server, use the local Group Policy Editor console<\/a> ( Or enable the local file system audit policy from the command prompt.<\/p>\n List available audit categories:<\/p>\n Enable auditing of successful file system object access events:<\/p>\n Check current audit settings:<\/p>\n Even if a policy is enabled to audit access to files and folders, no actual events are sent to the Event Viewer. Audit settings for the files and folders to be monitored must be manually enabled and configured by the administrator.<\/p>\n For example, your task is to track read\/change\/create events for all files in C:Docs<\/em> folder.<\/p>\n To enable auditing for a specific directory, PowerShell can be used:<\/p>\n To list the folder audit settings, you can use the following command:<\/p>\n If you want to recursively scan all directories and identify the subfolders with file system auditing enabled, you can use this script:<\/p>\n $folders=Get-ChildItem “c:docs” -Recurse | Where-Object {$_.PSIsContainer}<\/p>\n foreach ($folder in $folders)<\/p>\n {<\/p>\n $auditacl=(Get-Acl $folder.FullName -Audit).Audit<\/p>\n if ($auditacl -ne “”) { write-host $folder.FullName }<\/p>\n }<\/p>\n The audit policy will write a log to the Event Viewer if any actions are performed on files in the folder with auditing enabled. To view events:<\/p>\n File name: type of operation (write to file in this case): Accesses: However, the Event Viewer console\u2019s filtering and search capabilities are quite poor, and using it to search for all actions on a particular file is inconvenient.<\/p>\n It is better to use PowerShell to find and list all access events for a particular file system object. The following PowerShell script finds and lists all access events for a specified file in Event Viewer (the Get-WinEvent cmdlet<\/a> is used to query the Event Viewer):<\/p>\n $fileName = “C:\\docsew_test_file.txt”<\/p>\n $results = Get-WinEvent -FilterHashtable @{logname=’Security’; id=4663,4659} |`<\/p>\n Where-Object { $_.message -match $fileName -and $_.message -notmatch “Account Name:s*machine$*”}`<\/p>\n foreach ($result in $results) {<\/p>\n $Account = $result.properties[1].Value<\/p>\n $objectName = $result.properties[6].Value<\/p>\n $accessMask = $result.properties[8].Value<\/p>\n if ( $accessMask -like “*00000000-*”) { $accessMask=$result.properties[9].Value}<\/p>\n $accessMask2 = $result.properties[9].Value<\/p>\n $fileOperation = “”<\/p>\n switch -Wildcard ($accessMask) {<\/p>\n “*%%1538*” { $fileOperation = “READ_CONTROL” }<\/p>\n “*%%4416*” { $fileOperation = “ReadData (or ListDirectory)” }<\/p>\n “*%%4417*” { $fileOperation = “WriteData (or AddFile)” }<\/p>\n “*%%4418*” { $fileOperation = “AppendData (or AddSubdirectory or CreatePipeInstance)” }<\/p>\n “*%%4419*” { $fileOperation = “ReadEA” }<\/p>\n “*%%4420*” { $fileOperation = “WriteEA” }<\/p>\n “*%%4423*” { $fileOperation = “ReadAttributes” }<\/p>\n “*%%4424*” { $fileOperation = “WriteAttributes” }<\/p>\n “*%%4426*” { $fileOperation = “Delete” }<\/p>\n “*%%4428*” { $fileOperation = “ReadControl” }<\/p>\n “*%%4429*” { $fileOperation = “WriteDAC” }<\/p>\n “*%%4430*” { $fileOperation = “WriteOwner” }<\/p>\n “*%%4432*” { $fileOperation = “Synchronize” }<\/p>\n “*%%4433*” { $fileOperation = “AccessSystemSecurity” }<\/p>\n “*%%4434*” { $fileOperation = “MaximumAllowed” }<\/p>\n “*%%4436*” { $fileOperation = “GenericAll” }<\/p>\n “*%%4437*” { $fileOperation = “GenericExecute” }<\/p>\n “*%%4438*” { $fileOperation = “GenericWrite” }<\/p>\n “*%%4439*” { $fileOperation = “GenericRead” }<\/p>\n “*%%1537*” { $fileOperation = “DELETE” }<\/p>\n default { $fileOperation = “Unknown” }<\/p>\n }<\/p>\n Write-Host $result.Id $result.TimeCreated $Account $objectName $fileOperation<\/p>\n }<\/p>\n Write-Host $result.Id $result.TimeCreated $Account $objectName $fileOperation<\/p>\n }<\/p>\n You can send the resulting list of access audit events to your log collector, database, text log file<\/a>, or send an email notification using Send-MailMessage<\/a> when a monitored file is accessed\/modified.<\/p>\n The file system audit policy in Windows allows to monitor all access events to specific files and folders on a disk. An administrator can enable the audit policy to identify file and folder creation, read, modification, and deletion events on the NTFS file system. File system auditing is most commonly used to control access and […]<\/p>\n","protected":false},"author":1,"featured_media":9831,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[143,117,100],"tags":[],"class_list":["post-9830","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-group-policies","category-powershell","category-windows-server-2019"],"_links":{"self":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/9830","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/comments?post=9830"}],"version-history":[{"count":2,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/9830\/revisions"}],"predecessor-version":[{"id":10306,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/posts\/9830\/revisions\/10306"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media\/9831"}],"wp:attachment":[{"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/media?parent=9830"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/categories?post=9830"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cheapwindowsvps.com\/blog\/wp-json\/wp\/v2\/tags?post=9830"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}gpedit.msc<\/code>). If you need to enable the audit policy on multiple computers in an AD domain, use the domain GPO management console<\/a> (gpmc.msc<\/code>).<\/p>\n\n
gpupdate \/force<\/code><\/li>\n<\/ol>\nAuditPol.exe \/list \/subcategory:*<\/code><\/p>\nAuditPol.exe \/set \/subcategory:\"File System\" \/success:enable<\/code><\/p>\nAuditPol.exe \/get \/category:\"Object Access\"<\/code><\/p>\n<\/div>\nHow to Apply an Audit Policy to a Folder or File in Windows<\/h2>\n
\n
Success<\/code>)<\/li>\nList folder\/read data<\/code>, Create files \/ write data<\/code>, Create folders \/ append data<\/code>)<\/li>\n<\/ol>\n\n
$Path = \"C:Docs\"
\n$AuditChangesRules = New-Object System.Security.AccessControl.FileSystemAuditRule('BUILTINUsers', 'Delete,DeleteSubdirectoriesAndFiles', 'none', 'none', 'Success')
\n$Acl = Get-Acl -Path $Path
\n$Acl.AddAuditRule($AuditChangesRules)
\nSet-Acl -Path $Path -AclObject $Acl<\/code><\/p>\n(Get-Acl \"C:Docs\" -Audit).Audit<\/code><\/p>\n<\/code><\/p>\nViewing File System Access Events on Windows<\/h2>\n
\n
eventvwr.msc<\/code>)<\/li>\nMicrosoft Windows security auditing<\/code>, Task Category: File System<\/code><\/p>\n\n
An attempt was made to access an object<\/code>\u201c) contains information about the user who interacted with the file:<\/li>\n<\/ul>\nAccount Name<\/code>:<\/p>\nobject_name<\/code>:<\/p>\nWriteData (or AddFile)<\/code><\/p>\n<\/pre>\n