Saturday, 1 November 2014

How to Track File Access, Modify and Delete Actions in Windows Folder

Monitoring who accessed, modified, created, or deleted a file in a Windows folder is one of the most frequent tasks for an administrator. In Windows, we can easily track who accessed or modified a particular file, and when, by using the built-in Windows Auditing. File access and file change auditing is controlled by two settings: the Object Access Audit Policy in Group Policy, and the Audit Security (SACL) of the file or folder we want to monitor. Once we have configured these two settings, we get the following two events for every file access and file change.

Event 4656 - A handle to access a file or folder was requested.
Event 4663 - An attempt was made to access or change a file (file create, file delete and file change).

Steps to Enable Object Access (File Access) Audit Policy

This audit security setting determines whether the OS audits user attempts to access files and folders. File Access Audit events are generated only for files or folders that have a system access control list (SACL) specified, so don't forget to configure File Access Audit Security (SACL) on the file whose user access activity you want to monitor.

Follow the steps below to configure the File Access Audit Policy to monitor file access, file deletion, file change and file creation:

Note: To get the events, you should also configure the File Access Audit Security settings on the folder or file whose file access and file change you want to monitor.

1. Open the Local Security Policy by running the command secpol.msc.

2. Navigate to the node Audit Policy (Security Settings/Local Policies/Audit Policy). In the right-hand pane, select the setting Audit object access.

3. Double-click Audit object access, and check the audit options Success and Failure to monitor successful file accesses as well as access-denied file accesses and file changes.

4. Click Apply to save the setting.

Steps to Enable File Access Audit Security (SACL)


The System Access Control List (SACL) determines whether file access events are generated for a particular file. Therefore you should enable the SACL on the file or folder whose file access and file change events you want to monitor or track.

Follow the steps below to enable File Access Audit Security:

1. Right-click the folder on which you want to configure audit events, and click Properties.

2. Select the Security tab, and click the Advanced button.

3. Navigate to the Audit tab, and click the Add button.

4. Select the account Everyone, check the Successful and Failed audit options you want to audit, click OK, and then click Apply.

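Both settings above (the Object Access audit policy and the folder's audit entry) can also be applied from an elevated PowerShell prompt. The script below is an added example and is not part of the original post: it uses auditpol.exe for the audit policy, which is the command-line equivalent of the secpol.msc steps, and Get-Acl/Set-Acl for the folder's SACL, which is the equivalent of the Properties > Security > Advanced > Auditing steps. The folder path C:\Data\Confidential is a placeholder you should replace with the folder you want to monitor.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt: changing the audit policy and writing a SACL both need administrator
# rights. $Folder is a placeholder; point it at the folder you want to monitor.
$Folder = 'C:\Data\Confidential'

# --- Part 1: Object Access audit policy (equivalent of the secpol.msc steps) ---
# "File System" is the Object Access subcategory that produces events
# 4656, 4663 and 4670. Enabling Success and Failure matches the two GUI checkboxes.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# Read the setting back to confirm it was applied.
auditpol.exe /get /subcategory:"File System"

# --- Part 2: audit entry (SACL) on the folder (equivalent of Properties >
# Security > Advanced > Auditing > Add) ---
# -Audit is required: without it Get-Acl returns only the DACL and Set-Acl
# would not write the SACL.
$acl = Get-Acl -Path $Folder -Audit

# Identity Everyone, as in the post. Modify covers read, write, create and
# delete (so 4656/4663 are produced for all of those); ChangePermissions is
# what makes 4670 fire. ContainerInherit + ObjectInherit push the entry down
# to subfolders and files. Success + Failure audits both outcomes.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    'Modify, ChangePermissions',
    'ContainerInherit, ObjectInherit',
    'None',
    'Success, Failure')

$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify: the Audit property lists the SACL entries now present on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Two practical caveats: if the machine is domain-joined and the Advanced Audit Policy is managed by Group Policy, the local auditpol change is overwritten at the next policy refresh, so make the change in the GPO instead; and auditing Success for Everyone on a busy share produces a large volume of 4656/4663 events, so size the Security log (or forward it) accordingly.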
File Access Auditing Event IDs

Once you have configured the above two settings, you can see the actual events. To view the file access and file change events, follow the steps below.

1. Open the Run window, type the command eventvwr.msc, and click OK.

2. In the Event Viewer console, expand the tree node Windows Logs and select Security.

3. Now you can see many events in the right-hand pane, but to track file access we need to check only two event IDs, 4656 and 4663. To filter on these two events, right-click the Security node and click Filter Current Log.

4. Type the event IDs 4656 and 4663 as comma-separated values and click OK.

5. The result pane now lists only file access events. You can double-click any event and check what type of action was made on the particular file.

4656: This is the first event logged when a user attempts to access the file. It tells what type of access was requested by the user, but not what type of access was actually made (which is given by Event ID 4663).

4663: This event tells what actual operation the user performed on a file: whether the file was created, modified, deleted, or simply accessed.

4670: This event is logged when a user changes the permissions of the file (its access control list). The event contains who changed the permissions, and the old and new permissions.
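The Event Viewer filtering above, and the reading of the three event types just described, can also be scripted. Below is an added example (not from the original post) that pulls events 4656, 4663 and 4670 from the Security log with Get-WinEvent, reads the fields the post talks about (who, which file, from which process, and the requested or exercised access) out of each event's XML, and decodes the numeric AccessMask into names such as DELETE or WriteData. $Folder is a placeholder for the folder you audited; reading the Security log needs an elevated prompt or membership in the Event Log Readers group.

```powershell
# Added example (not from the original post): list file-access events from the
# Security log and decode them into who / which file / which access.
# Assumption: $Folder is the folder you configured auditing on (placeholder).
$Folder = 'C:\Data\Confidential'

# XPath equivalent of Event Viewer > Filter Current Log > Event IDs 4656,4663,4670.
$xpath  = "*[System[(EventID=4656 or EventID=4663 or EventID=4670)]]"
$events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 500

# Access-mask bits as they appear in the AccessMask field of 4656/4663
# (standard Windows file access rights; 0x10000 is DELETE).
$maskNames = [ordered]@{
    0x1     = 'ReadData/ListDirectory'
    0x2     = 'WriteData/AddFile'
    0x4     = 'AppendData/AddSubdirectory'
    0x10    = 'Execute/Traverse'
    0x40    = 'DeleteChild'
    0x80    = 'ReadAttributes'
    0x100   = 'WriteAttributes'
    0x10000 = 'DELETE'
    0x20000 = 'READ_CONTROL'
    0x40000 = 'WRITE_DAC (change permissions)'
    0x80000 = 'WRITE_OWNER'
}

function ConvertTo-AccessNames([string]$Mask) {
    # The event renders AccessMask as a hex string such as "0x10000".
    $value = [Convert]::ToInt32($Mask, 16)
    ($maskNames.Keys | Where-Object { $value -band $_ } |
        ForEach-Object { $maskNames[$_] }) -join ', '
}

$rows = foreach ($e in $events) {
    # Turn the event's EventData into a hashtable keyed by field name
    # (SubjectUserName, ObjectName, AccessMask, HandleId, ProcessName, ...).
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Keep only events about the audited folder; the path is in ObjectName.
    if ($d.ObjectName -and -not $d.ObjectName.StartsWith($Folder, 'OrdinalIgnoreCase')) { continue }

    [pscustomobject]@{
        Time     = $e.TimeCreated
        EventId  = $e.Id
        User     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Process  = $d.ProcessName
        Object   = $d.ObjectName
        # 4656 = access requested, 4663 = access actually exercised; 4670 has no mask.
        Access   = if ($d.AccessMask) { ConvertTo-AccessNames $d.AccessMask } else { '' }
        HandleId = $d.HandleId
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
```

The HandleId column is what ties the events together: a 4656 and the 4663 events that follow it for the same handle show the difference the post describes between the access that was requested and the access that was actually exercised, and a 4663 whose Access column reads DELETE is the entry to look for when a file has gone missing.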

Event 4663 - Delete File Event Source:

[Screenshot: File Access Audit Event - 4663 (not reproduced)]



2 comments:

  1. What do you think about
    http://www.trimideas.com/2015/04/auditing-changed-deleted-files.html
    and (because I am really confused :(
    KR,

    Created/modified:
    - Double 4663 event w/ access mask "Delete" indicates a file created.
    - Single 4663 event w/ access mask "Delete" indicates a file modified.
    - Single 4663 event w/ access mask "0x2" indicates a file was modified.

    Deleted:
    - Single 4663 event w/ access mask "Delete", followed by event 4660 w/ the same handle ID.
    - Single 4659 event.

    Renamed/Moved:
    - Single 4663 event w/ access mask "Delete" followed by another 4663 event w/ "Read Attributes" and the same handle ID.
