Event ID 5145 – Detailed File Share Auditing

Description

   The Event ID 5145 is controlled by the security policy setting Detailed File Share Auditing which allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed and it includes detailed information about the permissions or other criteria used to grant or deny access.

Note: Event 5145 – Detailed File Share Auditing is available only from Windows 2008 R2 and later versions/Windows 7 and later versions.

Summary

Event 5145 Sample Source

  This is the sample event (5145) source which I got while renaming(Rename Action) the New Text Document.txt file

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          29/10/2013 1:43:34 PM
Event ID:      5145
Task Category: Detailed File Share
Keywords:      Audit Success
Computer:      myfileServer.myDomain.local
Description:
A network share object was checked to see whether client can be granted desired access.
 
Subject:
 Security ID:  myDomainAdministrator
 Account Name:  Administrator
 Account Domain:  myDomain
 Logon ID:  0x37d7f

Network Information: 
 Object Type:  File
 Source Address:  fe80::7053:e964:a753:6842
 Source Port:  32953
 
Share Information:
 Share Name:  *share
 Share Path:  ??C:share
 Relative Target Name: TestNew Text Document.txt

Access Request Information:
 Access Mask:  0x110080
 Accesses:  DELETE
    SYNCHRONIZE
    ReadAttributes
    
Access Check Results:
 DELETE: Granted by D:(A;OICI;FA;;;WD)
    SYNCHRONIZE: Granted by D:(A;OICI;FA;;;WD)
    ReadAttributes: Granted by D:(A;OICI;FA;;;WD)    

Fine Share Path, Local Path and Source Machine Name

 Find Share Path of the Accessed File:


   In the event source you could see the fields
   Share Name: *share
   Relative Target Name: TestNew Text Document.txt

  – now replace * value in  Share Name: by fileServerName —>myfileServershare
and joining this value with Relative Target Name: will gives the complete share path of the changed file 

    Full share path: myfileServershareTestNew Text Document.txt 

 Find Local Path of the Accessed File:

    In the event source you could see the field
    Share Path: ??C:share – here remove the string ??  and joining this value with Relative Target      Name: will gives the complete local path of the changed file

     Local path: C:shareTestNew Text Document.txt 

 Find user’s Source Machine name:

    One more beauty of this event (5145) is, you can find user’s source machine, it means, from which machine the user has accessed this file server .

   You can see the field      – Source Address: fe80::7053:e964:a753:6842, this is the address of the client computer from which the user accessed this file server.

   You can easily find client machine’s name from Source Address by pinging with the following command

   ping -a  fe80::7053:e964:a753:6842

How to enable Detailed File Share Auditing (Event ID 5145) using Auditpol

     Auditpol.exe is the command line utility tool to change Audit Security settings as category and sub-category level. It is available by default Windows 2008 R2 and later versions/Windows 7 and later versions. By using Auditpol, we can get/set Audit Security settings per user level and computer level.

   Note: You should run Auditpol command with elevated privilege (Run As Administrator);

You can enable audit success event (Event ID 5145) of Detailed File Share Auditing by using following command

Auditpol /set /subcategory:"Detailed File Share" /success:enable

You can enable failure audit event (Event ID 5145) of Detailed File Share Auditing by using following command

Auditpol /set /subcategory:"Detailed File Share" /failure:enable

How to enable Event ID 5145 – Detailed File Share Auditing through Group Policy

    When you enable this setting through Auditpol command, it will apply only to the local system, however, if you want to enable this setting on all the File Servers in entire Active Directory domain, you need to apply this setting via Group Policy.

1. Open Group Policy Management Console by running the command gpmc.msc


2. Expand the domain node, select and right-click on the OU which contains all the file servers, then click Create a GPO in this domain, and link it here…

Event ID 5145 - Detailed File Share Auditing





3. Type the New GPO name and click OK (Ex: FileSharePolicy)

Event 5145 - Detailed File Share Auditing

4. Right-click on the newly created GPO, then click Edit

Enable Event 5145 - Detailed File Share Auditing

5. Expand the Computer Configuration, and go to the node Advanced Audit Policy Configuration (Computer Configuration->Polices->Windows Settings->Security Settings->Advanced Audit Policy Configuration)

6. Expand this node, go to Object Access (Audit Polices->Object Access), then select the Setting
Audit Detailed File Share Audit

Enable Event 5145 - Detailed File Share Auditing





7. Double-click on  Audit Detailed File Share Audit, then check Success and Failure settings, and then click the button Apply.

8. Run the command GPUpdate /force to apply this setting in all the all the File Servers

How to disable/stop Event 5145-Detailed File Share Auditing

    You can disable audit success event (Event ID 5145) of Detailed File Share Auditing by using following command

Auditpol /set /subcategory:"Detailed File Share" /success:disable

You can disable failure audit event (Event ID 5145) of Detailed File Share Auditing by using following command

Auditpol /set /subcategory:"Detailed File Share" /failure:disable

You can also stop this event by removing the success and failure setting from the GPO in the setting path  Computer Configuration->Polices->Windows Settings->Security Settings->Advanced Audit Policy Configuration->Audit Polices->Object Access->Audit Detailed File Share Audit.

You need to refresh/update GPO for every change by running the command GPUpdate/force.

Note : This article is applies to Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.

Thanks,
Morgan
Software Developer

Advertisement

2 thoughts on “Event ID 5145 – Detailed File Share Auditing”

  1. Hello, When we see only delete and ReadAttributes in the access section, does it mean that the file has been deleted?
    Can you help me?
    Have a nice day.

    Reply

Leave a Comment