Tracking access to folders
#1
Posted 08 July 2011 - 10:28 AM
#2
Posted 09 July 2011 - 11:17 AM
So you could poll all files to look for changes and then log the changes?
The owner can be found also. Probably a vb script could do this.
See http://www.activexpe...odification.htm
Ensure NTFS Last Access tracking is enabled via setting the registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate' to '0'.
#3
Posted 09 July 2011 - 02:40 PM
Windows XP can do it by design check this Microsoft article
"How to audit user access of files, folders, and printers in Windows XP"
http://support.micro...kb/310399/en-us
#4
Posted 11 July 2011 - 04:36 AM
@Rui PazWindows XP can do it by design check this Microsoft article
"How to audit user access of files, folders, and printers in Windows XP"
http://support.micro...kb/310399/en-us
Can you tell me how to or where from the audit log can be accessed?
#5
Posted 11 July 2011 - 04:39 AM
@steve6375If it is an NTFS folder, then you should be able to look at last access times and who has file open or who last modified it, etc.
So you could poll all files to look for changes and then log the changes?
Thank you for your help.
Do you have any idea that how to programmatically access the name of the user who has added/deleted/modified something contained in folder residing on NTFS file system?
#6
Posted 11 July 2011 - 06:35 AM
#7
Posted 11 July 2011 - 09:22 PM
@Rui Paz
Can you tell me how to or where from the audit log can be accessed?
Hi,
The access information is written to the Windows Event Log on the Security events.
#8
Posted 12 July 2011 - 08:32 AM
Actually, i've found the location by googling earlier. But, I couldn't find any way either to programmatically access the log or to filter out the required (i.e. access to specific object) events.The access information is written to the Windows Event Log on the Security events.
#9
Posted 12 July 2011 - 09:36 AM
Hmm , that's probably beacause your google-fu is not yet fully developed .Actually, i've found the location by googling earlier. But, I couldn't find any way either to programmatically access the log or to filter out the required (i.e. access to specific object) events.
See if this fits:
http://www.nirsoft.n...ent_viewer.html
Wonko
#10
Posted 12 July 2011 - 12:19 PM
Run from Admin shell using cscript mytest.vbs
On Error Resume Next Set dtmConvertedDate = CreateObject("WbemScripting.SWbemDateTime") intRecordNum = 0 Set objWMI = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2") Set colLoggedEvents = objWMI.ExecQuery ("Select * from Win32_NTLogEvent Where Logfile = 'Security'" ) For Each objItem in colLoggedEvents dtmConvertedDate.Value = objItem.TimeWritten dtmDate = dtmConvertedDate.GetVarDate Wscript.echo "Source=" & objItem.SourceName & " Time=" & dtmDate Wscript.echo "Category: " & objItem.Category & " string " & objItem.CategoryString Wscript.echo "ComputerName: " & objItem.ComputerName Wscript.echo "Logfile: " & objItem.Logfile & " source " & objItem.SourceName Wscript.echo "EventCode: " & objItem.EventCode Wscript.echo "EventType: " & objItem.EventType Wscript.echo "Type: " & objItem.Type Wscript.echo "User: " & objItem.User Wscript.echo "Message: " & objItem.Message Wscript.echo (" ") intRecordNum = intRecordNum +1 Next WScript.Quit
#11
Posted 12 July 2011 - 05:32 PM
Actually, i've found the location by googling earlier. But, I couldn't find any way either to programmatically access the log or to filter out the required (i.e. access to specific object) events.
Hi,
Just to say you can enable auditing only for the specific folder and that will narrow the results also steve6375 gives you a good example about accessing Event Viewer information with VBScript.
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users