Tracking access to folders

A folder is shared on a Windows XP machine in the network with certain people having read/write privileges. What I have to do is to find ANY means to track the users who are accesing this folder & also the actions (e.g. addition/deletion/modification of files) they are performing. Can anybody sugget any way to do that?

If it is an NTFS folder, then you should be able to look at last access times and who has file open or who last modified it, etc.
So you could poll all files to look for changes and then log the changes?
The owner can be found also. Probably a vb script could do this.

See http://www.activexpe...odification.htm


Ensure NTFS Last Access tracking is enabled via setting the registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate' to '0'.

Hi,

Windows XP can do it by design check this Microsoft article
"How to audit user access of files, folders, and printers in Windows XP"

http://support.micro...kb/310399/en-us

Windows XP can do it by design check this Microsoft article
"How to audit user access of files, folders, and printers in Windows XP"

http://support.micro...kb/310399/en-us

@Rui Paz

Can you tell me how to or where from the audit log can be accessed?

If it is an NTFS folder, then you should be able to look at last access times and who has file open or who last modified it, etc.
So you could poll all files to look for changes and then log the changes?

@steve6375

Thank you for your help.
Do you have any idea that how to programmatically access the name of the user who has added/deleted/modified something contained in folder residing on NTFS file system?

See http://www.activexpe...odification.htm

Search for the word 'owner'

@Rui Paz

Can you tell me how to or where from the audit log can be accessed?

Hi,

The access information is written to the Windows Event Log on the Security events.

The access information is written to the Windows Event Log on the Security events.

Actually, i've found the location by googling earlier. But, I couldn't find any way either to programmatically access the log or to filter out the required (i.e. access to specific object) events.

Actually, i've found the location by googling earlier. But, I couldn't find any way either to programmatically access the log or to filter out the required (i.e. access to specific object) events.

Hmm , that's probably beacause your google-fu is not yet fully developed .
See if this fits:
http://www.nirsoft.n...ent_viewer.html


Wonko

Here is vbs script

Run from Admin shell using cscript mytest.vbs

On Error Resume Next

Set dtmConvertedDate = CreateObject("WbemScripting.SWbemDateTime")



intRecordNum = 0

Set objWMI = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")

Set colLoggedEvents = objWMI.ExecQuery ("Select * from Win32_NTLogEvent Where Logfile = 'Security'" )



For Each objItem in colLoggedEvents

	dtmConvertedDate.Value = objItem.TimeWritten

	dtmDate = dtmConvertedDate.GetVarDate

	Wscript.echo "Source=" & objItem.SourceName & " Time=" & dtmDate

	Wscript.echo "Category: " & objItem.Category & " string " & objItem.CategoryString 

	Wscript.echo "ComputerName: " & objItem.ComputerName 

	Wscript.echo "Logfile: " & objItem.Logfile & " source " & objItem.SourceName 

	Wscript.echo "EventCode: " & objItem.EventCode 

	Wscript.echo "EventType: " & objItem.EventType 

	Wscript.echo "Type: " & objItem.Type 

	Wscript.echo "User: " & objItem.User 

	Wscript.echo "Message: " & objItem.Message

	Wscript.echo (" ")

	intRecordNum = intRecordNum +1

Next



WScript.Quit

Actually, i've found the location by googling earlier. But, I couldn't find any way either to programmatically access the log or to filter out the required (i.e. access to specific object) events.

Hi,

Just to say you can enable auditing only for the specific folder and that will narrow the results also steve6375 gives you a good example about accessing Event Viewer information with VBScript.