Tracking access to folders


10 replies to this topic

#1 Holmes.Sherlock

Holmes.Sherlock

    Gold Member

  • Team Reboot
  • 1,396 posts
  • Location:India
  •  
    India

Posted 08 July 2011 - 10:28 AM

A folder is shared on a Windows XP machine in the network with certain people having read/write privileges. What I have to do is to find ANY means to track the users who are accessing this folder & also the actions (e.g. addition/deletion/modification of files) they are performing. Can anybody suggest any way to do that?

#2 steve6375

steve6375

    Platinum Member

  • Developer
  • 5,276 posts
  • Location:UK
  • Interests:computers (!), programming (masm,vb6,C,vbs), OSes, photography,TV,films,guitars
  •  
    United Kingdom

Posted 09 July 2011 - 11:17 AM

If it is an NTFS folder, then you should be able to look at last access times and who has a file open or who last modified it, etc.
So you could poll all files to look for changes and then log the changes?
The owner can be found also. Probably a vb script could do this.

See http://www.activexpe...odification.htm


Ensure NTFS Last Access tracking is enabled via setting the registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate' to '0'.



#3 Rui Paz

Rui Paz

    Frequent Member

  • Advanced user
  • 188 posts
  •  
    Portugal

Posted 09 July 2011 - 02:40 PM

Hi,

Windows XP can do it by design; check this Microsoft article:
"How to audit user access of files, folders, and printers in Windows XP"

http://support.micro...kb/310399/en-us

#4 Holmes.Sherlock

Posted 11 July 2011 - 04:36 AM

Windows XP can do it by design; check this Microsoft article:
"How to audit user access of files, folders, and printers in Windows XP"

http://support.micro...kb/310399/en-us

@Rui Paz

Can you tell me how or from where the audit log can be accessed?

#5 Holmes.Sherlock

Posted 11 July 2011 - 04:39 AM

If it is an NTFS folder, then you should be able to look at last access times and who has a file open or who last modified it, etc.
So you could poll all files to look for changes and then log the changes?

@steve6375

Thank you for your help.
Do you have any idea how to programmatically access the name of the user who has added/deleted/modified something contained in a folder residing on an NTFS file system?

#6 steve6375

Posted 11 July 2011 - 06:35 AM

See http://www.activexpe...odification.htm

Search for the word 'owner'

#7 Rui Paz

Posted 11 July 2011 - 09:22 PM

@Rui Paz

Can you tell me how or from where the audit log can be accessed?


Hi,

The access information is written to the Windows Event Log, under the Security events.

#8 Holmes.Sherlock

Posted 12 July 2011 - 08:32 AM

The access information is written to the Windows Event Log, under the Security events.

Actually, I've found the location by googling earlier. But I couldn't find any way either to programmatically access the log or to filter out the required (i.e. access to specific object) events.

#9 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 10,615 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 12 July 2011 - 09:36 AM

Actually, I've found the location by googling earlier. But I couldn't find any way either to programmatically access the log or to filter out the required (i.e. access to specific object) events.

Hmm :cheers:, that's probably because your google-fu is not yet fully developed ;).
See if this fits:
http://www.nirsoft.n...ent_viewer.html

:cheers:
Wonko

#10 steve6375

Posted 12 July 2011 - 12:19 PM

Here is a VBS script

Run from Admin shell using cscript mytest.vbs



' Suppress runtime errors so the loop keeps going if a property cannot be read
On Error Resume Next

' Helper object that converts WMI (CIM) datetime strings to VBScript dates
Set dtmConvertedDate = CreateObject("WbemScripting.SWbemDateTime")

intRecordNum = 0

' Connect to WMI with the Security privilege, which is needed to read the Security log
Set objWMI = GetObject("winmgmts:" & "{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")
' Fetch every event in the Security log
Set colLoggedEvents = objWMI.ExecQuery ("Select * from Win32_NTLogEvent Where Logfile = 'Security'" )

' Print the main fields of each event
For Each objItem in colLoggedEvents
	dtmConvertedDate.Value = objItem.TimeWritten
	dtmDate = dtmConvertedDate.GetVarDate
	Wscript.echo "Source=" & objItem.SourceName & " Time=" & dtmDate
	Wscript.echo "Category: " & objItem.Category & " string " & objItem.CategoryString
	Wscript.echo "ComputerName: " & objItem.ComputerName
	Wscript.echo "Logfile: " & objItem.Logfile & " source " & objItem.SourceName
	Wscript.echo "EventCode: " & objItem.EventCode
	Wscript.echo "EventType: " & objItem.EventType
	Wscript.echo "Type: " & objItem.Type
	Wscript.echo "User: " & objItem.User
	Wscript.echo "Message: " & objItem.Message
	Wscript.echo (" ")
	intRecordNum = intRecordNum +1
Next

WScript.Quit


#11 Rui Paz

Posted 12 July 2011 - 05:32 PM

Actually, I've found the location by googling earlier. But I couldn't find any way either to programmatically access the log or to filter out the required (i.e. access to specific object) events.


Hi,

Just to say you can enable auditing only for the specific folder, and that will narrow the results. Also, steve6375 gives you a good example of accessing Event Viewer information with VBScript.
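
Added example, not written by anyone in this thread: a variant of the WMI query from post #10 that filters the Security log down to accesses of one audited folder, which is the filtering asked about in post #8. The folder path and the 24-hour window are assumed values, and event ID 560 (the "Object Open" audit event on Windows XP / Server 2003) is not named in the thread.

```vbscript
' Added example, not from the thread. AUDITED_FOLDER and HOURS_BACK are assumed values.
Option Explicit

Const AUDITED_FOLDER = "C:\Shared"   ' hypothetical path of the audited folder
Const HOURS_BACK = 24                ' only look at recent events

Dim objWMI, colEvents, objItem, dtmCutoff, dtmEvent, strQuery, intHits

' Build a WMI (CIM) datetime string for the start of the time window
Set dtmCutoff = CreateObject("WbemScripting.SWbemDateTime")
dtmCutoff.SetVarDate DateAdd("h", -HOURS_BACK, Now), True

Set dtmEvent = CreateObject("WbemScripting.SWbemDateTime")
Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate,(Security)}!\\.\root\cimv2")

' Event 560 is "Object Open" on Windows XP / Server 2003. Filtering in WQL
' keeps WMI from returning the whole Security log.
strQuery = "Select * from Win32_NTLogEvent Where Logfile = 'Security' " & _
           "And EventCode = 560 And TimeWritten >= '" & dtmCutoff.Value & "'"
Set colEvents = objWMI.ExecQuery(strQuery)

intHits = 0
For Each objItem In colEvents
    ' The object name (file path) appears in the event message text
    If Not IsNull(objItem.Message) Then
        If InStr(1, objItem.Message, AUDITED_FOLDER, vbTextCompare) > 0 Then
            dtmEvent.Value = objItem.TimeWritten
            WScript.Echo "Time: " & dtmEvent.GetVarDate & "  User: " & objItem.User
            WScript.Echo objItem.Message
            WScript.Echo String(60, "-")
            intHits = intHits + 1
        End If
    End If
Next

WScript.Echo intHits & " matching event(s) in the last " & HOURS_BACK & " hour(s)"
```

Run it the same way as the script in post #10, with cscript from an Admin shell; it only returns results once auditing has been enabled on the folder as described in the Microsoft article linked in post #3.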



