Xp file monitor

5/8/2023

In Windows XP, to get to the policy editor, click on Start and then Run. In the text box, type "gpedit.msc" without the quotes. In Windows 7, you would just click on the Start button and type gpedit.msc into the search box at the bottom of the Start Menu. In Windows 8, simply go to the Start Screen and start typing, or move your mouse cursor to the far top or bottom right of the screen to open the Charms bar and click on Search. The policy editor should now open.

There are two main categories of policies: User and Computer. As you might have guessed, the user policies control the settings for each user, whereas the computer settings are system-wide settings and will affect all users. In our case we want our setting to apply to all users, so we'll expand the Computer Configuration section.

Continue expanding to Windows Settings -> Security Settings -> Local Policies -> Audit Policy. I'm not going to explain much of the other settings here since this is primarily focused on auditing a folder. Now you'll see a set of policies and their current settings on the right-hand side. Audit policy is what controls whether or not the operating system is configured and ready to track changes.

Now check the setting for Audit Object Access by double-clicking on it and selecting both Success and Failure. Click OK and we're done with the first part, which is telling Windows that we want it to be ready to monitor changes. The next step is to tell it what EXACTLY we want to track. You can close out of the Group Policy console now.

Now navigate, using Windows Explorer, to the folder that you would like to monitor. In Explorer, right-click on the folder and click Properties. Click on the Security tab, then click on the Advanced button and click on the Auditing tab. This is where we'll actually configure what we want to monitor for this folder.

A dialog will appear asking you to select a User or Group. In the box, type in the word "users" and click Check Names. The box will automatically update with the name of the local users group for your computer in the form COMPUTERNAME\Users.

Click OK and you'll get another dialog called "Audit Entry for X". This is the real meat of what we've been wanting to do. Here is where you'll select what you want to watch for this folder. You can individually choose which types of activity you want to track, such as deleting or creating new files/folders, etc. To make things easier, I suggest selecting Full Control, which will automatically select all the other options below it. This way, whatever is done to that folder or the files within it, you will have a record.

Now click OK, click OK again, and OK one more time to get out of the set of dialog boxes. And now you have successfully configured auditing on a folder! So you might ask, how do you view the events?

In order to view the events, you need to go to the Control Panel and click on Administrative Tools. Click on the Security section and you'll see a large listing of events on the right-hand side.

If you go ahead and create a file or simply open the folder, and then click the Refresh button in the Event Viewer (the button with the two green arrows), you'll see a bunch of events in the category of File System. These pertain to any delete, create, read, or write operations on the folders/files you are auditing. In Windows 7, everything now shows up under the File System task category, so in order to see what happened, you'll have to click on each one and scroll through it.

To make it easier to look through so many events, you can apply a filter and see just the important stuff. Click on the View menu at the top and click on Filter. If there is no option for Filter, then right-click on the Security log in the left-hand pane and choose Filter Current Log. In the Event ID box, type in the number 4656. This is the event associated with a particular user performing a File System action, and it will give you the relevant information without your having to look through thousands of entries.

If you want to get more information about an event, simply double-click on it to view it. This is the information from the screen above:

Object Name: C:\Users\Aseem\Desktop\Tufu\New Text Document.txt
Transaction ID:
AppendData (or AddSubdirectory or CreatePipeInstance)
Access Reasons: READ_CONTROL: Granted by Ownership
SYNCHRONIZE: Granted by D:(A;ID;FA;;;S-1-5-21-597862309-2018615179-2090787082-1000)

As you read through this, you can see I accessed Address Labels.docx using the WINWORD.EXE program, my accesses included READ_CONTROL, and my access reasons were also READ_CONTROL.
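The three parts of this procedure (turning on Audit Object Access, adding an audit entry for Users with Full Control on the folder, and filtering the Security log for event 4656) can also be scripted. The PowerShell below is an added example, not part of the original article; it assumes Windows 7 or later, an elevated prompt, and an English-language system, and `C:\AuditDemo` and the function name `Get-FolderAuditEvent` are hypothetical.

```powershell
# Added example, not from the original article. Run elevated on Windows 7 or later.
$Folder = 'C:\AuditDemo'   # hypothetical folder to monitor

# Part 1: audit policy. Same effect as selecting Success and Failure for
# "Audit Object Access" in the policy editor.
auditpol /set /category:"Object Access" /success:enable /failure:enable

# Part 2: audit entry on the folder for the local Users group: Full Control,
# success and failure, inherited by subfolders and files.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'BUILTIN\Users',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl = Get-Acl -Path $Folder -Audit   # -Audit also loads the audit entries
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Part 3: the Event ID 4656 filter, narrowed to objects under the folder and
# reduced to the fields the article reads off the event details.
function Get-FolderAuditEvent {
    param([string]$Path, [int]$MaxEvents = 1000)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the event's named data fields into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            if ($data['ObjectName'] -like "$Path*") {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    User       = $data['SubjectUserName']
                    Process    = $data['ProcessName']
                    Object     = $data['ObjectName']
                    AccessMask = $data['AccessMask']
                }
            }
        }
}

Get-FolderAuditEvent -Path $Folder | Format-Table -AutoSize
```

Full Control auditing for every user is noisy, so the size of the Security log limits how far back these events go.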