{"id":251,"date":"2013-04-25T03:30:56","date_gmt":"2013-04-25T03:30:56","guid":{"rendered":"http:\/\/www.itcrumbs.com\/?p=251"},"modified":"2019-02-07T04:40:11","modified_gmt":"2019-02-07T04:40:11","slug":"how-can-i-figure-out-which-user-modified-a-file","status":"publish","type":"post","link":"http:\/\/www.itcrumbs.com\/?p=251","title":{"rendered":"How can I figure out which user modified a file?"},"content":{"rendered":"<p><a title=\"http:\/\/blogs.msdn.com\/b\/oldnewthing\/archive\/2013\/04\/18\/10412074.aspx\" href=\"http:\/\/blogs.msdn.com\/b\/oldnewthing\/archive\/2013\/04\/18\/10412074.aspx\">http:\/\/blogs.msdn.com\/b\/oldnewthing\/archive\/2013\/04\/18\/10412074.aspx<\/a><\/p>\n<p>The <code>Get\u00adFile\u00adTime<\/code> function will tell you <i>when<\/i> a file was last modified, but it won&#8217;t tell you who did it. Neither will <code>Find\u00adFirst\u00adFile<\/code>, <code>Get\u00adFile\u00adAttributes<\/code>, <code>Read\u00adDirectory\u00adChangesW<\/code>, or <code>File\u00adSystem\u00adWatcher<\/code>. <\/p>\n<p>None of these file system functions will tell you which user modified a file because the file system doesn&#8217;t keep track of which user modified a file. But there is somebody who <i>does<\/i> keep track: The security event log. <\/p>\n<p>To generate an event into the security event log when a file is modified, you first need to enable auditing on the system. In the <i>Local Security Policy<\/i> administrative tool, go to <i>Local Policies<\/i>, and then double-click <i>Audit Policy<\/i>. (These steps haven&#8217;t changed <a href=\"http:\/\/support.microsoft.com\/kb\/300549\">since Windows 2000<\/a>; the only thing is that the Administrative Tools folder <a href=\"http:\/\/support.microsoft.com\/kb\/310399\">moves around a bit<\/a>.) 
Under <i>Audit Object Access<\/i>, say that you want an audit raised when access is successfully granted by checking <i>Success (An audited security access attempt that succeeds)<\/i>. <\/p>\n<p>Once auditing is enabled, you can then mark the files that you want to track modifications to. On the <i>Security<\/i> tab of each file you are interested in, go to the <i>Auditing<\/i> page, and select <i>Add<\/i> to add the user you want to audit. If you want to audit all accesses, then you can choose <i>Everyone<\/i>; if you are only interested in auditing a specific user or users in specific groups, you can enter the user or group. <\/p>\n<p>After specifying whose access you want to monitor, you can select what actions should generate security events. In this case, you want to check the <i>Successful<\/i> box next to <i>Create files \/ write data<\/i>. This means &quot;Generate a security event when the user requests and obtains permission to create a file (if this object is a directory) or write data (if this object is a file).&quot; <\/p>\n<p>If you want to monitor an entire directory, you can set the audit on the directory itself and specify that the audit should apply to objects within the directory as well. <\/p>\n<p>After you&#8217;ve set up your audits, you can view the results in <i>Event Viewer<\/i>. <\/p>\n<p>This technique of using auditing to track who is generating modifications also works for registry keys: Under the <i>Edit<\/i> menu, select <i>Permissions<\/i>. <\/p>\n<p><b>Exercise<\/b>: You&#8217;re trying to debug a problem where a file gets deleted mysteriously, and you&#8217;re not sure which program is doing it. 
How can you use this technique to log an event when that specific file gets deleted?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>http:\/\/blogs.msdn.com\/b\/oldnewthing\/archive\/2013\/04\/18\/10412074.aspx &#160; The Get\u00adFile\u00adTime function will tell you when a file was last modified, but it won&#8217;t tell you who did it. Neither will Find\u00adFirst\u00adFile, Get\u00adFile\u00adAttributes, Read\u00adDirectory\u00adChangesW, or File\u00adSystem\u00adWatcher. None of these file system functions will tell you which user modified a file because the file system doesn&#8217;t keep track of which user [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-251","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=\/wp\/v2\/posts\/251","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=251"}],"version-history":[{"count":1,"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=\/wp\/v2\/posts\/251\/revisions"}],"predecessor-version":[{"id":713,"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=\/wp\/v2\/posts\/251\/revisions\/713"}],"wp:attachment":[{"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=251"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=251"
},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.itcrumbs.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=251"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}