Windows has a nice little feature that lets you keep track of when someone is viewing, editing, or deleting something inside a specified folder. So if there is a folder or file that you want to know who is accessing, then this is a built-in method without using third-party software.
This feature is actually part of a Windows security feature called Group Policy that is used by most IT professionals who manage computers on a corporate network through servers, however it can also be used locally on PCs without any servers. The only downside to using Group Policy is that it is not available in earlier versions of Windows. Windows 7 requires Windows 7 Professional or higher. For Windows 8, you need Pro or Enterprise.
The term Group Policy basically refers to a set of registry settings that can be managed through a graphical user interface. You enable or disable various settings and these changes are then updated in the Windows registry.
In Windows XP, to go to the Policy Editor, click Start and then Run. In the text box, enter “gpedit.msc” without quotes, as shown below:
In Windows 7, you just click the Start button and type gpedit.msc into the search box at the bottom of the Start menu. In Windows 8, simply go to the Start screen and start typing, or move your mouse cursor to the upper or lower right corner of the screen to open the charms bar and click Search. Then just type gpedit. You should now see something similar to the image below:
There are two main categories of policies: user and computer. As you might have guessed, user policies control the settings for each user, whereas the computer settings will be system wide and will affect all users. In our case, we want our settings to be for all users, so we’ll expand the Computer Configuration section.
Continue expanding to Windows Settings Security Settings Local Policies Audit Policy. I won’t explain most of the other settings here, as they are primarily focused on auditing a folder. You will now see a set of policies and their current settings on the right side. Audit policy is what controls whether the operating system is configured and ready to track changes.
Now check the Audit Object Access setting by double clicking it and selecting both Success and Failure. Click OK and we are now done with the first part, which tells Windows that we want it to be ready to track changes. Now the next step is to say EXACTLY what we want to track. You can now close the Group Policy Console.
Now navigate to the folder using Windows Explorer that you want to monitor. In File Explorer, right-click the folder and select Properties. Click the Security tab and you should see something similar to this:
Now click the Advanced button and go to the Auditing tab. This is where we will configure what we want to track for this folder.
Go ahead and click the Add button. A dialog box appears asking you to select a user or group. In the box, enter the word “users” and click Check Names. The field will automatically display the name of the local users group for your computer in the form COMPUTERNAME Users.
Click OK and now you will see another dialog box titled “Audit Entry for X”. This is the real essence of what we wanted to do. This is where you choose what you want to watch for this folder. You can individually choose what types of actions you want to track, such as deleting or creating new files / folders, etc. To make things easier, I suggest choosing “Full Control”, which will automatically select all the other options below it. Do it for success and failure. This way, whatever is done with that folder or files in it, you will have a record.
Now click OK, then OK again and OK again to exit out of the many dialog boxes. And now you have successfully configured auditing for the folder! You may ask, how do you look at events?
To view the events, you need to go to the control panel and click “Administration”. Then open the Event Viewer. Click on the “Security” section and you will see a large list of events on the right:
If you create a file or simply open a folder and click the Refresh button in the Event Viewer (the button with two green arrows), you will see a group of events in the file system category. They refer to any delete, create, read and write operations on folders / files that you check. In Windows 7, everything now appears under the File System task category, so to see what happened, you have to click on each one and scroll through it.
To make it easier to view so many events, you can set a filter and just see the important things. Click the View menu at the top and click Filter. If there is no Filter option, right-click the security log on the left page and select Filter Current Log. In the Event ID field, enter 4656. This event, associated with a specific user performing a file system action, will provide you with relevant information without having to view thousands of records.
If you would like more information about an event, just double click to view it.
This is the information from the screen above:
An object descriptor was requested.
Subject:
Security ID: Aseem-Lenovo Aseem
Account Name: Aseem
Account Domain: Aseem-Lenovo
Login ID: 0x175a1
Object:
Object Server: Security
Object Type: File
Object Name: C : Users Aseem Desktop Tufu New Text Document.txt
Descriptor ID: 0x16a0
Process Information:
Process ID: 0x820
Process Name: C: Windows explorer.exe
Access request information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Access: DELETE
SYNCHRONIZE
ReadAttributes
In the example above, the file I was working on was New Text Document.txt in the Tufu folder on my desktop, and the access I requested was DELETE followed by SYNCHRONIZE. I deleted the file. Here’s another example:
Object type: file
Object name: C: Users Aseem Desktop Tufu Address Labels.docx
Descriptor ID: 0x178
Process Information:
Process ID: 0x1008
Process Name: C: Program Files (x86) Microsoft Office Office14 WINWORD .EXE
Access request information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Access: READ_CONTROL
SYNCHRONIZATION
ReadData (or ListDirectory)
WriteData (or AddFile)
< em> AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes < br /> Record Attributes
Reasons for Access: READ_CONTROL: Proprietary
SYNCHRONIZE: Granted D: (A; ID; FA ;;; S-1-5-21-597862309-2018615179-2090787082 – 1000)
As you read this, you can see that I accessed Address Labels.docx using the WINWORD.EXE program, and my calls included READ_CONTROL, and my reasons for accessing were READ_CONTROL as well. Usually you will see a few sub-accesses, but just focus on the first one as this is usually the main access type. In this case, I just opened the file in Word. It takes a little testing and reading the events to figure out what’s going on, but once you figure it out, it’s a very robust system. I suggest creating a test file folder and following various steps to see what is displayed in the event viewer.
That’s all! A fast and free way to track access to a folder or changes in it!
–