How can I figure out which user modified a file?

The GetFileTime function will tell you when a file was last modified, but it won't tell you who did it. Neither will FindFirstFile, GetFileAttributes, ReadDirectoryChangesW, or FileSystemWatcher.

None of these file system functions will tell you which user modified a file, because the file system doesn't keep track of that. But somebody does keep track: the security event log.

To get an event into the security event log when a file is modified, you first need to enable auditing on the system. In the Local Security Policy administrative tool, go to Local Policies, then double-click Audit Policy. (These steps haven't changed since Windows 2000; the only thing that moves around is the Administrative Tools folder.) Under Audit object access, check Success (an audited security access attempt that succeeds) to say that you want an audit record raised whenever access is successfully granted. On a domain-joined machine, Group Policy can set this value and will periodically reapply it; if your local change keeps disappearing, that is where to look.

Once auditing is enabled, you can mark the files whose modifications you want to track. On the Security tab of each file you are interested in, click Advanced, go to the Auditing page, and select Add to add the user you want to audit. If you want to audit all accesses, choose Everyone; if you are only interested in a specific user or in users in specific groups, enter that user or group.

After specifying whose access you want to monitor, you can select what actions should generate security events. In this case, you want to check the Successful box next to Create files / write data. This means "Generate a security event when the user requests and obtains permission to create a file (if this object is a directory) or write data (if this object is a file)."

If you want to monitor an entire directory, you can set the audit on the directory itself and specify that the audit should apply to objects within the directory as well.

After you've set up your audits, you can view the results in Event Viewer, under Windows Logs, Security.
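The same procedure done from an elevated PowerShell prompt, as an added example that is not part of the original post. It assumes Windows 7 / Server 2008 R2 or later, that no Group Policy overrides the local audit setting, and a placeholder path C:\Data\important.txt; the Get-FileAuditEvent function name is mine. Step 3 reads event 4663 ("An attempt was made to access an object"), which records the account, the object, the access requested and the process that did it.

```powershell
# Added example, not from the original post. Run elevated: reading and
# writing a SACL needs SeSecurityPrivilege. Placeholder path below.
$path = 'C:\Data\important.txt'

# Step 1: command-line equivalent of ticking Success under
# "Audit object access" (the advanced subcategory is "File System").
auditpol.exe /set /subcategory:"File System" /success:enable

# Step 2: the audit entry. WriteData is "Create files / write data";
# Delete is included so the same entry also records deletion of this file.
# For a directory, use the constructor overload that takes InheritanceFlags
# and PropagationFlags so the entry applies to objects within it.
$acl  = Get-Acl -Path $path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'WriteData, Delete',
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Step 3: later, pull the audit records for this object out of the
# Security log. The fields are read from the event XML by name rather
# than by position, so the code does not depend on property ordering.
function Get-FileAuditEvent {
    param([string]$ObjectPath, [int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Process = $data.ProcessName
                Access  = $data.AccessMask
                Object  = $data.ObjectName
            }
        } |
        Where-Object { $_.Object -eq $ObjectPath }
}

Get-FileAuditEvent -ObjectPath $path | Format-Table -AutoSize
```

The access mask in 4663 is the access that was exercised on the handle, so 0x2 (FILE_WRITE_DATA) or 0x10000 (DELETE) on the target path is the line you are after. If nothing shows up, check `auditpol /get /subcategory:"File System"` first; a Group Policy refresh silently turning the setting back off is the most common cause.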

This technique of using auditing to track who is generating modifications also works for registry keys: in Registry Editor, select the key, then under the Edit menu select Permissions, click Advanced, and use the Auditing tab.

Exercise: You're trying to debug a problem where a file gets deleted mysteriously, and you're not sure which program is doing it. How can you use this technique to log an event when that specific file gets deleted?

Comments (20)
  1. Entegy says:

    I went to go look at the setting to attempt to do the exercise and found out I may have some inadvertent GPO settings preventing me from setting these on a local machine. So thanks Raymond for pointing something out that might be set incorrectly in my org :P

  2. Hello71 says:

    You be lazy and fire up Process Monitor.

  3. A. Skrobov says:

    Answer for Exercise: enable write audit on the parent directory (deleting a file == updating the directory)

  4. Install a file system filter driver that breaks into kd when a filename matching a desired pattern is deleted.

  5. Joshua says:

    Wouldn't it be easier to use FileMon?

    [If the problem is "At some unpredictable time during the next month, the file will be mysteriously deleted," then keeping FileMon running for months on end is a little less convenient. -Raymond]
  6. henke37 says:

    Is it "keep opening and closing it in a tight loop and throw up a MessageBox when the opening fails?"

  7. Gabe says:

    Auditing will tell you who opened the file, not who modified it, so it may be misleading. It should be fine for finding out who deleted a file, though, because the last person who opened a file for delete access is almost certainly the person who deleted it.

  8. John says:

    The exercise asks "which program" is doing the modification.  Does the audit log the name of the program in addition to the user?

  9. Nik says:

    I tried this, but I'm not seeing the expected events in Event Viewer. I'm looking under "Windows Logs/Security". I can see lots of other audit events there, but nothing related to the folder on which I set the audit entries: "Everyone", "Successful", "Create files/write data", "Create folders/append data".

    Am I looking in the right place in Event Viewer ?

  10. Nik says:

    I guess it's not working for me because something keeps resetting the "Audit object access" setting in Local Security Policy. Maybe some kind of group policy thing (it's a domain-joined machine)

  11. Pavel Kostromitinov says:

    Exercise answer – either write audit on a containing directory (may contain too many entries though), or set Deny Delete permission for everyone and audit for delete failure.

  12. ErikF says:

    For the exercise question, you'll probably also have to set up service accounts. Otherwise, if a service is deleting the file, the audit entry will only indicate that "Network Service", "Local Service" or "Local System" did it (not overly useful in my books.)

  13. gibwar says:

    I answered a question just like this about a year and a half ago at…/57787. It's nice to see that I was pretty much correct in my answer!

  14. Danny says:

    Using this (IPSec / Event viewer) to verify who (user / program) modified (deleted / updated / created) whatever (folders / files) in order to see if you got malware (rootkit / virus / trojan / worm etc) is pretty much useless. First the amount of events is humanly impossible to handle, second if you don't audit everything for everyone you simply might miss what you hunt. Catch 22. I agree that the combination of IPSec + Event viewer is a great tool for this and covers everything but simply is too much for a mere human. I will simply put up with this for 20 more years when current brain mapping power supercomputers will become desktop computers in price and run an AI OS that will have my blessing to keep bad guys away. The future is cyber-war, all around, in every room. Oh, and in 40 years, when 20 years from now supercomputers will become user accessible, we shall see the rise of Skynet :D.

    [This technique is not for detecting malware. Malware always pwns the machine, so you have no guaranteed way of catching it from within the system. This is to catch things like that monthly scheduled task that cleans up old crash dump files, and it has a bug where it's deleting these other files by mistake. -Raymond]
  15. Danny says:

    "This technique is not for detecting malware". Should have been <This technique's primary goal is not for detecting malware> because I do use it for precisely that, but it is soooo damn hard, I literally sleep like a bear in the winter after a day trying to catch a new malware that the anti-virus and all other protection programs fail to detect. When that software fails to detect a new threat the only tool you've got is IPSec/Event viewer. Period. Don't get me wrong Ray, it's a very good tool, but its most valuable piece (detecting everything, 100%, nothing gets under the radar) is also the most tiring from a human perspective. All I am asking is for a little help here from Microsoft – all that money they invested in the past years, buying RAV technology to develop its own virus protection, deploying Genuine components and so much, just a little part of the money could be poured into making Event viewer a bit friendlier from a developer perspective. Let's face it, it does not need to be pretty, and it is an Administrative Tool, so the average user does not need to fully understand its capabilities, but for the rest of us, the 10% of the population that gets called by friends / family, for us the ones who do use it, make it SQL friendly. The current filtering / grouping of the events is way too hard. Implement some sort of SQL in it as well, make it under some "advanced use" where you can type in SQL commands and have the results you want. Implement only SELECT, and it would be a huge step.

    Yes, I know you are not in that team, but let's face it, it would be treated differently if such a request came from you than if it came from opening a ticket by an outsider like me.

  16. Joker_vD says:

    @Danny: Have you tried PowerShell's Get-Eventlog cmdlet? PowerShell also has Where-Object, Select-Object cmdlets with handy aliases "where" and "select". Pipe it together, write some queries and scripts, you're a programmer, right?

  17. Danny says:

    Right. OK, ty for the tip, I'll check it.

  18. Killer{R} says:

    Just deny 'delete' permission for everyone and leave the happy user as Bruce Willis leaves the aircraft

  19. cheong00 says:

    That means there's no way to get "who modified the files" for Home SKUs of Windows.
