Author Posts

May 5, 2017 at 2:47 am

hi guys just started to learn using powershell, and i got a very good script from some source to make a report to watch for and report file changes using powershell,

here the script,

# CLI params for starting and stoppping the watcher
param (
[switch]$start = $false,
[switch]$stop = $false

Function Register-Watcher {
# Folder to watch
param ($watchdir)

$watchdir = "C:\Users\$env:USERNAME\Documents" # Root path to monitor
$logfile = "c:\Users\$env:USERNAME\logfile.txt"

# Filter all files and subdirectories
$filter = "*.*"
$watcher = New-Object IO.FileSystemWatcher $watchdir, $filter -Property @{
IncludeSubdirectories = $true
EnableRaisingEvents = $true

# Create the log file if it doesn't exist
if (!(Test-Path "$logfile")) {
New-Item -path "$logfile" -type file | Out-Null

# Define the FS watching behvior
$action = {
$path = $Event.SourceEventArgs.FullPath
$name = $Event.SourceEventArgs.Name
$changeType = $Event.SourceEventArgs.ChangeType
$timeStamp = $Event.TimeGenerated
#$console_message = "The file '$name' was '$changeType' at '$timeStamp'"
#Write-Host $console_message
$log_message = "$name, $changeType, $timeStamp"
Out-File "C:\Users\$env:USERNAME\logfile.txt" -Append -InputObject $log_message

# Register the FS watcher
Register-ObjectEvent $watcher Created -SourceIdentifier Created -Action $action
Register-ObjectEvent $watcher Changed -SourceIdentifier Changed -Action $action
Register-ObjectEvent $watcher Deleted -SourceIdentifier Deleted -Action $action
Register-ObjectEvent $watcher Renamed -SourceIdentifier Renamed -Action $action


# Unregister the FS watcher
Function Unregister-Watcher() {
Unregister-Event Created
Unregister-Event Changed
Unregister-Event Deleted
Unregister-Event Renamed

Function Main() {

# Start the watcher
if ($start) {
Write-Host "Starting FS watcher" -fore green
Register-Watcher $watchdir
# Stop the watcher
elseif ($stop) {
Write-Host "Stopping FS watcher" -fore red
# Otherwise error
else {
Write-Host "Invalid arguments"
Write-Host $args.Length

# Script entrypoint

the thing is, the report is didn't show the user who do the file change,
can all you help what command need to use so the report also show the username who did the change to the file please.

thank in advance

May 5, 2017 at 6:00 am

You'll need to enable NTFS file system auditing to get user details. Once enabled you can get the information from the Windows Security event log and forward it to a central log collector to analyse. Much more reliable than running a file system watcher via PowerShell or C# because NTFS file system auditing is embedded into the NTFS file system driver of Windows.

May 8, 2017 at 6:01 am

hi daniel,
i've allready set the file auditing that your said, so event log show me if there a change in some directory,
but i want to make a report and save it into .txt file,

here the example when i run script above
report in txt

but in that file is there is no username who did the audit.
can you give an advice how to do that please?

May 8, 2017 at 11:39 am

You'll need to extract the SubjectUserName and SubjectDomainName in the XML data of the event log entry.