Ask : Add username in file auditing report


This topic contains 3 replies, has 2 voices, and was last updated by

1 year, 10 months ago.

  • Author
  • #70177

    Points: 0
    Rank: Member

    Hi guys, I just started to learn PowerShell, and I got a very good script from some source to make a report, to watch for and report file changes using PowerShell.

    Here is the script:

    # CLI params for starting and stopping the watcher
    param (
        [switch]$start = $false,
        [switch]$stop = $false
    )

    Function Register-Watcher {
        # Folder to watch
        param ($watchdir)

        $watchdir = "C:\Users\$env:USERNAME\Documents" # Root path to monitor
        $logfile = "c:\Users\$env:USERNAME\logfile.txt"

        # Filter all files and subdirectories
        $filter = "*.*"
        $watcher = New-Object IO.FileSystemWatcher $watchdir, $filter -Property @{
            IncludeSubdirectories = $true
            EnableRaisingEvents = $true
        }

        # Create the log file if it doesn't exist
        if (!(Test-Path "$logfile")) {
            New-Item -path "$logfile" -type file | Out-Null
        }

        # Define the FS watching behavior
        $action = {
            $path = $Event.SourceEventArgs.FullPath
            $name = $Event.SourceEventArgs.Name
            $changeType = $Event.SourceEventArgs.ChangeType
            $timeStamp = $Event.TimeGenerated
            #$console_message = "The file '$name' was '$changeType' at '$timeStamp'"
            #Write-Host $console_message
            $log_message = "$name, $changeType, $timeStamp"
            Out-File "C:\Users\$env:USERNAME\logfile.txt" -Append -InputObject $log_message
        }

        # Register the FS watcher (one subscription per event type)
        Register-ObjectEvent $watcher Created -SourceIdentifier Created -Action $action
        Register-ObjectEvent $watcher Changed -SourceIdentifier Changed -Action $action
        Register-ObjectEvent $watcher Deleted -SourceIdentifier Deleted -Action $action
        Register-ObjectEvent $watcher Renamed -SourceIdentifier Renamed -Action $action
    }

    # Unregister the FS watcher
    Function Unregister-Watcher() {
        Unregister-Event Created
        Unregister-Event Changed
        Unregister-Event Deleted
        Unregister-Event Renamed
    }

    Function Main() {

        # Start the watcher
        if ($start) {
            Write-Host "Starting FS watcher" -fore green
            Register-Watcher $watchdir
        }
        # Stop the watcher
        elseif ($stop) {
            Write-Host "Stopping FS watcher" -fore red
            Unregister-Watcher
        }
        # Otherwise error
        else {
            Write-Host "Invalid arguments"
            Write-Host $args.Length
        }
    }

    # Script entrypoint
    Main

    The thing is, the report didn't show the user who made the file change.
    Can you all help with what command I need to use so the report also shows the username of who made the change to the file, please?

    Thanks in advance.

  • #70185

    Points: 24
    Team Member
    Rank: Member

    You'll need to enable NTFS file system auditing to get user details. Once enabled you can get the information from the Windows Security event log and forward it to a central log collector to analyse. Much more reliable than running a file system watcher via PowerShell or C# because NTFS file system auditing is embedded into the NTFS file system driver of Windows.

  • #70279

    Points: 0
    Rank: Member

    Hi Daniel,
    I've already set up the file auditing that you mentioned, so the event log shows me if there is a change in some directory,
    but I want to make a report and save it into a .txt file.

    Here is the example when I run the script above:
    report in txt

    But in that file there is no username of who did the audit.
    Can you give advice on how to do that, please?

  • #70288

    Points: 24
    Team Member
    Rank: Member

    You'll need to extract the SubjectUserName and SubjectDomainName in the XML data of the event log entry.
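
What the last reply describes, as an added example that is not part of the original thread: parse the event's XML, pull `SubjectUserName` and `SubjectDomainName` out of `EventData`, and write a report line in the same style as the watcher's log. It assumes the audit entries are event ID 4663 in the Security log; the function names and the sample event with its values are constructed for illustration.

```powershell
# Added example: read the user out of a file-audit event's XML.
function ConvertFrom-FileAuditXml {
    param ([Parameter(Mandatory)][string]$EventXml)

    $evt = ([xml]$EventXml).Event
    # EventData is a flat list of <Data Name="...">value</Data>; index it by name
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated = [datetime]$evt.System.TimeCreated.SystemTime
        User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Path        = $data['ObjectName']
        AccessMask  = $data['AccessMask']
        Process     = $data['ProcessName']
    }
}

# Live use: needs an elevated session and NTFS auditing enabled on the folder.
# Event ID 4663 is an assumption; adjust it to the audit events you collect.
function Export-FileAuditReport {
    param ([string]$LogFile = "C:\Users\$env:USERNAME\logfile.txt", [int]$MaxEvents = 200)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-FileAuditXml $_.ToXml() } |
        ForEach-Object { '{0}, {1}, {2}, {3}' -f $_.User, $_.Path, $_.AccessMask, $_.TimeCreated } |
        Out-File $LogFile -Append
}

# Constructed sample event (trimmed to the fields used above) so the parser runs offline
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4663</EventID>
    <TimeCreated SystemTime="2024-01-15T09:30:00.0000000Z" />
  </System>
  <EventData>
    <Data Name="SubjectUserName">alice</Data>
    <Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="ObjectName">C:\Users\alice\Documents\report.docx</Data>
    <Data Name="AccessMask">0x2</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@

ConvertFrom-FileAuditXml $sample | Format-List
```

`Export-FileAuditReport` is defined but not called, so the block runs without touching the Security log; call it from an elevated prompt to append real entries to the report file.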

The topic ‘Ask : Add username in file auditing report’ is closed to new replies.
