May 4, 2017 at 2:49 pm

Hi, we have created the below script to monitor files deleted by users, but it is not showing the user who deleted the file.

It is showing the user who ran the PowerShell script.

I have tried $UserList and $env:username but no luck.

We want the exact user who deleted the files. Could you please help me with this?

$folder = 'D:' # Enter the root path you want to monitor.
$folder = 'E:' # This second assignment overrides the one above; one FileSystemWatcher monitors a single root.
$filter = '*.*' # You can enter a wildcard filter here.

# In the following line, you can change IncludeSubdirectories to $true if required.
$fsw = New-Object IO.FileSystemWatcher $folder, $filter -Property @{IncludeSubdirectories = $true; NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite'}

# Here, events are registered:
Register-ObjectEvent $fsw Deleted -SourceIdentifier FileDeleted -Action {
    $name = $Event.SourceEventArgs.Name
    $changeType = $Event.SourceEventArgs.ChangeType
    $timeStamp = $Event.TimeGenerated
    Write-Host "The file '$name' was $changeType at $timeStamp" -ForegroundColor Red
    # $UserList is never assigned anywhere in this script, so it expands to an empty string here.
    Out-File -FilePath C:\Monitor\FilesDeleted\deletelog.txt -Append -InputObject "The file '$name' was $changeType at $timeStamp $UserList"
}

May 4, 2017 at 2:57 pm

$env:username is the currently logged-on user. The FileSystemWatcher has nothing to do with it. $UserList isn't a magical, automatically populated variable – it's empty in your case, because you've not put anything into it. I'm not seeing any cases where FileSystemWatcher provides user information.

https://msdn.microsoft.com/en-us/library/system.io.filesystemeventargs(v=vs.110).aspx lists the available data, which includes change type, full path, and name. Not user.

May 4, 2017 at 3:21 pm

As far as I know you'll need to enable NTFS file system auditing to capture who has done what.

https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/

Once you've configured it you can access the data via the Windows Security event log. However, it would be best to forward this data to a central logging solution which can analyse these events on the fly.

May 5, 2017 at 10:20 am

Hi Daniel

If I enable NTFS file system auditing in Windows, does it show the username who deleted the files in the log file I have created in the PowerShell script?

Or does it create another log file?

I have a requirement to show the users in the log file I have created in the PowerShell script.

Could you please guide me on what I need to do for the above?

Thanks in advance

May 5, 2017 at 10:36 am

The user information is being logged into the Windows Security event log once you enable NTFS file system auditing. Your PowerShell script will need to query the event log instead of using the File System Watcher.

NTFS file system auditing can be configured very granularly to only log events for certain users, groups and actions. Play around with it and see what you get.

The event ID you need to filter for is 4663. You can find an example script in the following blog post: https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/
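The approach described in the answer above, as an added example that is not part of the thread or the linked blog post: once NTFS auditing is enabled (the Audit File System subcategory plus a SACL on the watched folder), the script reads 4663 events from the Security log instead of using FileSystemWatcher and appends the account name to the poster's log file. The log path, watched root and look-back window are assumptions; the script must run with rights to read the Security log (for example elevated).

```powershell
# Added example, not code from the thread. Assumes NTFS auditing is already enabled
# on $WatchRoot and that this session can read the Security log.
$LogFile   = 'C:\Monitor\FilesDeleted\deletelog.txt'
$WatchRoot = 'E:\'
$Since     = (Get-Date).AddMinutes(-10)   # look-back window for this run

# 4663 = "An attempt was made to access an object"; DELETE shows up in AccessMask.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # The user, object and access fields live in the EventData section of the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # AccessMask is a hex string such as 0x10000; bit 0x10000 is the DELETE right.
    $mask = [Convert]::ToInt64($data['AccessMask'], 16)
    if (-not ($mask -band 0x10000)) { continue }
    if ($data['ObjectName'] -notlike "$WatchRoot*") { continue }

    $line = "{0} {1}\{2} deleted '{3}' via {4}" -f $e.TimeCreated,
        $data['SubjectDomainName'], $data['SubjectUserName'],
        $data['ObjectName'], $data['ProcessName']
    Write-Host $line -ForegroundColor Red
    Add-Content -Path $LogFile -Value $line
}
```

Event 4663 records that delete access was requested on the handle; Windows also writes event 4660 ("An object was deleted") with the same HandleId when the file is actually removed, which can be correlated if a confirmed deletion rather than a delete-access request is required.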