files monitor

This topic contains 4 replies, has 3 voices, and was last updated by Profile photo of Daniel Krebs Daniel Krebs 2 months, 2 weeks ago.

  • Author
    Posts
  • #70015
    Profile photo of praveen
    praveen
    Participant

    Hi we have created below script to monitor files deleted by users, But it is not showing the user who deleted the file.

    it is showing the users who ran the powershell script.

    i have tried $UserList and $env:username but no luck

    we want exact user who deleted the files. Could you please help me in this

    $folder = 'D:' # Enter the root path you want to monitor.

    $folder = 'E:' # Enter the root path you want to monitor.

    $filter = '*.*' # You can enter a wildcard filter here.

    # In the following line, you can change 'IncludeSubdirectories to $true if required.
    $fsw = New-Object IO.FileSystemWatcher $folder, $filter -Property @{IncludeSubdirectories = $true;NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite'}

    # Here, events are registerd:

    Register-ObjectEvent $fsw Deleted -SourceIdentifier FileDeleted -Action {
    $name = $Event.SourceEventArgs.Name
    $changeType = $Event.SourceEventArgs.ChangeType
    $timeStamp = $Event.TimeGenerated
    Write-Host "The file '$name' was $changeType at $timeStamp" -fore red
    Out-File -FilePath C:\Monitor\FilesDeleted\deletelog.txt -Append -InputObject "The file '$name' was $changeType at $timeStamp $UserList"}

  • #70090
    Profile photo of Don Jones
    Don Jones
    Keymaster

    $env:username is the currently logged-on user. The FileSystemWatcher has nothing to do with it. $UserList isn't a magical, automatically populated variable – it's empty in your case, because you've not put anything into it. I'm not seeing any cases where FileSystemWatcher provides user information.

    https://msdn.microsoft.com/en-us/library/system.io.filesystemeventargs(v=vs.110).aspx lists the available data, which includes change type, full path, and name. Not user.

  • #70116
    Profile photo of Daniel Krebs
    Daniel Krebs
    Moderator

    As far as I know you'll need to enable NTFS file system auditing to capture who has done what.

    Once you've configured it you can access the data via the Windows Security event log. However, it would be best to forward this data to a central logging solution which can analyse these events on the fly.

    • #70213
      Profile photo of praveen
      praveen
      Participant

      Hi Daniel

      If i enable NTFS file system auditing in windows does it shows the username who deleted the files in the log file i have created in powershell script ?

      or does it creates any other log file.

      i have a requirement to show the users in the log file i have created in powershell script

      Could you please guide me what i need to do for the above

      Thanks in advance

    • #70216
      Profile photo of Daniel Krebs
      Daniel Krebs
      Moderator

      The user information is being logged into the Windows Security event log once you enable NTFS file system auditing. Your PowerShell script will need to query the event log instead of using the File System Watcher.

      NTFS file system auditing can be configured very granular to only log events for certain users, groups and actions. Play around with it and see what you get.

      The event ID you need to filter for is 4663. You can find an example script in the following blog post https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/

You must be logged in to reply to this topic.