{"id":4623,"date":"2013-04-18T07:00:00","date_gmt":"2013-04-18T07:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2013\/04\/18\/how-can-i-figure-out-which-user-modified-a-file\/"},"modified":"2013-04-18T07:00:00","modified_gmt":"2013-04-18T07:00:00","slug":"how-can-i-figure-out-which-user-modified-a-file","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20130418-00\/?p=4623","title":{"rendered":"How can I figure out which user modified a file?"},"content":{"rendered":"<p>The <code>Get&shy;File&shy;Time<\/code> function will tell you <i>when<\/i> a file was last modified, but it won&#8217;t tell you who did it. Neither will <code>Find&shy;First&shy;File<\/code>, <code>Get&shy;File&shy;Attributes<\/code>, or <code>Read&shy;Directory&shy;ChangesW<\/code>, or <code>File&shy;System&shy;Watcher<\/code>.<\/p>\n<p> None of these file system functions will tell you which user modified a file because the file system doesn&#8217;t keep track of which user modified a file. But there is somebody who <i>does<\/i> keep track: The security event log. <\/p>\n<p> To generate an event into the security event log when a file is modified, you first need to enable auditing on the system. In the <i>Local Security Policy<\/i> administrative tool, go to <i>Local Policies<\/i>, and then double-click <i>Audit Policy<\/i>. (These steps haven&#8217;t changed <a href=\"http:\/\/support.microsoft.com\/kb\/300549\"> since Windows&nbsp;2000<\/a>; the only thing is that the Administrative Tools folder <a href=\"http:\/\/support.microsoft.com\/kb\/310399\"> moves around a bit<\/a>.) Under <i>Audit Object Access<\/i>, say that you want an audit raised when access is successfully granted by checking <i>Success (An audited security access attempt that succeeds)<\/i>. <\/p>\n<p> Once auditing is enabled, you can then mark the files that you want to track modifications to. 
On the <i>Security<\/i> tab of each file you are interested in, go to the <i>Auditing<\/i> page, and select <i>Add<\/i> to add the user you want to audit. If you want to audit all accesses, then you can choose <i>Everyone<\/i>; if you are only interested in auditing a specific user or users in specific groups, you can enter the user or group. <\/p>\n<p> After specifying whose access you want to monitor, you can select what actions should generate security events. In this case, you want to check the <i>Successful<\/i> box next to <i>Create files \/ write data<\/i>. This means &#8220;Generate a security event when the user requests and obtains permission to create a file (if this object is a directory) or write data (if this object is a file).&#8221; <\/p>\n<p> If you want to monitor an entire directory, you can set the audit on the directory itself and specify that the audit should apply to objects within the directory as well. <\/p>\n<p> After you&#8217;ve set up your audits, you can view the results in <i>Event Viewer<\/i>. <\/p>\n<p> This technique of using auditing to track who is generating modifications also works for registry keys: Under the <i>Edit<\/i> menu, select <i>Permissions<\/i>. <\/p>\n<p> <b>Exercise<\/b>: You&#8217;re trying to debug a problem where a file gets deleted mysteriously, and you&#8217;re not sure which program is doing it. How can you use this technique to log an event when that specific file gets deleted? <\/p>\n","protected":false},"excerpt":{"rendered":"<p>The Get&shy;File&shy;Time function will tell you when a file was last modified, but it won&#8217;t tell you who did it. Neither will Find&shy;First&shy;File, Get&shy;File&shy;Attributes, or Read&shy;Directory&shy;ChangesW, or File&shy;System&shy;Watcher. 
None of these file system functions will tell you which user modified a file because the file system doesn&#8217;t keep track of which user modified a [&hellip;]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-4623","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"<p>The Get&shy;File&shy;Time function will tell you when a file was last modified, but it won&#8217;t tell you who did it. Neither will Find&shy;First&shy;File, Get&shy;File&shy;Attributes, or Read&shy;Directory&shy;ChangesW, or File&shy;System&shy;Watcher. None of these file system functions will tell you which user modified a file because the file system doesn&#8217;t keep track of which user modified a [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/4623","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=4623"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/4623\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=4623"}],"wp:term":[{"taxonomy":"category","embeddable":true,"
href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=4623"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=4623"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}