Re: UserName of the use who last modified a file in Windows

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: "Willy Denoyette [MVP]" <willy.denoyette@xxxxxxxxxx>
Date: Fri, 2 Mar 2007 19:13:44 +0100

"Laura T." <LT@xxxxxxxxxxx> wrote in message news:%23E1%23OGPXHHA.1036@xxxxxxxxxxxxxxxxxxxxxxx

You *could* activate object access auditing and then try to trace the audit events... The audititing system traces the user's SID and the object access. For there you *COULD* in theory to find out who was the last SID manipulating the file.

The audit event 567 can trace that:
"
A permission associated with a handle was used.
Note: A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. "

More of it here and why it's not worth of it (I've tried it):

http://blogs.msdn.com/ericfitz/archive/2006/03/07/545726.aspx

Agreed, that's something you can do on a restricted level, say per file basis or folder (by activating the File auditing) depending on the systems activity (number of users number of file accesses etc.), the problem is that the number of events can be so high, that the security log fills very quickly. Also don't underestimate the performance impact of this, especially on a servers, this kind of auditing is done to find illegal object attempts, not really to audit success attempts.
Willy.

.

References:
- UserName of the use who last modified a file in Windows
  - From: mazen . s . m
- Re: UserName of the use who last modified a file in Windows
  - From: Willy Denoyette [MVP]
- Re: UserName of the use who last modified a file in Windows
  - From: mazen . s . m
- Re: UserName of the use who last modified a file in Windows
  - From: Ignacio Machin \( .NET/ C# MVP \)
- Re: UserName of the use who last modified a file in Windows
  - From: Willy Denoyette [MVP]

Prev by Date: Re: Case Insensitive string comparison
Next by Date: Re: MetaData in .txt and .doc
Previous by thread: Re: UserName of the use who last modified a file in Windows
Next by thread: Re: UserName of the use who last modified a file in Windows
Index(es):
- Date
- Thread

Relevant Pages

RE: Critical Errors in Server Performance Report
... You turn off auditing for the Object Access category and the Directory ... Microsoft CSS Online Newsgroup Support ... This newsgroup only focuses on SBS technical issues. ...
(microsoft.public.windows.server.sbs)
HELP - File Auditing
... not automatically trigger any new "object access" audit ... individual objects for audit events to be logged. ... To enable auditing on a file/directory do the following: ... GPEDIT.msc in that server, ...
(microsoft.public.win2000.security)
Re: Windows 2000 Auditing Object Access
... The default domain controllers policy applies to domain controllers. ... The folder has auditing set but when tested by ... >> Auditing of Object Access to work. ... >> default domain controllers policy and have set auditing on a particular ...
(microsoft.public.windows.server.general)
RE: Critical Errors in Server Performance Report
... Failure Auditing is turned ON, these events will definitely be seen. ... You turn on auditing for the Object Access category and the Directory ... Microsoft CSS Online Newsgroup Support ... Critical Errors in Server Performance Report ...
(microsoft.public.windows.server.sbs)
Re: Software auditing: Which one and who installed it
... There is not built in auditing for such and third party programs may be able ... What may help is to enable auditing of object access via security ... Even if an administrator is installing. ...
(microsoft.public.windowsxp.security_admin)