There’s a nice little feature built into Windows that lets you track when someone views, edits, or deletes something inside a particular folder. So, if there’s a folder or file that you want to know who’s accessing, here’s the built-in method without having to use third-party software.
This feature is actually part of a Windows security feature called Group Policy, used by most IT professionals who manage computers on a corporate network through a server; however, it can also be used locally on a PC without any server. The only downside of using Group Policy is that the editor is not available in the home editions of Windows. For Windows 7, you need Professional, Ultimate, or Enterprise. For Windows 8, you need Pro or Enterprise.
The term Group Policy basically refers to a set of Windows settings, most of them stored in the registry, that can be controlled through a graphical user interface. You turn various settings on or off, and these tweaks are then written to the registry.
In Windows XP, to access the policy editor, click Start and then Run. In the text box, type “gpedit.msc” without quotes as shown below:
In Windows 7, you just click the Start button and type gpedit.msc in the search box at the bottom of the Start Menu. In Windows 8, just go to the Start Screen and start typing, or move your mouse pointer to the top or bottom right of the screen to open the Charms bar and click Search. Then just type gpedit. You should now see something similar to the image below:
There are two main types of policies: User Configuration and Computer Configuration. User Configuration settings apply only to the user who logs on; Computer Configuration settings apply to the machine itself and therefore affect every user. In our case, we want the audit policy to apply to all users, so we’ll expand the Computer Configuration section.
Continue to expand into Windows Settings -> Security Settings -> Local Policies -> Audit Policy. I won’t elaborate much on the other settings here as this mainly focuses on auditing a directory. You should now see a set of policies and their current settings on the right side. The audit policy is what controls whether the operating system records object access at all; the second step below tells it which objects to record.
Now open the setting Audit object access by double-clicking on it and select both Success and Failure. Click OK and we’re done with the first part, telling Windows we want it ready to track changes. The next step is to tell it exactly what we want to track. You can close the Group Policy editor now.
Now navigate in Windows Explorer to the folder that you want to monitor. Right-click on the folder and click Properties. Click the Security tab and you will see something similar to this:
Now click Advanced and click the Auditing tab. This is where we actually configure what we want to monitor for this directory.
Go ahead and click the Add button. A dialog box will appear asking you to select Users or Groups. In the box, enter the word “Users” and click Check Names. The box will automatically update with the name of the Users group local to your computer in the form COMPUTERNAME\Users. Note that this audits only members of that group: access by accounts that are not in it, such as SYSTEM or service accounts, is not recorded. If you want every access recorded regardless of who made it, enter “Everyone” instead.
Click OK and you will get another dialog named “Auditing Entry for X”. This is the real meat of what we want to do. This is where you choose what you want to see for this folder. You can individually select each type of activity that you want to track, such as deleting or creating new files/folders, etc. To make things easier, I recommend choosing Full control, which automatically selects all the other options below. Do this for both Successful and Failed. This way, anything done to that directory or the files within it will be logged. Be aware that Full control also audits reads of attributes and directory listings, which Explorer performs constantly, so the Security log fills quickly; if you only care about changes, select just the create, write, and delete entries instead.
Now click OK, and click OK again and OK again to exit out of the stack of dialog boxes. You have now successfully configured auditing on a directory! So you may ask, how do you view the events?
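The same two steps can be done from an elevated PowerShell prompt, which also works on home editions where gpedit.msc is missing (auditpol.exe and the Security tab are present on every edition). This is an added example, not code from the original article. It assumes the folder from the article’s event, C:\Users\Aseem\Desktop\Tufu, and that you are running as an administrator; the narrower rights list in the comment is a suggestion for reducing noise, not something the article prescribes.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell prompt.
# Folder to watch: taken from the article's sample event; change it to your own path.
$Folder = 'C:\Users\Aseem\Desktop\Tufu'

# Step 1: tell Windows to audit object access. The Local Security Policy setting in the
# article flips the legacy "Object Access" category; auditpol sets the finer-grained
# "File System" subcategory directly, which is the task category the events are tagged with.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
auditpol.exe /get /subcategory:"File System"    # should report "Success and Failure"

# Optional: Full control auditing is chatty, so give the Security log room (256 MB here).
wevtutil.exe sl Security /ms:268435456

# Step 2: add an audit entry (a SACL entry) on the folder, inherited by everything under it.
# "Everyone" rather than the local Users group also records SYSTEM and service accounts.
# To audit only changes, replace FullControl with
#   'CreateFiles, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
$rights   = [System.Security.AccessControl.FileSystemRights]::FullControl
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $propagate, $flags)

$acl = Get-Acl -Path $Folder -Audit     # -Audit is required, or Get-Acl drops the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl   # writing a SACL needs SeSecurityPrivilege (admin)

# Verify the SACL now carries the entry.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Get-Acl without -Audit returns only the DACL, so a Set-Acl afterwards would silently keep the old (empty) audit list; that is the one mistake worth checking for if events never appear.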
To view events, go to Control Panel and click Administrative Tools. Then open Event Viewer. Expand Windows Logs, click Security, and you will see a large list of events on the right side:
If you go ahead and create a file or just open the folder and then click the Refresh button in Event Viewer (the one with two green arrows), you’ll see a bunch of events in the task category File System. These cover any delete, create, read, or write operations on the directories/files that you are auditing. In Windows 7, everything shows up in the File System task category, so to see what happened, you’ll have to click on each one and read through it.
To make it easier to browse through a large number of events, you can set a filter and view only the relevant ones. Click View at the top and click Filter. If there is no Filter option, right-click on the Security log on the left pane and select Filter Current Log. In the Event ID box, enter the number 4656. This is the event “A handle to an object was requested”, logged whenever a program opens one of the audited files, and it gives you the relevant information without having to go through thousands of entries. Two related IDs are worth adding to the same filter: 4663 (“An attempt was made to access an object”), which records the access actually performed on that handle, and 4660 (“An object was deleted”).
If you want more information about an event, just double-click it to view it.
Here is the text of the event from the screen above:
A handle to an object was requested.

Subject:
    Security ID:        Aseem-Lenovo\Aseem
    Account Name:       Aseem
    Account Domain:     Aseem-Lenovo
    Logon ID:           0x175a1

Object:
    Object Server:      Security
    Object Type:        File
    Object Name:        C:\Users\Aseem\Desktop\Tufu\New Text Document.txt
    Handle ID:          0x16a0

Process Information:
    Process ID:         0x820
    Process Name:       C:\Windows\explorer.exe

Access Request Information:
    Transaction ID:     {00000000-0000-0000-0000-000000000000}
    Accesses:           DELETE
                        SYNCHRONIZE
                        ReadAttributes
In the above example, the file being worked on is New Text Document.txt in the Tufu folder on my desktop, and the accesses requested are DELETE followed by SYNCHRONIZE and ReadAttributes. What I did here was delete the file. Here is another example:
    Object Type:        File
    Object Name:        C:\Users\Aseem\Desktop\Tufu\Address Labels.docx
    Handle ID:          0x178

Process Information:
    Process ID:         0x1008
    Process Name:       C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Access Request Information:
    Transaction ID:     {00000000-0000-0000-0000-000000000000}
    Accesses:           READ_CONTROL
                        SYNCHRONIZE
                        ReadData (or ListDirectory)
                        WriteData (or AddFile)
                        AppendData (or AddSubdirectory or CreatePipeInstance)
                        ReadEA
                        WriteEA
                        ReadAttributes
                        WriteAttributes
    Access Reasons:     READ_CONTROL:   Granted by Ownership
                        SYNCHRONIZE:    Granted by D:(A;ID;FA;;;S-1-5-21-597862309-2018615179-2090787082-1000)
As you read through this you can see that I accessed Address Labels.docx using the WINWORD.EXE program. The first accesses listed are READ_CONTROL and SYNCHRONIZE, followed by the read and write accesses Word asked for when opening the document. The Access Reasons section says why each was granted: READ_CONTROL because I own the file, and SYNCHRONIZE because of an inherited allow entry on the file (the D:(A;ID;FA;;;S-1-5-21-...) string is that entry written in SDDL, with FA meaning full access for my account’s SID). In this case, I just opened the file with Word. Keep in mind that 4656 records what the program requested, not what it did: Word asks for write access when it opens a document even if you only read it, so WriteData here does not mean the file changed; the 4663 events tell you which accesses were actually used. It takes a bit of experimentation and reading through the details to understand what’s going on, but once you’ve tested it, it’s a very reliable system. I recommend creating a test folder with a few files and performing different actions to see what shows up in the Event Viewer.
That’s it! A fast and free way to track access to, or changes in, a folder!
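Clicking through events one at a time does not scale once auditing has run for a day, so here is the Event Viewer filter from earlier and the field reading just described done in PowerShell: the script pulls 4656, 4663 and 4660 events for one folder and flattens each to who, which process, which file and which accesses. This is an added example, not code from the original article. It assumes the folder path from the article’s event and an elevated prompt (the Security log is not readable by standard users). The raw event XML stores the access list as %%-codes rather than the names Event Viewer shows; the lookup table below is Microsoft’s documented mapping for events 4656/4663, and any code not in it is printed as-is.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell prompt.
$Folder = 'C:\Users\Aseem\Desktop\Tufu'   # path taken from the article's sample event

# Names Event Viewer renders for the %%-codes found in the raw AccessList field
# (Microsoft's documented mapping for events 4656/4663).
$AccessNames = @{
    '%%1537' = 'DELETE';        '%%1538' = 'READ_CONTROL'; '%%1539' = 'WRITE_DAC'
    '%%1540' = 'WRITE_OWNER';   '%%1541' = 'SYNCHRONIZE';  '%%1542' = 'ACCESS_SYS_SEC'
    '%%4416' = 'ReadData/ListDirectory'; '%%4417' = 'WriteData/AddFile'
    '%%4418' = 'AppendData/AddSubdirectory'; '%%4419' = 'ReadEA'; '%%4420' = 'WriteEA'
    '%%4421' = 'Execute/Traverse'; '%%4422' = 'DeleteChild'
    '%%4423' = 'ReadAttributes';   '%%4424' = 'WriteAttributes'
}

function Get-FolderAuditEvents {
    param([string]$Path, [int]$MaxEvents = 5000)

    # 4656 = handle requested (what the program asked for; the event the article filters on)
    # 4663 = access actually performed on that handle
    # 4660 = object deleted (carries only the handle ID, so it is tied back to a 4656 below)
    $filter = @{ LogName = 'Security'; Id = 4656, 4663, 4660 }
    $raw = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $handleToObject = @{}
    # Oldest first, so that when a handle ID is reused the most recent 4656 wins.
    foreach ($ev in ($raw | Sort-Object TimeCreated)) {
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        if ($ev.Id -eq 4656) { $handleToObject[$d['HandleId']] = $d['ObjectName'] }
        $object = if ($d.ContainsKey('ObjectName')) { $d['ObjectName'] } else { $handleToObject[$d['HandleId']] }
        if (-not $object -or $object -notlike "$Path*") { continue }

        if ($ev.Id -eq 4660) {
            $accessText = 'DELETED'
        } else {
            $codes = @($d['AccessList'] -split '\s+' | Where-Object { $_ })
            $names = foreach ($c in $codes) { if ($AccessNames.ContainsKey($c)) { $AccessNames[$c] } else { $c } }
            $accessText = $names -join ', '
        }

        [pscustomobject]@{
            Time     = $ev.TimeCreated
            Id       = $ev.Id
            User     = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Process  = $d['ProcessName']
            Object   = $object
            Accesses = $accessText
        }
    }
}

Get-FolderAuditEvents -Path $Folder | Format-Table -AutoSize
```

Reading the output for the article’s two examples: the explorer.exe row with DELETE in Accesses is the 4656 that preceded the deletion, and a 4660 row with the same handle confirms the file actually went away; the WINWORD.EXE row lists everything Word asked for, while the matching 4663 rows show which of those accesses it really used.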