Windows Auditing to Monitor File or Folder Changes

Issue

How to use Windows Auditing to determine which user, group, or program made changes to a file or folder

 

Cause

Windows Auditing is a feature built into Windows that can be used to monitor access to a file or folder over a long period of time with very little overhead. When Windows Auditing detects that the file or folder has been accessed, it writes an event to the Event Viewer Security log.

 

Solution

To turn on Windows Auditing:

1. Run secpol.msc to open the Local Security Policy Management Console


2. If a User Access Control (UAC) prompt appears, Click Continue. If prompted for an administrator password or confirmation, type the password or provide confirmation.


3. In the left pane, double-click Local Policies, and select Audit Policy.


4. Double-click Audit object access.


5. Check the Success and Failure check boxes, and click OK.

To allow Windows Auditing to monitor which user, group, or program made changes to a file or folder:

1. Right-click the file for folder that will be monitored, and click Properties.


2. Select the Security tab | Advanced | Auditing tab.


3. If a User Access Control (UAC) prompt appears, Click Continue. If prompted for an administrator password or confirmation, type the password or provide confirmation.


4. Click Add.


5. In the Enter the object name to select box, add the Everyone group.


6. Click OK in each of the four open dialog boxes.


7. Check the check boxes for Create Files/Write Data and Create Folders/AppendData
    
8. Click OK.

 

Level of Complexity 

Moderate

 

Applies to  

Product	Version	Build	Environment	Hardware
Kofax VRS	5.2 5.1.2 5.1.1 5.1	ALL	ALL	N/A
Kofax Express	3.3 3.2 3.1	ALL	ALL	N/A
Kofax Capture	11.1 11.0 10.2 10.1 10.0	ALL	ALL	N/A

References

• Create a basic audit policy for an event category - Microsoft Docs
• Apply a basic audit policy on a file or folder - Microsoft Docs

 

Article # 3040239