Skip to main content
Kofax

Windows Auditing to Monitor File or Folder Changes

3024887
3024887

Question / Problem: 

How to use Windows Auditing to determine which user, group, or program made changes to a file or folder

Answer / Solution: 

Windows Auditing is a feature built into Windows that can be used to monitor access to a file or folder over a long period of time with very little overhead. When Windows Auditing detects that the file or folder has been accessed, it writes an event to the Event Viewer Security log.

To turn on Windows Auditing:

  1. Run secpol.msc to open the Local Security Policy Management Console

  2. If a User Access Control (UAC) prompt appears, Click Continue. If prompted for an administrator password or confirmation, type the password or provide confirmation.

  3. In the left pane, double-click Local Policies, and select Audit Policy.

  4. Double-click Audit object access.

  5. Check the Success and Failure check boxes, and click OK.


To allow Windows Auditing to monitor which user, group, or program made changes to a file or folder:

  1. Right-click the file for folder that will be monitored, and click Properties.

  2. Select the Security tab | Advanced | Auditing tab.

  3. If a User Access Control (UAC) prompt appears, Click Continue. If prompted for an administrator password or confirmation, type the password or provide confirmation.

  4. Click Add.

  5. In the Enter the object name to select box, add the Everyone group.

  6. Click OK in each of the four open dialog boxes.

  7. Check the check boxes for Create Files/Write Data and Create Folders/Append Data
     
  8. Click OK.

 

Applies to:  

Product Version
CAPTURE 11.0
EXPRESS 3.2
KFS 4.1
  4.3
VRS 4.5
  5.1
  5.1.1
  5.1.2
  5.2

 

 

  • Was this article helpful?