Using PowerShell for File and Folder Auditing

Often, and especially in enterprise environments, it is useful to keep track of certain activities: when files were modified, who modified them, and at what time. This is the basis of file auditing, and in this post we will cover the basics of setting up file and folder auditing in Windows environments using PowerShell.

Enable File and Folder Auditing

File auditing is a big box to check off the list in enterprise environments. It shows auditors a very nice trail of who has accessed files and at what times. It is also very nice to have a record of when files were deleted and by whom. In the case where somebody comes and asks if you can recover a file, you can just go look at your audit logs and reports to determine when the file was deleted, then you can use your favorite backup and restore tool to go back to a date previous to when the file deletion occurred and grab it.

The method I’m using for turning on file and folder auditing was adapted from this guide.

Open Administrative Tools (via Windows search or by navigating through Control Panel), click “Local Security Policy” -> expand “Local Policies” -> “Audit Policy” -> select “Audit object access” and choose Success and Failure, then click Apply and OK.


When it’s done it should look similar to the following screenshot:

[Screenshot: Local Security Policy with “Audit object access” set to Success and Failure]

Configure Auditing

Now that the file and folder security policy has been configured globally, you can apply it to specific files and folders.

This step requires admin privileges. Choose the folder to enable auditing for, right click -> Properties -> open the “Security” tab -> click “Advanced” -> open the “Auditing” tab. It should bring you to a screen similar to the following.

[Screenshot: Advanced Security Settings, Auditing tab]

Click “Continue.” Choose EVERYONE as the Principal here; this ensures that access by every user is audited. The entry can be scoped to specific groups instead, but in this example I’m keeping things simple.

[Screenshot: Auditing Entry with Principal set to Everyone, Type set to All]

Note that “Type” is set to All. You can audit Success, Fail, or both; both is what we want in this example. Also change “Applies to” to “This folder, subfolders and files” so that everything in the example folder is audited.
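The two GUI steps above (the global audit policy and the per-folder audit entry) can also be applied from an elevated PowerShell prompt. The following is an added example, not a script from the original post; `$Folder` is an assumption, and the rights audited (`Modify,Delete`) are my choice, since the post does not name specific rights.

```powershell
# Added example: apply the post's two auditing settings from an elevated PowerShell prompt.
# $Folder is an assumption; point it at the folder you want audited.
$Folder = 'C:\Audit\Watched'

# 1) Local Security Policy -> Audit Policy -> "Audit object access": Success and Failure.
#    auditpol is the command-line equivalent of that GUI step.
auditpol /set /category:"Object Access" /success:enable /failure:enable

# 2) Folder -> Properties -> Security -> Advanced -> Auditing: add an entry for Everyone.
#    Get-Acl -Audit reads the SACL (the audit entries) as well as the DACL; this needs an admin prompt.
$acl = Get-Acl -Path $Folder -Audit

$ruleArgs = @(
    'Everyone',                                                                       # Principal
    [System.Security.AccessControl.FileSystemRights]'Modify,Delete',                  # rights to audit (assumption)
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit', # "This folder, subfolders and files"
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure'                       # Type: All
)
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Verify: list the audit entries now in effect on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

The final `Get-Acl -Audit` call is the check worth keeping: if the Everyone entry does not show `Success, Failure` with both inheritance flags, no 4663 events will be written for the subfolders and the later script will have nothing to report.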

Now that everything is configured we can test out the auditing.

Use Powershell to Work with Event Logs

To work with the Windows Event logs you will need to be in an elevated Admin prompt.

One important thing to know before writing the PowerShell script is how events are labeled in the Windows event log. Below is a mapping of the relevant Event IDs to their associated actions, followed by the access-mask values that appear inside 4663 events.

Event IDs:

  • 4656 – a handle was requested
  • 4659 – a handle was requested with intent to delete
  • 4660 – delete confirmation for created/deleted/recycled objects
  • 4663 – object access

Access-mask values (reported in 4663 events):

  • 0x10000 = object delete/overwrite/rename/move
  • 0x2 = object modified
  • 0x80 = read attributes

With this information in mind, we can start writing our script to audit file access. The bulk of the log processing is accomplished via the Get-WinEvent cmdlet.

There is a nice read here regarding the differences between Get-WinEvent and Get-EventLog. The long and short of it is that Get-EventLog is much slower and is pretty much only useful for legacy systems at this point. For most log processing these days, use Get-WinEvent.

The idea is to iterate over the Windows event log messages to 1) determine whether the event is a file-access object event and 2) if so, figure out what kind of file access it records. Around this core logic there is some code for cleaning things up, weeding out false positives, handling a few edge cases and creating the reports.
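To make the logic just described concrete, here is an added example (my own code, not the post's script or the gist it is adapted from) that does the core of the job: it pulls 4663 events with `Get-WinEvent`, reads each event's XML, keeps only file objects under the audited folder, decodes the access mask using the values listed above, and writes a CSV and an HTML report. `$AuditedPath`, `$ReportDir` and the output file names are assumptions.

```powershell
# Added example: collect 4663 file-access events for an audited folder and write CSV + HTML reports.
# Assumes auditing is configured as described earlier; run from an elevated PowerShell prompt.
# $AuditedPath and $ReportDir are assumptions; adjust them to your environment.
param(
    [string]$AuditedPath = 'C:\Audit\Watched',
    [string]$ReportDir   = 'C:\Audit\File-Audit-Reports',
    [int]$HoursBack      = 24
)

# Access-mask bits carried in 4663 events (the values listed in the post).
$AccessMap = @{
    0x10000 = 'Delete/Overwrite/Rename/Move'
    0x2     = 'Modified (write data)'
    0x80    = 'Read attributes'
}

function Get-AccessDescription {
    param([int]$Mask)
    # A mask can carry several bits at once, so report every matching action.
    $names = foreach ($bit in $AccessMap.Keys) {
        if (($Mask -band $bit) -ne 0) { $AccessMap[$bit] }
    }
    if ($names) { $names -join ', ' } else { 'Other (0x{0:X})' -f $Mask }
}

# Get-WinEvent with a filter hashtable filters inside the event log service,
# which is why it is so much faster than Get-EventLog.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = (Get-Date).AddHours(-$HoursBack)
} -ErrorAction SilentlyContinue

$rows = foreach ($evt in $events) {
    # The event's fields are easiest to read from its XML representation.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Keep only file-system objects under the audited folder; everything else is noise here.
    if ($data['ObjectType'] -ne 'File') { continue }
    $objectName = [string]$data['ObjectName']
    if (-not $objectName.StartsWith($AuditedPath, [System.StringComparison]::OrdinalIgnoreCase)) { continue }

    [pscustomobject]@{
        Time       = $evt.TimeCreated
        User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Path       = $objectName
        Process    = $data['ProcessName']
        AccessMask = $data['AccessMask']
        Action     = Get-AccessDescription -Mask ([Convert]::ToInt32($data['AccessMask'], 16))
    }
}

# One user action usually produces several handle events; keep the first of each user/path/action set.
$report = $rows | Sort-Object Time | Group-Object User, Path, Action | ForEach-Object { $_.Group[0] }

New-Item -ItemType Directory -Path $ReportDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyy-MM-dd'
$report | Export-Csv -Path (Join-Path $ReportDir "File-Audit-$stamp.csv") -NoTypeInformation
$report | ConvertTo-Html -Title "File audit $stamp" -PreContent "<h1>Changed files under $AuditedPath</h1>" |
    Set-Content -Path (Join-Path $ReportDir "File-Audit-$stamp.html")

Write-Host ('{0} audited file events written to {1}' -f @($report).Count, $ReportDir)
```

Two points of the design are worth noting. The `ObjectType -ne 'File'` and path-prefix checks are the false-positive filter: the Security log carries 4663 events for registry keys and other object types as well, and for files outside the audited tree if other SACLs exist. The `Group-Object` step is the edge-case handling: a single save in an editor can produce a handful of 4663 events with the same user, path and access mask, and collapsing them keeps the report readable.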

I can’t take much credit for this method because my script is adapted from this script originally. The main difference is that I added HTML reporting, stripped out a few things I didn’t want and polished up the code a little. In fact, you could download and run the original script and it would work; there just wouldn’t be any HTML report.

To run my version of the script, make sure you are in an elevated PowerShell prompt and download the raw gist.

Then navigate to the location of the script (above I just used my home directory) and execute it.

It takes a minute to run but when it’s done, there should be a new file in C:\Audit\File-Audit-Reports called “Audit of changed files on –

And if you open the file, it should contain the recent changes to items in the configured directory.

[Screenshot: CSV report listing recent changes to the audited directory]

The script also creates an HTML file in the same directory with the same information that the CSV contains.

One interesting exercise for the reader would be to create some graphs or tables in Excel that show when files change, or which files are changed most often. The HTML report has no styling, so adding some could be another task to take on.

Wrapping Things Up with PowerShell File and Folder Auditing

If you refer back to my last post we covered steps for running the script as a scheduled task, as well as steps for emailing the reports automatically at a specified time. Setting up automated file audits is easy and it will make many people happy, so it is a win-win scenario for you.

There are a lot of concepts you will have to learn to get this script working if you are new to PowerShell (assuming you didn’t just copy and paste the code), including functions, dynamic arrays, hash tables, XML object conversion, WMI, nested loops and some other deeper programming concepts.

These concepts are very valuable and 100% worth learning. I recommend pulling open the script in your favorite text editor and hacking around with it to learn how it works and to begin understanding some of the higher level concepts mentioned above.

All said and done, it is easy to see that a little PowerShell magic goes a long way. The logic for creating file audits can be complicated, but in the long run it is well worth the effort of learning. Many of the techniques covered here can be applied to more complicated scripting tasks, and it is always good to learn new things.
