How can I find out who created a file in Windows using .NET?

Question

I need to find out who created a file using .NET

I have already tried the following:

string FileLocation = @"C:\test.txt";
FileInfo droppedFile = new FileInfo(FileLocation);
FileSecurity fileSecurity = droppedFile.GetAccessControl();
IdentityReference identityReference = fileSecurity.GetOwner(typeof(NTAccount));
string userName = identityReference.Value;
Console.WriteLine(userName);

All this returns is "BUILTIN\Administrators"

Am I doing something wrong here? Because when I look at the C:\ in explorer, the owner shows the correct username, when I exectute the code above it returns "BUILTIN\Administrators"

Which isn't even a domain and username, I think it's a security group.

Any help appreciated.

Answer 1

If a user is an administrator, then the files they created are considered to be owned by the whole administrators group, not the individual user.

You can see the same behaviour in Explorer's properties dialog. Annoyingly, I don't think there is any workaround, other than not making users admins.

Edit: This Technet article explains this behaviour in more detail. The rationale is that Windows treats all administrators as a single entity; any administrator on the system can do anything that the other administrators can.

• If one administrator is permissioned on a file, so are all other administrators
• If one administrator is denied access, then likewise the rest of the admins
• And if one administrator owns a file -- the owner of the file is given privileged access to that file -- then all other administrators must also own that file.

Answer 2

Update: I am wrong, there is an owner descriptor for file objects! (where was my head). Have a look at this MSDN article.

Possibly because the file object does not define a creator or owner, but instead is owned by the system itself (builtin\administrators). The "group or user names" list only specifies a list of groups and users that have access to the file, but not a creator specifically.

Best you can do is iterate through the list of "group or user names" and take a best guess which one the creator.