
Programmatically determine user who last modified file on Windows?

I've been tasked with writing a simple command line utility in C# that will monitor a directory on a server that several users will be accessing to copy/cut/paste/view data. I used FileSystemWatcher to do this but it's lacking a couple features.

Is it possible to determine the user or at least the computer name from where the file is being accessed/modified?

(Note: This doesn't have to be with FileSystemWatcher, I'm looking for ANY way to do this.)

Jamie Curtis asked Dec 06 '11 20:12


1 Answer

I don't think you'll be able to monitor this from C# directly. Not without the help of the host operating system anyway. Windows and NTFS allow you to audit a particular directory and log the accesses in the Security event log for the host machine (so the server hosting the share would have to audit, not the client).

From KB310399 - How to audit user access of files, folders, and printers in Windows XP

Auditing User Access of Files, Folders, and Printers

The audit log appears in the Security log in Event Viewer. To enable this feature:

  1. Click Start, click Control Panel, click Performance and Maintenance, and then click Administrative Tools.
  2. Double-click Local Security Policy.
  3. In the left pane, double-click Local Policies to expand it.
  4. In the left pane, click Audit Policy to display the individual policy settings in the right pane.
  5. Double-click Audit object access.
  6. To audit successful access of specified files, folders and printers, select the Success check box.
  7. To audit unsuccessful access to these objects, select the Failure check box.
  8. To enable auditing of both, select both check boxes.
  9. Click OK.

Specifying Files, Folders, and Printers to Audit

After you enable auditing, you can specify the files, folders, and printers that you want audited. To do so:

  1. In Windows Explorer, locate the file or folder you want to audit. To audit a printer, locate it by clicking Start, and then clicking Printers and Faxes.
  2. Right-click the file, folder, or printer that you want to audit, and then click Properties.
  3. Click the Security tab, and then click Advanced.
  4. Click the Auditing tab, and then click Add.
  5. In the Enter the object name to select box, type the name of the user or group whose access you want to audit. You can browse the computer for names by clicking Advanced, and then clicking Find Now in the Select User or Group dialog box.
  6. Click OK.
  7. Select the Successful or Failed check boxes for the actions you want to audit, and then click OK.
  8. Click OK, and then click OK.

The process is similar for the server operating systems and Windows Vista/Windows 7. If you go this route, you can have the C# program read the event log (See EventLog class) to look for the data you want.

Note: Starting with Vista, you must be an administrator (and UAC elevated if needed) to read them from code.

Joshua answered Oct 01 '22 09:10
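As an added example (not part of the original answer or the KB article), this C# console program reads the Security log on the server hosting the share and prints which account modified or deleted files under the audited folder. It uses EventLogReader from System.Diagnostics.Eventing.Reader rather than the EventLog class the answer mentions, so it can filter on event ID 4663 and read fields by name. The watched path is a placeholder, and the program assumes auditing is already enabled as described in the answer.

```csharp
// Added example (not from the original answer). Run as an elevated administrator;
// requires "Audit object access" and an audit entry on the watched folder.
using System;
using System.Diagnostics.Eventing.Reader;
using System.Linq;
using System.Xml.Linq;

static class AuditedWrites
{
    // Assumption: placeholder; use the local path of the audited folder on the server.
    const string WatchedDir = @"D:\Shares\Example\";
    // Event 4663 = "An attempt was made to access an object" (Vista / Server 2008 and later).
    const string Query = "*[System[(EventID=4663)]]";
    // File access-mask bits: WriteData 0x2, AppendData 0x4, DELETE 0x10000.
    const uint ModifyBits = 0x2 | 0x4 | 0x10000;

    static void Main()
    {
        // Newest events first.
        var query = new EventLogQuery("Security", PathType.LogName, Query) { ReverseDirection = true };
        using (var reader = new EventLogReader(query))
        {
            for (EventRecord rec = reader.ReadEvent(); rec != null; rec = reader.ReadEvent())
            using (rec)
            {
                // Read fields by name from the event XML rather than by position.
                XElement root = XElement.Parse(rec.ToXml());
                XNamespace ns = root.Name.Namespace;
                var data = root.Descendants(ns + "Data")
                    .Where(d => d.Attribute("Name") != null)
                    .ToDictionary(d => d.Attribute("Name").Value, d => d.Value);

                string path, maskText;
                if (!data.TryGetValue("ObjectName", out path) ||
                    !path.StartsWith(WatchedDir, StringComparison.OrdinalIgnoreCase)) continue;
                if (!data.TryGetValue("AccessMask", out maskText)) continue;

                uint mask = Convert.ToUInt32(maskText, 16); // logged as hex, e.g. "0x2"
                if ((mask & ModifyBits) == 0) continue;      // skip read-only accesses

                Console.WriteLine("{0:u}  {1}\\{2}  logon={3}  {4}", rec.TimeCreated,
                    data["SubjectDomainName"], data["SubjectUserName"],
                    data["SubjectLogonId"], path);
            }
        }
    }
}
```

Event 4663 records the account, not the client computer; the printed logon ID can be matched against the logon event (4624) with the same logon ID, which carries the source network address.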