In this video I want to show you how to find out who accessed your files and folders, or even tried to access your files and folders, in Windows 10 by enabling object auditing on your files and folders.

Before we begin, please note that this applies only to Windows 10 Pro, Enterprise and Education, and the file system should be NTFS. So if you have Windows 10 Home, it doesn't work on Windows 10 Home. Now, that being said, and because what I'm going to show you uses Group Policy management, or security policy management, which is a subset of Group Policy management, there are out there some batch files and some scripts that can enable this on Windows 10 Home, but this is not officially supported by Microsoft. So here I'm gonna show you only the supported method.
There are three easy steps to achieve this. The first step is to enable object access auditing on your Windows 10 PC. The second step is to configure auditing on the selected files and folders. And the third step is simply viewing the audit log.
So let's start with step 1, which is enabling object access auditing in Windows 10. On your Windows 10 PC, start Group Policy Editor: click in your search box and type "group", space, "pol", and here you see Group Policy. Alternatively, you can start only Security Policy, which leads only to the security settings of the computer, but here I'm showing you Group Policy. So let me enlarge this a little bit so that you can see.

Here under Group Policy you see that you have Local Computer Policy, which is your computer, and you have two branches: Computer Configuration and User Configuration. The one that is of interest to us is Computer Configuration. Under Computer Configuration you have Windows Settings; click on it to expand it. Then you have Security Settings; also click on it to expand it. Under Security Settings you have something called Advanced Audit Policy Configuration, so here also click on the small arrow next to it just to expand it, and then click on System Audit Policies. You have a bunch of things here. The one that is of interest to us is Object Access, so double click Object Access.

Under Object Access we have to enable Audit File System only, so double click on it once again. Here you see "Configure the following audit events": click on it and then select Success and Failure. Success means that if someone succeeds in accessing the file or the folder that you have audited, it will show you. And if someone tried to access but couldn't do it, it will also show you; this is a Failure. So click OK here, and with the Group Policy we have finished. So this was the first part.
The second part is to apply the security policy that we just enabled to a certain file or folder. So here I'm gonna open Documents, and let's say under Documents I have a folder called Personal. Let's say we have these under Personal, and I want to audit all accesses to Personal. So right click on it, click Properties, and then click Security. Under Security click Advanced. Under Advanced click Auditing. Click Continue, and then here you have to select the users you want to audit.

So click on Add and then click on Select a principal. If you have a user in mind that you want to audit, you can select it here. Let me click Advanced and Find Now. You can select either a user or you can select a group, so we have all these groups here and all the users. Let's say we want to audit everyone. If we want to audit everyone, we have to select the built-in group Everyone, and then click OK, and then click OK again.

Then under Type you notice that Success was selected by default. So click the drop down list and you see you have All, Fail and Success. Select All. This way you will audit the succeeded attempts on your files and folders and also the failed attempts, in case someone who doesn't have access to this folder tries to access it, or to this file of course. Then afterwards, here click on Full control and then click OK.

Now if you select Everyone, please note that also your user access will be audited, so it's better to select a group that doesn't contain your user, or select only one user. But here, for the purpose of this video, I selected Everyone. So here click OK and then OK again, and now Personal is being audited, and everything under Personal also is being audited.
So let's try to access something under Personal. I just entered into Personal, so this should be logged into the event log. I'm gonna show you also how to see the Event Viewer log. Let me create a new document, so let me create a bitmap image, and let me delete this new text document. Let me go into Test and let me also create here a rich text document. And let's see now if all these actions were logged.
To see the actions you need to go into something called Event Viewer. You have many ways to launch Event Viewer: either in the search box you can type "event" and it will show here, or you can right click the Windows logo and here it is, Event Viewer. You can also start Computer Management by typing "computer management" into the search box and selecting Computer Management; it is also under Computer Management. So let's go with Computer Management.

Here you have something called Event Viewer. Click on the arrow next to it to expand it, and under Windows Logs you have something called Security. This is the security log where all accesses should be logged, so let me click on it. Here you have all the accesses that were done on the folder and the files in the folder.

So let's see them. Let me double click the first one. You see here under Subject you have first Account Name, so this is an account that accessed the object. If you scroll down a little bit here, you see that the folder Test was accessed. And what was the access type? Keep on scrolling and you see that the access was reading the attributes.

Here you can click on the next arrow. This is important: this is an event saying that data was written or a file was added. You can click on Details to see further information here. So we have everything here; this is the new file that we created, the new rich text document.

And this is also important: here you see that we found the event that is the delete event, and also if you click on Details you see what was deleted. So this is a text document that was deleted, and by whom it was deleted also, and this is the most important thing. You can see here who deleted the file; if you scroll up, it is this user. And you have the time, and you have the file, and you have all the information you need.
But as you noticed, it writes lots of events, so now you have to make a compromise between selecting one user only to audit, or a small group of users, or everyone. If you suspect that your system is under attack, it's always better to audit the Everyone group for a short period of time, and you can always increase the size of the security log in Event Viewer so that older entries don't get overwritten if you don't see them for a couple of days. But I don't advise you to keep the Everyone group auditing all the time.

So let me show you a little bit how to increase the volume of the security log. Here let me click on Close, right click the Security log here, and then click on Properties. Under Properties you can see you have the maximum log size. Here it's in kilobytes, so this is 20 megs. If you want to put it at 200 megs, just put it here, 200 megs.

Here you have also the option to overwrite events as needed, meaning if you reach the maximum volume it will start overwriting other events. You can also archive the log when full, or do not overwrite events but clear logs manually, but this will block your system from working if the event log reaches the maximum value and you don't clear it. So I advise you to keep it on "Overwrite events as needed" and keep it like this. Let's click OK here. It's only telling me that it will set the nearest multiple of 64K, so I'm gonna click on OK.

On top of accessing each event and then scrolling to see the next one, you can also either find an event or filter the events, so let me show you both very quickly. If you right click on Security here and then select Filter Current Log, here you have a bunch of options that you can choose to find the information you want. The second method is to right click Security and then click on Find, and here also you can put a string and try to find it in the log.

So that was it. I hope you enjoyed this video and found it useful. If you did, please share it, subscribe to my channel and give this video a thumbs up. Until next time, thank you for watching.
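
The three steps shown in the video, plus the log-size change, as a scripted equivalent for an elevated PowerShell session. This is an added example and not part of the video; the folder path, the one-hour search window and the event IDs 4656 and 4663 (Windows' identifiers for "a handle to an object was requested" and "an attempt was made to access an object") are assumptions that do not appear in the transcript.

```powershell
#Requires -RunAsAdministrator
# Assumed location of the "Personal" folder used in the video.
$folder = Join-Path $env:USERPROFILE 'Documents\Personal'

# Step 1: enable Success and Failure auditing for Object Access > File System.
# "File System" is the subcategory name on English-language Windows.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"

# Step 2: add an audit entry (SACL) for Everyone, type All, Full control,
# inherited by subfolders and files. S-1-1-0 is the well-known SID of the
# Everyone group, used here so the script does not depend on the UI language.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $folder -Audit      # -Audit loads the SACL as well
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Optional: raise the Security log to 200 MB (value is given in bytes).
wevtutil sl Security /ms:209715200

# Step 3: list who touched the folder during the last hour.
$filter = @{ LogName = 'Security'; Id = 4656, 4663
             StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named EventData fields into a lookup table.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        if ($data.ObjectName -like "$folder*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Result  = $_.KeywordsDisplayNames -join ','   # Audit Success / Audit Failure
                User    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
                Object  = $data.ObjectName
                Access  = $data.AccessMask
                Process = $data.ProcessName
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

To follow the video's advice about log volume, replace `$everyone` with a single user or a smaller group (for example `[System.Security.Principal.NTAccount]::new('PC\someuser')`, a placeholder name) once the short investigation window is over.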