0:00:00.240,0:00:02.159 In this video, I want to show you how to
0:00:02.159,0:00:04.319 find out who accessed your files and
0:00:04.319,0:00:05.040 folders,
0:00:05.040,0:00:07.200 or even tried to access your files and
0:00:07.200,0:00:08.880 folders in Windows 10,
0:00:08.880,0:00:11.759 by enabling object auditing on your
0:00:11.759,0:00:16.080 files and folders.
0:00:16.080,0:00:18.160 Before we begin, please note that this
0:00:18.160,0:00:20.000 applies only to Windows 10
0:00:20.000,0:00:23.439 Pro, Enterprise and Education,
0:00:23.439,0:00:26.800 and the file system should be NTFS.
0:00:26.800,0:00:29.119 So if you have Windows 10 Home, it
0:00:29.119,0:00:30.960 doesn't work on Windows 10 Home.
0:00:30.960,0:00:33.600 Now, that being said, and because what I'm
0:00:33.600,0:00:35.520 going to show you uses group policy
0:00:35.520,0:00:38.079 management or security policy management,
0:00:38.079,0:00:39.760 which is a subset of group policy
0:00:39.760,0:00:42.239 management, there are out there some
0:00:42.239,0:00:44.160 batch files and some scripts
0:00:44.160,0:00:46.879 that can enable this on Windows 10 Home,
0:00:46.879,0:00:48.800 but this is not officially supported by
0:00:48.800,0:00:49.760 Microsoft.
0:00:49.760,0:00:51.680 So here I'm gonna show you only the
0:00:51.680,0:00:53.199 supported method.
0:00:53.199,0:00:55.199 There are three easy steps to achieve
0:00:55.199,0:00:56.399 this. The first step
0:00:56.399,0:00:59.280 is to enable object access auditing on
0:00:59.280,0:01:00.800 your Windows 10 PC.
0:01:00.800,0:01:02.960 The second step is to configure auditing
0:01:02.960,0:01:05.199 on the selected files and folders.
0:01:05.199,0:01:08.159 And the third step is simply viewing the
0:01:08.159,0:01:09.360 audit log.
0:01:09.360,0:01:11.439 So let's start with step 1, which is
0:01:11.439,0:01:13.840 enabling object access auditing in
0:01:13.840,0:01:15.040 Windows 10.
0:01:15.040,0:01:17.360 So on your Windows 10 PC, start Group
0:01:17.360,0:01:18.400 Policy Editor.
0:01:18.400,0:01:21.200 So click in your search box and type
0:01:21.200,0:01:21.759 "group",
0:01:21.759,0:01:26.880 space, "pol". And here you see Group Policy.
0:01:26.880,0:01:28.560 Alternatively, you can start only
0:01:28.560,0:01:30.479 security policy, which leads
0:01:30.479,0:01:32.159 only to the security settings of the
0:01:32.159,0:01:34.400 computer. But here I'm showing you group
0:01:34.400,0:01:35.040 policy.
0:01:35.040,0:01:37.040 So let me enlarge this a little bit so
0:01:37.040,0:01:39.439 that you can see.
0:01:39.439,0:01:42.079 And here under group policy, you see that
0:01:42.079,0:01:44.000 you have Local Computer Policy, which is
0:01:44.000,0:01:45.119 your computer.
0:01:45.119,0:01:46.640 And you have two branches: Computer
0:01:46.640,0:01:48.960 Configuration and User Configuration.
0:01:48.960,0:01:51.200 The one that is of interest to us is
0:01:51.200,0:01:52.960 Computer Configuration.
0:01:52.960,0:01:54.799 And then under Computer Configuration
0:01:54.799,0:01:56.399 you have Windows Settings.
0:01:56.399,0:01:59.439 Click on it to expand it, and then you
0:01:59.439,0:02:01.200 have Security Settings.
0:02:01.200,0:02:04.079 Also click on it to expand it, and you
0:02:04.079,0:02:05.680 have under Security Settings
0:02:05.680,0:02:07.920 something called Advanced Audit Policy
0:02:07.920,0:02:09.200 Configuration.
0:02:09.200,0:02:12.560 So here, also click on the small arrow
0:02:12.560,0:02:15.680 next to it, just to expand it.
0:02:15.680,0:02:19.280 And then click on System Audit Policies,
0:02:19.280,0:02:22.640 and you have a bunch of things here.
0:02:22.640,0:02:25.040 The one that is of interest to us is
0:02:25.040,0:02:25.760 Object
0:02:25.760,0:02:30.720 Access.
So double click Object Access,
0:02:32.000,0:02:34.160 and under Object Access, we have to
0:02:34.160,0:02:35.360 enable Audit
0:02:35.360,0:02:37.760 File System only. So double click on it
0:02:37.760,0:02:39.680 once again,
0:02:39.680,0:02:42.000 and here you see, click on "Configure the
0:02:42.000,0:02:44.640 following audit events",
0:02:44.640,0:02:47.840 and then select Success and Failure.
0:02:47.840,0:02:51.680 Success means that if someone succeeds
0:02:51.680,0:02:54.400 in accessing the file or the folder
0:02:54.400,0:02:56.080 that you have audited,
0:02:56.080,0:02:59.440 it will show you, and if someone tried to
0:02:59.440,0:03:01.200 access but couldn't do it,
0:03:01.200,0:03:03.840 it will also show you. This is a failure.
0:03:03.840,0:03:05.680 So click OK here,
0:03:05.680,0:03:07.599 and with the group policy, we have
0:03:07.599,0:03:10.080 finished. So this was the first part.
0:03:10.080,0:03:13.200 The second part is to apply
0:03:13.200,0:03:15.840 the security policy that we just enabled
0:03:15.840,0:03:18.080 to a certain file or folder.
0:03:18.080,0:03:21.680 So here I'm gonna open Documents.
0:03:21.760,0:03:24.000 And let's say under Documents, I have a
0:03:24.000,0:03:25.680 folder called Personal.
0:03:25.680,0:03:28.080 So let's say we have these under
0:03:28.080,0:03:28.799 Personal,
0:03:28.799,0:03:31.360 and I want to audit all accesses to
0:03:31.360,0:03:32.239 Personal.
0:03:32.239,0:03:36.480 So right click on it, click Properties,
0:03:36.480,0:03:39.599 and then click Security.
0:03:39.599,0:03:43.200 Under Security, click Advanced.
0:03:43.200,0:03:46.640 Under Advanced, click Auditing.
0:03:46.640,0:03:50.000 Click Continue. And then here you have to
0:03:50.000,0:03:50.720 select
0:03:50.720,0:03:53.760 the users you want to audit. So
0:03:53.760,0:03:57.680 click on Add.
0:03:57.680,0:04:00.799 And then click on "Select a principal", and
0:04:00.799,0:04:02.560 if you have a user in mind that you want
0:04:02.560,0:04:03.439 to audit,
0:04:03.439,0:04:05.840 you can select it here. So let me click
0:04:05.840,0:04:07.040 Advanced
0:04:07.040,0:04:10.080 and Find Now, so you can select either a
0:04:10.080,0:04:10.959 user
0:04:10.959,0:04:14.319 or you can select a group. So we have all
0:04:14.319,0:04:15.360 these groups here
0:04:15.360,0:04:17.759 and all the users. Let's say we want to
0:04:17.759,0:04:18.959 audit everyone.
0:04:18.959,0:04:20.880 So if we want to audit everyone, we have
0:04:20.880,0:04:22.560 to select
0:04:22.560,0:04:25.520 the built-in group Everyone and then
0:04:25.520,0:04:27.120 click OK,
0:04:27.120,0:04:30.080 and then click OK again. And then under
0:04:30.080,0:04:31.040 Type, you notice
0:04:31.040,0:04:33.919 that Success was selected by default. So
0:04:33.919,0:04:34.320 click
0:04:34.320,0:04:36.960 the drop-down list. And you see, you have
0:04:36.960,0:04:37.360 All,
0:04:37.360,0:04:40.479 Fail and Success. So select All.
0:04:40.479,0:04:43.280 So this way, you will audit the succeeded
0:04:43.280,0:04:44.080 attempts
0:04:44.080,0:04:46.720 on your files and folders and also the
0:04:46.720,0:04:48.479 failed attempts, in case
0:04:48.479,0:04:51.040 someone who doesn't have access to this
0:04:51.040,0:04:53.440 folder tries to access it, or this file,
0:04:53.440,0:04:54.400 of course.
0:04:54.400,0:04:56.320 And then afterwards here click on Full
0:04:56.320,0:04:58.400 control,
0:04:58.400,0:05:01.360 and then click OK.
0:05:01.440,0:05:04.000 Now, if you select Everyone, please note
0:05:04.000,0:05:04.479 that
0:05:04.479,0:05:07.360 also your user access will be audited. So
0:05:07.360,0:05:08.880 it's better to select
0:05:08.880,0:05:11.360 a group that doesn't contain your user,
0:05:11.360,0:05:12.160 or select
0:05:12.160,0:05:14.479 only one user.
But here, for the purpose
0:05:14.479,0:05:16.880 of this video, I selected Everyone.
0:05:16.880,0:05:20.080 So here click OK, and then
0:05:20.080,0:05:23.440 OK again, and now Personal
0:05:23.440,0:05:25.520 is being audited and everything under
0:05:25.520,0:05:27.680 Personal also is being audited.
0:05:27.680,0:05:29.919 So let's try to access something under
0:05:29.919,0:05:31.120 Personal.
0:05:31.120,0:05:33.840 So I just entered into Personal. So this
0:05:33.840,0:05:34.720 should be
0:05:34.720,0:05:36.560 logged into the event log. So I'm gonna
0:05:36.560,0:05:38.639 show you also how to see the Event
0:05:38.639,0:05:39.840 Viewer log,
0:05:39.840,0:05:42.720 and let me create a new document. So let
0:05:42.720,0:05:45.199 me create a bitmap image.
0:05:45.199,0:05:48.479 And let me delete this new text document.
0:05:48.479,0:05:51.600 Let me go into Test. And let me also
0:05:51.600,0:05:53.280 create
0:05:53.280,0:05:57.039 here a rich text document.
0:05:57.199,0:05:59.759 And let's see now if all these actions
0:05:59.759,0:06:00.560 were logged.
0:06:00.560,0:06:02.880 So to see the actions, you need to go
0:06:02.880,0:06:04.000 into something called
0:06:04.000,0:06:06.720 Event Viewer. So Event Viewer, you have
0:06:06.720,0:06:07.840 many ways to
0:06:07.840,0:06:09.600 launch it. So either in the search box,
0:06:09.600,0:06:11.360 you can type "event"
0:06:11.360,0:06:13.840 and it will show here. You can also right
0:06:13.840,0:06:15.440 click the Windows logo,
0:06:15.440,0:06:17.840 and here it is, Event Viewer. You can
0:06:17.840,0:06:20.160 start Computer Management
0:06:20.160,0:06:23.280 by typing "computer
0:06:23.280,0:06:27.039 management" into the search box
0:06:27.039,0:06:29.039 and selecting Computer Management. It is
0:06:29.039,0:06:30.800 also under Computer Management.
So let's
0:06:30.800,0:06:34.720 go with Computer Management,
0:06:34.720,0:06:36.639 and here, you have something called Event
0:06:36.639,0:06:37.840 Viewer.
0:06:37.840,0:06:40.080 Click on the arrow next to it to expand
0:06:40.080,0:06:41.039 it,
0:06:41.039,0:06:44.160 and under Windows Logs, you have
0:06:44.160,0:06:45.680 something called Security,
0:06:45.680,0:06:48.240 and this is the security log where all
0:06:48.240,0:06:50.000 accesses should be logged.
0:06:50.000,0:06:52.319 So let me click on it. So here you have
0:06:52.319,0:06:54.000 all the accesses that were done on the
0:06:54.000,0:06:56.080 folder and the files in the folder.
0:06:56.080,0:06:58.240 So let's see them. Let me double click
0:06:58.240,0:07:00.080 the first one.
0:07:00.080,0:07:02.400 You see here under Subject, you have
0:07:02.400,0:07:03.759 first Account Name.
0:07:03.759,0:07:06.800 So this is the account that accessed the
0:07:06.800,0:07:08.000 object.
0:07:08.000,0:07:10.880 If you scroll down a little bit here, you
0:07:10.880,0:07:12.240 see that
0:07:12.240,0:07:14.479 the folder Test was accessed, and what
0:07:14.479,0:07:18.479 was the access type. Keep on scrolling,
0:07:18.479,0:07:20.240 and you see that the access was reading
0:07:20.240,0:07:22.479 the attributes. So here you can click on
0:07:22.479,0:07:23.919 the next arrow.
0:07:23.919,0:07:26.160 So here, this is important. This is an
0:07:26.160,0:07:27.360 event saying that
0:07:27.360,0:07:30.000 data was written or a file was added. You
0:07:30.000,0:07:32.000 can click on Details to see further
0:07:32.000,0:07:33.759 information here.
0:07:33.759,0:07:37.039 So we have everything here. So this is
0:07:37.039,0:07:39.120 here the new file that we created,
0:07:39.120,0:07:42.560 the new rich text document.
0:07:42.560,0:07:44.639 And this is also important here. You see
0:07:44.639,0:07:46.560 that we found the event
0:07:46.560,0:07:49.360 that is the delete event.
And also if you
0:07:49.360,0:07:51.039 click on Details, you see what was
0:07:51.039,0:07:52.080 deleted.
0:07:52.080,0:07:54.800 So this is a text document that was deleted,
0:07:54.800,0:07:57.280 and by whom it was deleted also, and this
0:07:57.280,0:07:59.440 is the most important thing.
0:07:59.440,0:08:02.479 So you can see here who deleted the file.
0:08:02.479,0:08:06.160 If you scroll up, it is this user,
0:08:06.160,0:08:08.400 and you have the time, and you have the
0:08:08.400,0:08:10.319 file, and you have all the information
0:08:10.319,0:08:11.199 you need.
0:08:11.199,0:08:13.680 But as you noticed, it writes lots of
0:08:13.680,0:08:14.400 events.
0:08:14.400,0:08:16.319 So now you have to make a compromise
0:08:16.319,0:08:17.680 between selecting
0:08:17.680,0:08:21.120 one user only to audit, or a small group
0:08:21.120,0:08:21.919 of users,
0:08:21.919,0:08:24.400 or everyone. So if you suspect that your
0:08:24.400,0:08:26.000 system is under attack,
0:08:26.000,0:08:29.039 it's always better to audit the Everyone
0:08:29.039,0:08:29.599 group
0:08:29.599,0:08:31.919 for a short period of time. And you can
0:08:31.919,0:08:33.919 always increase the size of the security
0:08:33.919,0:08:35.279 log in Event Viewer,
0:08:35.279,0:08:38.560 so that older entries don't get
0:08:38.560,0:08:40.560 overwritten if you don't see them for a
0:08:40.560,0:08:41.760 couple of days.
0:08:41.760,0:08:43.760 But I don't advise you to keep the
0:08:43.760,0:08:44.880 Everyone group
0:08:44.880,0:08:47.519 auditing all the time. So let me show you
0:08:47.519,0:08:49.120 a little bit how to increase
0:08:49.120,0:08:51.519 the volume of the security log. So here
0:08:51.519,0:08:53.200 let me click on Close,
0:08:53.200,0:08:56.080 right click the Security log here, and
0:08:56.080,0:08:56.880 then
0:08:56.880,0:09:00.000 click on Properties.
0:09:00.000,0:09:01.920 And then under Properties here, you can
0:09:01.920,0:09:04.399 see you have the maximum log size.
0:09:04.399,0:09:07.360 So here it's in kilobytes. So this is 20
0:09:07.360,0:09:09.920 megs. So if you want to put it to
0:09:09.920,0:09:13.680 200 max, so just put it here,
0:09:13.680,0:09:15.920 200 megs. So here you have also the
0:09:15.920,0:09:18.399 option to overwrite events as needed,
0:09:18.399,0:09:21.600 meaning if you reach the maximum volume,
0:09:21.600,0:09:22.000 it will
0:09:22.000,0:09:25.600 start overwriting other events. And also
0:09:25.600,0:09:27.839 you can archive the log when full,
0:09:27.839,0:09:30.080 or do not overwrite events but clear
0:09:30.080,0:09:31.920 the log manually. But this will block your
0:09:31.920,0:09:33.200 system from working
0:09:33.200,0:09:35.200 if the event log reaches the maximum
0:09:35.200,0:09:37.839 value and you don't clear it.
0:09:37.839,0:09:40.000 So I advise you to keep it "Overwrite
0:09:40.000,0:09:43.600 events as needed", and keep it like this,
0:09:43.600,0:09:46.880 and let's click OK here. So it's only
0:09:46.880,0:09:47.760 telling me that
0:09:47.760,0:09:51.200 it will set the nearest multiple of 64K.
0:09:51.200,0:09:54.399 So I'm gonna click on OK. So on top of
0:09:54.399,0:09:55.839 accessing each event
0:09:55.839,0:09:58.160 and then scrolling to see the next one,
0:09:58.160,0:09:59.440 you can also
0:09:59.440,0:10:01.680 either find an event or filter the events.
0:10:01.680,0:10:02.800 So let me show you both
0:10:02.800,0:10:05.120 very quickly. So if you right click on
0:10:05.120,0:10:06.399 Security here
0:10:06.399,0:10:09.040 and then select Filter Current Log, and
0:10:09.040,0:10:10.959 here you have a bunch of options that
0:10:10.959,0:10:12.800 you can choose to find the information
0:10:12.800,0:10:14.240 you want.
0:10:14.240,0:10:17.120 And the second method is to right click
0:10:17.120,0:10:19.440 Security, and then click on Find.
0:10:19.440,0:10:21.600 And here also you can put a string and
0:10:21.600,0:10:22.640 try to find it
0:10:22.640,0:10:25.760 in the log. So that was it. I hope you
0:10:25.760,0:10:27.519 enjoyed this video and found it useful.
0:10:27.519,0:10:28.240 If you did,
0:10:28.240,0:10:30.399 please share it, subscribe to my channel,
0:10:30.399,0:10:32.000 and give this video a thumbs up.
0:10:32.000,0:10:36.160 Until next time, thank you for watching.
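Added example, not part of the video transcript above: the same three steps (enable the File System audit subcategory, put an audit entry on a folder, read the resulting Security events) done from an elevated PowerShell prompt instead of the Group Policy and Explorer dialogs the video clicks through. The folder path, the audited principal (Everyone, as in the video), the one-hour lookback and the 200 MB log cap are assumptions for illustration. Two caveats the video does not cover: auditpol writes the effective local audit policy directly, so on a domain-joined machine a domain GPO can overwrite it at the next refresh; and reading or writing a SACL needs SeSecurityPrivilege, so the prompt must be elevated or Get-Acl -Audit and Set-Acl will fail.

```powershell
# Added example (not from the video): object-access auditing of one folder,
# scripted. Assumes Windows 10 Pro/Enterprise/Education, NTFS, elevated prompt.
$Folder = Join-Path $env:USERPROFILE 'Documents\Personal'   # assumed path

# Step 1: enable Object Access -> File System for success and failure.
# This is the same setting as Advanced Audit Policy Configuration in the video.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
auditpol.exe /get /subcategory:"File System"                # verify it took

# Step 2: add an audit rule (SACL entry) on the folder that inherits to all
# subfolders and files, for Everyone, FullControl, success and failure.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl
# Verify the SACL now carries the rule (explicit and inherited entries, by name).
(Get-Acl -Path $Folder -Audit).GetAuditRules($true, $true,
    [System.Security.Principal.NTAccount]) | Format-List

# Optional: raise the Security log cap to 200 MB (wevtutil takes bytes; the
# default retention "overwrite events as needed" is left alone).
wevtutil.exe set-log Security /ms:209715200

# Step 3: pull the object-access events for that folder from the last hour.
#   4663 = an attempt was made to access an object (the events the video scrolls)
#   4660 = an object was deleted (paired with a 4663 whose AccessMask is 0x10000, DELETE)
#   4656 = a handle to an object was requested (access-denied attempts land here)
function Get-FolderAuditEvents {
    param(
        [string]$Path = $Folder,
        [datetime]$Since = (Get-Date).AddHours(-1)   # assumed lookback
    )
    Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = 4656, 4660, 4663; StartTime = $Since
        } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The per-event fields (who, what object, which access) live in
            # EventData; reading the event XML is the reliable way to get them.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                EventId    = $_.Id
                Outcome    = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
                User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object     = $data['ObjectName']
                AccessMask = $data['AccessMask']
                Process    = $data['ProcessName']
            }
        } |
        Where-Object { $_.Object -like "$Path*" }
}

# Usage: list who touched what under the folder, oldest first.
Get-FolderAuditEvents | Sort-Object Time | Format-Table -AutoSize
```

The Where-Object filter on ObjectName does what the video's "Filter Current Log" dialog cannot do by itself: it narrows the flood of 4663 events to one folder tree, which is the practical answer to the video's point that auditing Everyone writes a lot of events. To stop auditing, remove the rule with `$acl.RemoveAuditRule($rule)` followed by the same Set-Acl call, and disable the subcategory again with `auditpol.exe /set /subcategory:"File System" /success:disable /failure:disable`.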