In this video, I want to show you how to find out who accessed your files and folders, or even tried to access your files and folders, in Windows 10 by enabling object auditing on your files and folders.

Before we begin, please note that this applies only to Windows 10 Pro, Enterprise and Education, and the file system should be NTFS. So if you have Windows 10 Home, it doesn't work on Windows 10 Home. Now, that being said, and because what I'm going to show you uses Group Policy Management or Security Policy Management, which is a subset of Group Policy Management: there are out there some batch files and some scripts that can enable this on Windows 10 Home, but this is not officially supported by Microsoft. So here I'm gonna show you only the supported method.

There are three easy steps to achieve this. The first step is to enable object access auditing on your Windows 10 PC. The second step is to configure auditing on the selected files and folders.
And the third step is simply viewing the audit log.

So let's start with step 1, which is enabling object access auditing in Windows 10. So on your Windows 10 PC, start the Group Policy Editor. So click in your search box and type "group pol", and here you see Group Policy. Alternatively, you can start only Security Policy, which leads only to the security settings of the computer. But here I'm showing you Group Policy. So let me enlarge this a little bit so that you can see.

And here under Group Policy, you see that you have Local Computer Policy, which is your computer. And you have two branches: Computer Configuration and User Configuration. The one that is of interest to us is Computer Configuration. And then under Computer Configuration you have Windows Settings; click on it to expand it, and then you have Security Settings. Also click on it to expand it, and you have, under Security Settings,
something called Advanced Audit Policy Configuration. So here, also click on the small arrow next to it, just to expand it. And then click on System Audit Policies, and you have a bunch of things here. The one that is of interest to us is Object Access. So double click Object Access, and under Object Access, we have to enable Audit File System only. So double click on it once again, and here you see, click on "Configure the following audit events", and then select Success and Failure. Success means that if someone succeeds in accessing the file or the folder that you have audited, it will show you; and if someone tried to access it but couldn't do it, it will also show you, this is a failure. So click OK here, and with the Group Policy we have finished.

So this was the first part. The second part is to apply the security policy that we just enabled to a certain file or folder. So here I'm gonna open Documents.
And let's say under Documents I have a folder called Personal. So let's say we have these under Personal, and I want to audit all accesses to Personal. So right click on it, click Properties, and then click Security. Under Security, click Advanced; under Advanced, click Auditing; click Continue. And then here you have to select the users you want to audit. So click on Add, and then click on "Select a principal", and if you have a user in mind that you want to audit, you can select it here. So let me click Advanced, and Find Now. So you can select either a user, or you can select a group. So we have all these groups here, and all the users. Let's say we want to audit everyone. So if we want to audit everyone, we have to select the built-in group Everyone and then click OK, and then click OK again. And then under Type, you notice that Success was selected by default.
So click the drop-down list, and you see you have All, Fail and Success. So select All. So this way, you will audit the succeeded attempts on your files and folders and also the failed attempts, in case someone who doesn't have access to this folder, or to this file of course, tries to access it. And then afterwards, here click on Full Control, and then click OK.

Now, if you select Everyone, please note that also your user access will be audited. So it's better to select a group that doesn't contain your user, or select only one user. But here, for the purpose of this video, I selected Everyone. So here click OK, and then OK again, and now Personal is being audited, and everything under Personal also is being audited.

So let's try to access something under Personal. So I just entered into Personal. So this should be logged into the event log.
So I'm gonna show you also how to see the Event Viewer log. And let me create a new document. So let me create a bitmap image. And let me delete this new text document. Let me go into Test, and let me also create here a rich text document. And let's see now if all these actions were logged.

So to see the actions, you need to go into something called Event Viewer. So Event Viewer, you have many ways to launch it. So either in the search box you can type "event", and it will show here; you can also right click the Windows logo, and here it is, Event Viewer; you can start Computer Management by typing "computer management" into the search box and selecting Computer Management. It is also under Computer Management. So let's go with Computer Management, and here you have something called Event Viewer.
Click on the arrow next to it to expand it, and under Windows Logs you have something called Security, and this is the security log where all accesses should be logged. So let me click on it. So here you have all the accesses that were done on the folder, and the files in the folder. So let's see them. Let me double click the first one. You see here, under Subject, you have first Account Name. So this is the account that accessed the object. If you scroll down a little bit here, you see that the folder Test was accessed, and what was the access type. Keep on scrolling, and you see that the access was reading the attributes. So here you can click on the next arrow. So here, this is important: this is an event saying that data was written or a file was added. You can click on Details to see further information here. So we have everything here. So this is here the new file that we created, the new rich text document.
And this is also important here. You see that we found the event that is a delete event. And also if you click on Details, you see what was deleted. So this is a text document that was deleted, and by whom it was deleted also, and this is the most important thing. So you can see here who deleted the file. If you scroll up, it is this user, and you have the time, and you have the file, and you have all the information you need.

But as you noticed, it writes lots of events. So now you have to make a compromise between selecting one user only to audit, or a small group of users, or everyone. So if you suspect that your system is under attack, it's always better to audit the Everyone group for a short period of time. And you can always increase the size of the security log in Event Viewer, so that older entries don't get overwritten if you don't see them for a couple of days.
But I don't advise you to keep the Everyone group auditing all the time. So let me show you a little bit how to increase the volume of the security log. So here let me click on Close. Right click the Security log here and then click on Properties. And then under Properties here, you can see you have the maximum log size. So here it's in kilobytes. So this is 20 megs. So if you want to put it at 200 megs, so just put it here: 200 megs. So here you have also the option to overwrite events as needed, meaning if you reach the maximum volume, it will start overwriting other events. And also you can archive the log when full, or do not overwrite events but clear the log manually. But this will block your system from working if the event log reaches the maximum value and you don't clear it. So I advise you to keep it at "overwrite events as needed", and keep it like this, and let's click OK here. So it's only telling me that it will set the nearest multiple of 64K.
So I'm gonna click on OK. So on top of accessing each event and then scrolling to see the next one, you can also either find an event, or filter the events. So let me show you both very quickly. So if you right click on Security here, and then select Filter Current Log, and here you have a bunch of options that you can choose to find the information you want. And the second method is to right click Security, and then click on Find. And here also you can put a string and try to find it in the log.

So that was it. I hope you enjoyed this video and found it useful. If you did, please share it, subscribe to my channel, and give this video a thumbs up. Until next time, thank you for watching.
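The three steps shown in the video through the Group Policy Editor, the folder's Auditing tab and Event Viewer can also be done from an elevated PowerShell prompt, which is handy when you want to repeat the setup on several machines or pull the relevant events out of a large Security log. The script below is an added example and is not code from the video. It assumes the same Windows 10 Pro/Enterprise/Education and NTFS requirements the video states; the folder path is a placeholder to replace with your own; the `auditpol` subcategory name "File System", the audit-rule classes, event ID 4663 ("An attempt was made to access an object") and the file access-mask bit values are standard documented Windows values, and `wevtutil` sets the 200 MB "overwrite events as needed" log size the video recommends.

```powershell
# Added example (not from the video): scripting the tutorial's three steps.
# Run from an elevated (Administrator) PowerShell on Windows 10 Pro/Enterprise/Education, NTFS volume.

# Assumed path: change this to the folder you want to audit.
$Target = Join-Path $env:USERPROFILE 'Documents\Personal'

# --- Step 1: enable Object Access > Audit File System for Success and Failure.
# Same setting as Advanced Audit Policy Configuration > System Audit Policies > Object Access.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"File System"   # show the resulting setting

# --- Step 2: add an audit entry (SACL) on the folder, inherited by subfolders and files.
# 'Everyone' mirrors the video; a narrower principal produces far less noise (the video's own advice).
$acl  = Get-Acl -Path $Target -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl
(Get-Acl -Path $Target -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# --- Step 3: read the Security log. Event 4663 = "An attempt was made to access an object".
# Subset of the documented Win32 file access-right bits used to decode the event's AccessMask.
$AccessNames = [ordered]@{
    0x1     = 'ReadData/ListDirectory'
    0x2     = 'WriteData/AddFile'
    0x4     = 'AppendData/AddSubdirectory'
    0x80    = 'ReadAttributes'
    0x100   = 'WriteAttributes'
    0x10000 = 'DELETE'
    0x40000 = 'WRITE_DAC'
}

function Get-FolderAccessEvents {
    param(
        [string]$Path,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    # A hashtable filter is evaluated by the event log service, far faster than Where-Object over the whole log.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields (SubjectUserName, ObjectName, AccessMask, ProcessName, ...) out of the XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d.ObjectName -like "$Path*") {
            $mask  = [int]$d.AccessMask   # logged as a hex string such as "0x10000"
            $names = $AccessNames.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $AccessNames[$_] }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Result  = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object  = $d.ObjectName
                Access  = ($names -join ',')
                Process = $d.ProcessName
            }
        }
    }
}

# Who touched the audited folder in the last hour, and how (read, write/add, delete, ...).
Get-FolderAccessEvents -Path $Target | Format-Table -AutoSize

# --- Log size: 200 MB (a multiple of 64K) with "Overwrite events as needed" (/rt:false = no retention).
wevtutil sl Security /ms:209715200 /rt:false
```

Filtering on `ObjectName` and decoding `AccessMask` does in code what the video does by opening each event and scrolling to the Access Request Information section: a `DELETE` bit with `Result = Success` is the deletion shown in the video, a `WriteData/AddFile` on the folder is the file creation, and `Result = Failure` rows are the attempts by users without permission that the Fail audit type was selected to catch.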