In this video, I want to show you how to find out who accessed your files and folders, or even tried to access your files and folders, in Windows 10 by enabling object auditing on your files and folders. Before we begin, please note that this applies only to Windows 10 Pro, Enterprise and Education, and the file system should be NTFS. So if you have Windows 10 Home, it doesn't work on Windows 10 Home. Now, that being said, and because what I'm going to show you uses Group Policy management, or security policy management, which is a subset of Group Policy management, there are out there some batch files and some scripts that can enable this on Windows 10 Home, but this is not officially supported by Microsoft. So here I'm gonna show you only the supported method.

There are three easy steps to achieve this. The first step is to enable object access auditing on your Windows 10 PC. The second step is to configure auditing on the selected files and folders. And the third step is simply viewing the audit log.

So let's start with step 1, which is enabling object access auditing in Windows 10. So on your Windows 10 PC, start Group Policy Editor. So click in your search box and type "group pol". And here you see Group Policy. Alternatively, you can start Local Security Policy, which leads only to the security settings of the computer. But here I'm showing you Group Policy. So let me enlarge this a little bit so that you can see.

And here under Group Policy, you see that you have Local Computer Policy, which is your computer. And you have two branches: Computer Configuration and User Configuration. The one that is of interest to us is Computer Configuration. And then under Computer Configuration you have Windows Settings; click on it to expand it, and then you have Security Settings. Also click on it to expand it, and you have under Security Settings something called Advanced Audit Policy Configuration. So here, also click on the small arrow next to it, just to expand it.
And then click on System Audit Policies, and you have a bunch of things here. The one that is of interest to us is Object Access. So double-click Object Access, and under Object Access, we have to enable Audit File System only. So double-click on it once again, and here you see, click on "Configure the following audit events", and then select Success and Failure. Success means that if someone succeeds in accessing the file or the folder that you have audited, it will show you, and if someone tried to access but couldn't do it, it will also show you; this is a failure. So click OK here, and with the Group Policy, we have finished.

So this was the first part. The second part is to apply the security policy that we just enabled to a certain file or folder. So here I'm gonna open Documents. And let's say under Documents, I have a folder called personal. So let's say we have these under personal, and I want to audit all accesses to personal. So right-click on it, click Properties and then click Security. Under Security, click Advanced; under Advanced, click Auditing, click Continue.

And then here you have to select the users you want to audit. So click on Add. And then click on Select a principal, and if you have a user in mind that you want to audit, you can select it here. So let me click Advanced, and Find Now, so you can select either a user, or you can select a group. So we have all these groups here, and all the users. Let's say we want to audit everyone. So if we want to audit everyone, we have to select the built-in group Everyone and then click OK, and then click OK again.

And then under Type, you notice that Success was selected by default. So click the drop-down list. And you see, you have All, Fail and Success. So select All. So this way, you will audit the succeeded attempts on your files and folders and also the failed attempts, in case someone who doesn't have access to this folder tries to access it, or to this file.
Of course, and then afterwards here click on Full control, and then click OK. Now, if you select Everyone, please note that also your user access will be audited. So it's better to select a group that doesn't contain your user, or select only one user. But here, for the purpose of this video, I selected Everyone. So here click OK, and then OK again, and now personal is being audited and everything under personal also is being audited.

So let's try to access something under personal. So I just entered into personal. So this should be logged into the event log. So I'm gonna show you also how to see the Event Viewer log, and let me create a new document. So let me create a bitmap image. And let me delete this new text document. Let me go into test. And let me also create here a rich text document. And let's see now if all these actions were logged.

So to see the actions, you need to go into something called Event Viewer. So Event Viewer, you have many ways to launch it. So either in the search box, you can type "event", and it will show here. You can also right-click the Windows logo, and here it is, Event Viewer. You can start Computer Management by typing "computer management" into the search box and selecting Computer Management. It is also under Computer Management.

So let's go with Computer Management, and here, you have something called Event Viewer. Click on the arrow next to it to expand it, and under Windows Logs, you have something called Security, and this is the security log where all accesses should be logged. So let me click on it. So here you have all the accesses that were done on the folder and the files in the folder. So let's see them. Let me double-click the first one. You see here under Subject, you have first Account Name. So this is an account that accessed the object. If you scroll down here a little bit, you see that the folder test was accessed, and what was the access type. Keep on scrolling, and you see that the access was reading the attributes.
So here you can click on the next arrow. So here, this is important. This is an event saying that data was written or a file was added. You can click on Details to see further information here. So we have everything here. So this is here the new file that we created, the new rich text document. And this is also important here. You see that we found the event that is the delete event. And also if you click on Details, you see what was deleted. So this is a text document that was deleted. And by whom it was deleted also, and this is the most important thing. So you can see here who deleted the file. If you scroll up, it is this user, and you have the time, and you have the file, and you have all the information you need.

But as you noticed, it writes lots of events. So now you have to make a compromise between selecting one user only to audit, or a small group of users, or everyone. So if you suspect that your system is under attack, it's always better to audit the Everyone group for a short period of time. And you can always increase the size of the security log in Event Viewer, so that older entries don't get overwritten if you don't see them for a couple of days. But I don't advise you to keep the Everyone group auditing all the time.

So let me show you a little bit how to increase the volume of the security log. So here let me click on Close, right-click the Security log here and then click on Properties. And then under Properties here, you can see you have the maximum log size. So here it's in kilobytes. So this is 20 mega. So if you want to put it at 200 megs, just put 200 megs here. So here you have also the option to overwrite events as needed, meaning if you reach the maximum volume, it will start overwriting other events. And also you can archive the log when full, or do not overwrite events but clear logs manually. But this will block your system from working if the event log reaches the maximum value and you don't clear it.
So I advise you to keep it at "Overwrite events as needed". And keep it like this, and let's click OK here. So it's only telling me that it will set the nearest multiple of 64K. So I'm gonna click on OK.

So on top of accessing each event and then scrolling to see the next one, you can also either find an event or filter the events. So let me show you both very quickly. So if you right-click on Security here, and then select Filter Current Log, here you have a bunch of options that you can choose to find the information you want. And the second method is to right-click Security, and then click on Find. And here also you can put a string and try to find it in the log.

So that was it. I hope you enjoyed this video and found it useful. If you did, please share it, subscribe to my channel, and give this video a thumbs up. Until next time, thank you for watching.
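
The three steps from the walkthrough, scripted as an added example that is not part of the video. It assumes an elevated PowerShell prompt, the `Documents\personal` folder used above, and an English-language system; the event IDs 4663 and 4656 and the access-mask table are additions that the video does not mention.

```powershell
# Added example, not from the video. Run in an elevated PowerShell prompt.
# Assumption: the audited folder is Documents\personal on an NTFS volume.
$folder = Join-Path $env:USERPROFILE 'Documents\personal'

# Step 1: audit success and failure for the "File System" subcategory.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: auditing entry for Everyone, type All, Full control, inherited
# by subfolders and files. 'Everyone' is the English name of the group.
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Optional: raise the Security log maximum size to 200 MB (value in bytes).
wevtutil sl Security /ms:209715200

# Step 3: list audited accesses under the folder. 4663 = access attempt,
# 4656 = handle requested (failed attempts are logged under this ID).
$rights = @{
    0x1  = 'ReadData/ListDirectory';     0x2  = 'WriteData/AddFile'
    0x4  = 'AppendData/AddSubdirectory'; 0x80 = 'ReadAttributes'
    0x10000 = 'DELETE'
}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } `
    -MaxEvents 2000 -ErrorAction SilentlyContinue | ForEach-Object {
    $evt  = $_
    $data = @{}
    foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    if ($data.ObjectName -like "$folder*") {
        $bits = [Convert]::ToInt32($data.AccessMask, 16)
        [pscustomobject]@{
            Time   = $evt.TimeCreated
            Result = $evt.KeywordsDisplayNames -join ','   # Audit Success / Audit Failure
            User   = $data.SubjectUserName
            Object = $data.ObjectName
            Access = ($rights.Keys | Sort-Object | Where-Object { $bits -band $_ } |
                      ForEach-Object { $rights[$_] }) -join ', '
        }
    }
} | Format-Table -AutoSize
```

Narrowing the identity in step 2 from `Everyone` to a single user or a small group cuts the event volume, which is the trade-off the video describes.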