Audit File & Folder Access in Windows 11 & 10

Edit subtitles

0:00 - 0:02

In this video, I want to show you how to
0:02 - 0:04

find out who accessed your files and
0:04 - 0:05

folders,
0:05 - 0:07

or even try to access your files and
0:07 - 0:09

folders in Windows 10
0:09 - 0:12

by enabling object auditing on your
0:12 - 0:16

files and folders.
0:16 - 0:18

Before we begin, please note that this
0:18 - 0:20

applies only to Windows 10
0:20 - 0:23

pro enterprise and education
0:23 - 0:27

and the file system should be NTFs.
0:27 - 0:29

So if you have windows 10 home, it
0:29 - 0:31

doesn't work on Windows 10 home.
0:31 - 0:34

Now, that being said, and because what I'm
0:34 - 0:36

going to show you uses group policy
0:36 - 0:38

management or security policy management,
0:38 - 0:40

which is a subset of group policy
0:40 - 0:42

management. There are out there some
0:42 - 0:44

batch files and some scripts
0:44 - 0:47

that can enable this on Windows 10 home,
0:47 - 0:49

but this is not officially supported by
0:49 - 0:50

Microsoft.
0:50 - 0:52

So here I'm gonna show you only the
0:52 - 0:53

supported method.
0:53 - 0:55

There are three easy steps to achieve
0:55 - 0:56

this the first step
0:56 - 0:59

is to enable object access auditing on
0:59 - 1:01

your windows 10 PC.
1:01 - 1:03

The second step is to configure auditing
1:03 - 1:05

on the selected files and folders.
1:05 - 1:08

And the third step is simply viewing the
1:08 - 1:09

audit log.
1:09 - 1:11

So let's start with step 1, which is
1:11 - 1:14

enabling object access auditing in
1:14 - 1:15

Windows 10.
1:15 - 1:17

So on your Windows 10 PC start group
1:17 - 1:18

policy editor.
1:18 - 1:21

So click in your search box and type
1:21 - 1:22

group
1:22 - 1:27

space poll. And here you see group policy.
1:27 - 1:29

Alternatively, you can start only
1:29 - 1:30

security policy which leads
1:30 - 1:32

only to the security settings of the
1:32 - 1:34

computer. But here I'm showing you group
1:34 - 1:35

policy.
1:35 - 1:37

So let me enlarge this a little bit so
1:37 - 1:39

that you can see.
1:39 - 1:42

And here under group policy, you see that
1:42 - 1:44

you have local computer policy, which is
1:44 - 1:45

your computer.
1:45 - 1:47

And you have two branches computer
1:47 - 1:49

configuration and user configuration.
1:49 - 1:51

The one that is of interest to us is
1:51 - 1:53

computer configuration.
1:53 - 1:55

And then under computer configuration
1:55 - 1:56

you have Windows settings,
1:56 - 1:59

click on it to expand it, and then you
1:59 - 2:01

have security settings.
2:01 - 2:04

Also click on it to expand it, and you
2:04 - 2:06

have under security settings.
2:06 - 2:08

Something called advanced audit policy
2:08 - 2:09

configuration.
2:09 - 2:13

So here, also click on the small arrow
2:13 - 2:16

next to it, just to expand it.
2:16 - 2:19

And then click on system audit policies,
2:19 - 2:23

and you have a bunch of things here.
2:23 - 2:25

The one that is of interest to us is
2:25 - 2:26

object
2:26 - 2:31

access. So double click object access,
2:32 - 2:34

and under object access, we have to
2:34 - 2:35

enable audit
2:35 - 2:38

file system only. So double click on it.
2:38 - 2:40

Once again,
2:40 - 2:42

and here you see, click on configure the
2:42 - 2:45

following audit events,
2:45 - 2:48

and then select success and failure.
2:48 - 2:52

Success means that if someone succeeds
2:52 - 2:54

in accessing the file that or the folder
2:54 - 2:56

that you have audited,
2:56 - 2:59

it will show you and if someone tried to
2:59 - 3:01

access but couldn't do it.
3:01 - 3:04

It will also show you this is a failure.
3:04 - 3:06

So click ok here,
3:06 - 3:08

and with the group policy, we have
3:08 - 3:10

finished. So this was the first part,
3:10 - 3:13

the second part is to apply.
3:13 - 3:16

The security policy that we just enabled
3:16 - 3:18

to a certain file or folder.
3:18 - 3:22

So here I'm gonna open documents.
3:22 - 3:24

And let's say under documents, I have
3:24 - 3:26

folder called personal.
3:26 - 3:28

So let's say we have these under
3:28 - 3:29

personal,
3:29 - 3:31

and I want to audit all accesses to
3:31 - 3:32

personal.
3:32 - 3:36

So right click on it. Click properties
3:36 - 3:40

and then click security,
3:40 - 3:43

under security, click advanced,
3:43 - 3:47

under advanced, click auditing,
3:47 - 3:50

click continue. And then here you have to
3:50 - 3:51

select
3:51 - 3:54

the users you want to audit. So
3:54 - 3:58

click on add.
3:58 - 4:01

And then click on select principle, and
4:01 - 4:03

if you have a user in mind that you want
4:03 - 4:03

to audit.
4:03 - 4:06

You can select it here. So let me click
4:06 - 4:07

advanced,
4:07 - 4:10

and find now so you can select either a
4:10 - 4:11

user,
4:11 - 4:14

or you can select a group. So we have all
4:14 - 4:15

these groups here.
4:15 - 4:18

And all the users. Let's say we want to
4:18 - 4:19

audit everyone.
4:19 - 4:21

So if we want to audit everyone, we have
4:21 - 4:23

to select
4:23 - 4:26

the built-in group everyone and then
4:26 - 4:27

click ok,
4:27 - 4:30

and then click ok again. And then under
4:30 - 4:31

type, you notice
4:31 - 4:34

that success was selected by default. So
4:34 - 4:34

click
4:34 - 4:37

the drop down list. And you see, you have
4:37 - 4:37

all
4:37 - 4:40

fail and success. So select all.
4:40 - 4:43

So this way, you will audit the succeeded
4:43 - 4:44

attempts
4:44 - 4:47

on your files and folders and also the
4:47 - 4:48

failed attempts in case
4:48 - 4:51

someone who doesn't have access to this
4:51 - 4:53

folder, try to access it or to this file.
4:53 - 4:54

Of course,
4:54 - 4:56

and then afterwards here click on full
4:56 - 4:58

control,
4:58 - 5:01

and then click ok.
5:01 - 5:04

Now, if you select everyone, please note
5:04 - 5:04

that
5:04 - 5:07

also your user access will be audited. So
5:07 - 5:09

it's better to select
5:09 - 5:11

a group that doesn't contain your user,
5:11 - 5:12

or select
5:12 - 5:14

only one user. But here for the purpose
5:14 - 5:17

of this video, I selected everyone.
5:17 - 5:20

So here click ok, and then
5:20 - 5:23

ok again and now personal
5:23 - 5:26

is being audited and everything under
5:26 - 5:28

personal also is being audited.
5:28 - 5:30

So let's try to access something under
5:30 - 5:31

personal.
5:31 - 5:34

So I just entered into personal. So this
5:34 - 5:35

should be
5:35 - 5:37

logged into the event log. So I'm gonna
5:37 - 5:39

show you also how to see the event
5:39 - 5:40

viewer log,
5:40 - 5:43

and let me create a new document. So let
5:43 - 5:45

me create a bitmap image.
5:45 - 5:48

And let me delete this new text document.
5:48 - 5:52

Let me go into test. And let me also
5:52 - 5:53

create
5:53 - 5:57

here a rich text document.
5:57 - 6:00

And let's see now if all these actions
6:00 - 6:01

were logged.
6:01 - 6:03

So to see the actions, you need to go
6:03 - 6:04

into something called
6:04 - 6:07

event viewer. So event viewer, you have
6:07 - 6:08

many ways to
6:08 - 6:10

launch it. So either in the search box,
6:10 - 6:11

you can type event.
6:11 - 6:14

And it will show here you can also right
6:14 - 6:15

click the windows logo,
6:15 - 6:18

and here it is event viewer, you can
6:18 - 6:20

start computer management
6:20 - 6:23

by typing computer
6:23 - 6:27

management into the search box
6:27 - 6:29

and selecting computer management. It is
6:29 - 6:31

also under computer management. So let's
6:31 - 6:35

go with computer management,
6:35 - 6:37

and here, you have something called event
6:37 - 6:38

viewer.
6:38 - 6:40

Click on the arrow next to it to expand
6:40 - 6:41

it,
6:41 - 6:44

and under Windows logs, you have
6:44 - 6:46

something called security,
6:46 - 6:48

and this is a security log where all
6:48 - 6:50

accesses should be logged.
6:50 - 6:52

So let me click on it so here you have
6:52 - 6:54

all the accesses that were done on the
6:54 - 6:56

folder. And the files in the folder.
6:56 - 6:58

So let's see them. Let me double click
6:58 - 7:00

the first one
7:00 - 7:02

you see here under subject, you have
7:02 - 7:04

first account name.
7:04 - 7:07

So this is a account that accessed the
7:07 - 7:08

object.
7:08 - 7:11

If you're here, scroll down a little bit. You
7:11 - 7:12

see that
7:12 - 7:14

the folder test was accessed, and what
7:14 - 7:18

was the access type, keep on scrolling.
7:18 - 7:20

And you see that the access was reading
7:20 - 7:22

the attributes. So here you can click on
7:22 - 7:24

the next arrow.
7:24 - 7:26

So here, this is important. This is an
7:26 - 7:27

event saying that
7:27 - 7:30

data was written or a file was added. You
7:30 - 7:32

can click on details to see further
7:32 - 7:34

information here.
7:34 - 7:37

So we have everything here. So this is
7:37 - 7:39

here the new file that we created
7:39 - 7:43

the new rich text document.
7:43 - 7:45

And this is also important here. You see
7:45 - 7:47

that we found the event,
7:47 - 7:49

that is delete event. And also if you
7:49 - 7:51

click on details, you see what was
7:51 - 7:52

deleted.
7:52 - 7:55

So this is a text document was deleted.
7:55 - 7:57

And by whom it was deleted also, and this
7:57 - 7:59

is the most important thing.
7:59 - 8:02

So you can see here who deleted the file.
8:02 - 8:06

If you scroll up, it is this user
8:06 - 8:08

and you have the time. And you have the
8:08 - 8:10

file, and you have all the information
8:10 - 8:11

you need.
8:11 - 8:14

But as you noticed, it writes lots of
8:14 - 8:14

events.
8:14 - 8:16

So now you have to make a compromise
8:16 - 8:18

between selecting
8:18 - 8:21

one user, only to audit or a small group
8:21 - 8:22

of users
8:22 - 8:24

or everyone. So if you suspect that your
8:24 - 8:26

system is under attack,
8:26 - 8:29

it's always better to audit the everyone
8:29 - 8:30

group
8:30 - 8:32

for a short period of time. And you can
8:32 - 8:34

always increase the size of the security
8:34 - 8:35

log in event viewer.
8:35 - 8:39

So that older entries don't get
8:39 - 8:41

overwritten, if you don't see them for a
8:41 - 8:42

couple of days.
8:42 - 8:44

But I don't advise you to keep the
8:44 - 8:45

everyone group
8:45 - 8:48

auditing all the time. So let me show you
8:48 - 8:49

a little bit how to increase,
8:49 - 8:52

the volume of the security log. So here
8:52 - 8:53

let me click on close,
8:53 - 8:56

right. Click the security log here and
8:56 - 8:57

then,
8:57 - 9:00

click on properties.
9:00 - 9:02

And then under properties here, you can
9:02 - 9:04

see you have the maximum log size.
9:04 - 9:07

So here it's in kilobytes. So this is 20
9:07 - 9:10

mega. So if you want to put it,
9:10 - 9:14

200 max. So just put it here
9:14 - 9:16

200 megs. So here you have also the
9:16 - 9:18

option to overwrite events as needed,
9:18 - 9:22

meaning if you reach the maximum volume,
9:22 - 9:22

it will
9:22 - 9:26

start overwriting other events. And also
9:26 - 9:28

you can archive the log when full
9:28 - 9:30

or do not overwrite events but clear
9:30 - 9:32

load manually. But this will block your
9:32 - 9:33

system from working,
9:33 - 9:35

if the event log reaches the maximum
9:35 - 9:38

value, and you don't clear it.
9:38 - 9:40

So I advise you to keep it overwrite
9:40 - 9:44

events as needed. And keep it like this,
9:44 - 9:47

and let's click ok here. So it's only
9:47 - 9:48

telling me that
9:48 - 9:51

it will set the nearest multiple of 64k.
9:51 - 9:54

So I'm gonna click on ok. So on top of
9:54 - 9:56

accessing each event,
9:56 - 9:58

and then scrolling to see the next one,
9:58 - 9:59

you can also
9:59 - 10:02

either find an event, or filter the event.
10:02 - 10:03

So let me show you both
10:03 - 10:05

very quickly. So if you right click on
10:05 - 10:06

security here,
10:06 - 10:09

and then select filter current log and
10:09 - 10:11

herem you have a bunch of options that
10:11 - 10:13

you can choose to find the information
10:13 - 10:14

you want,
10:14 - 10:17

And the second method is to right click
10:17 - 10:19

security, and then click on find.
10:19 - 10:22

And here also you can put a string and
10:22 - 10:23

try to find it
10:23 - 10:26

in the log. So that was it. I hope you
10:26 - 10:28

enjoyed this video, and found it useful
10:28 - 10:28

if you did.
10:28 - 10:30

Please share it. Subscribe to my channel,
10:30 - 10:32

and give this video a thumbs up.
10:32 - 10:36

Until next time, thank you for watching.

Title:: Audit File & Folder Access in Windows 11 & 10
Description:: more » « less
Video Language:: English
Duration:: 10:35

	OEVIDEOS edited English subtitles for Audit File & Folder Access in Windows 11 & 10
	OEVIDEOS edited English subtitles for Audit File & Folder Access in Windows 11 & 10

English subtitles

Revisions Compare revisions

Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	2	OEVIDEOS
	1	OEVIDEOS

Audit File & Folder Access in Windows 11 & 10

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)