Audit File & Folder Access in Windows 11 & 10

Rollback to version 1

0:00 - 0:02

in this video i want to show you how to
0:02 - 0:04

find out who accessed your files and
0:04 - 0:05

folders
0:05 - 0:07

or even try to access your files and
0:07 - 0:09

folders in windows 10
0:09 - 0:12

by enabling object auditing on your
0:12 - 0:16

files and folders
0:16 - 0:18

before we begin please note that this
0:18 - 0:20

applies only to windows 10
0:20 - 0:23

pro enterprise and education
0:23 - 0:27

and the file system should be ntfs
0:27 - 0:29

so if you have windows 10 home it
0:29 - 0:31

doesn't work on windows 10 home
0:31 - 0:34

now that being said and because what i'm
0:34 - 0:36

going to show you uses group policy
0:36 - 0:38

management or security policy management
0:38 - 0:40

which is a subset of group policy
0:40 - 0:42

management there are out there some
0:42 - 0:44

batch files and some scripts
0:44 - 0:47

that can enable this on windows 10 home
0:47 - 0:49

but this is not officially supported by
0:49 - 0:50

microsoft
0:50 - 0:52

so here i'm gonna show you only the
0:52 - 0:53

supported method
0:53 - 0:55

there are three easy steps to achieve
0:55 - 0:56

this the first step
0:56 - 0:59

is to enable object access auditing on
0:59 - 1:01

your windows 10 pc
1:01 - 1:03

the second step is to configure auditing
1:03 - 1:05

on the selected files and folders
1:05 - 1:08

and the third step is simply viewing the
1:08 - 1:09

audit log
1:09 - 1:11

so let's start with step 1 which is
1:11 - 1:14

enabling object access auditing in
1:14 - 1:15

windows 10
1:15 - 1:17

so on your windows 10 pc start group
1:17 - 1:18

policy editor
1:18 - 1:21

so click in your search box and type
1:21 - 1:22

group
1:22 - 1:27

space poll and here you see group policy
1:27 - 1:29

alternatively you can start only
1:29 - 1:30

security policy which leads
1:30 - 1:32

only to the security settings of the
1:32 - 1:34

computer but here i'm showing you group
1:34 - 1:35

policy
1:35 - 1:37

so let me enlarge this a little bit so
1:37 - 1:39

that you can see
1:39 - 1:42

and here under group policy you see that
1:42 - 1:44

you have local computer policy which is
1:44 - 1:45

your computer
1:45 - 1:47

and you have two branches computer
1:47 - 1:49

configuration and user configuration
1:49 - 1:51

the one that is of interest to us is
1:51 - 1:53

computer configuration
1:53 - 1:55

and then under computer configuration
1:55 - 1:56

you have windows settings
1:56 - 1:59

click on it to expand it and then you
1:59 - 2:01

have security settings
2:01 - 2:04

also click on it to expand it and you
2:04 - 2:06

have under security settings
2:06 - 2:08

something called advanced audit policy
2:08 - 2:09

configuration
2:09 - 2:13

so here also click on the small arrow
2:13 - 2:16

next to it just to expand it
2:16 - 2:19

and then click on system audit policies
2:19 - 2:23

and you have a bunch of things here
2:23 - 2:25

the one that is of interest to us is
2:25 - 2:26

object
2:26 - 2:31

access so double click object access
2:32 - 2:34

and under object access we have to
2:34 - 2:35

enable audit
2:35 - 2:38

file system only so double click on it
2:38 - 2:40

once again
2:40 - 2:42

and here you see click on configure the
2:42 - 2:45

following audit events
2:45 - 2:48

and then select success and failure
2:48 - 2:52

success means that if someone succeeds
2:52 - 2:54

in accessing the file that or the folder
2:54 - 2:56

that you have audited
2:56 - 2:59

it will show you and if someone tried to
2:59 - 3:01

access but couldn't do it
3:01 - 3:04

it will also show you this is a failure
3:04 - 3:06

so click ok here
3:06 - 3:08

and with the group policy we have
3:08 - 3:10

finished so this was the first part
3:10 - 3:13

the second part is to apply
3:13 - 3:16

the security policy that we just enabled
3:16 - 3:18

to a certain file or folder
3:18 - 3:22

so here i'm gonna open documents
3:22 - 3:24

and let's say under documents i have
3:24 - 3:26

folder called personal
3:26 - 3:28

so let's say we have these under
3:28 - 3:29

personal
3:29 - 3:31

and i want to audit all accesses to
3:31 - 3:32

personal
3:32 - 3:36

so right click on it click properties
3:36 - 3:40

and then click security
3:40 - 3:43

under security click advanced
3:43 - 3:47

under advanced click auditing
3:47 - 3:50

click continue and then here you have to
3:50 - 3:51

select
3:51 - 3:54

the users you want to audit so
3:54 - 3:58

click on add
3:58 - 4:01

and then click on select principle and
4:01 - 4:03

if you have a user in mind that you want
4:03 - 4:03

to audit
4:03 - 4:06

you can select it here so let me click
4:06 - 4:07

advanced
4:07 - 4:10

and find now so you can select either a
4:10 - 4:11

user
4:11 - 4:14

or you can select a group so we have all
4:14 - 4:15

these groups here
4:15 - 4:18

and all the users let's say we want to
4:18 - 4:19

audit everyone
4:19 - 4:21

so if we want to audit everyone we have
4:21 - 4:23

to select
4:23 - 4:26

the built-in group everyone and then
4:26 - 4:27

click ok
4:27 - 4:30

and then click ok again and then under
4:30 - 4:31

type you notice
4:31 - 4:34

that success was selected by default so
4:34 - 4:34

click
4:34 - 4:37

the drop down list and you see you have
4:37 - 4:37

all
4:37 - 4:40

fail and success so select all
4:40 - 4:43

so this way you will audit the succeeded
4:43 - 4:44

attempts
4:44 - 4:47

on your files and folders and also the
4:47 - 4:48

failed attempts in case
4:48 - 4:51

someone who doesn't have access to this
4:51 - 4:53

folder try to access it or to this file
4:53 - 4:54

of course
4:54 - 4:56

and then afterwards here click on full
4:56 - 4:58

control
4:58 - 5:01

and then click ok
5:01 - 5:04

now if you select everyone please note
5:04 - 5:04

that
5:04 - 5:07

also your user access will be audited so
5:07 - 5:09

it's better to select
5:09 - 5:11

a group that doesn't contain your user
5:11 - 5:12

or select
5:12 - 5:14

only one user but here for the purpose
5:14 - 5:17

of this video i selected everyone
5:17 - 5:20

so here click ok and then
5:20 - 5:23

ok again and now personal
5:23 - 5:26

is being audited and everything under
5:26 - 5:28

personal also is being audited
5:28 - 5:30

so let's try to access something under
5:30 - 5:31

personal
5:31 - 5:34

so i just entered into personal so this
5:34 - 5:35

should be
5:35 - 5:37

logged into the event log so i'm gonna
5:37 - 5:39

show you also how to see the event
5:39 - 5:40

viewer log
5:40 - 5:43

and let me create a new document so let
5:43 - 5:45

me create a bitmap image
5:45 - 5:48

and let me delete this new text document
5:48 - 5:52

let me go into test and let me also
5:52 - 5:53

create
5:53 - 5:57

here a rich text document
5:57 - 6:00

and let's see now if all these actions
6:00 - 6:01

were logged
6:01 - 6:03

so to see the actions you need to go
6:03 - 6:04

into something called
6:04 - 6:07

event viewer so event viewer you have
6:07 - 6:08

many ways to
6:08 - 6:10

launch it so either in the search box
6:10 - 6:11

you can type event
6:11 - 6:14

and it will show here you can also right
6:14 - 6:15

click the windows logo
6:15 - 6:18

and here it is event viewer you can
6:18 - 6:20

start computer management
6:20 - 6:23

by typing computer
6:23 - 6:27

management into the search box
6:27 - 6:29

and selecting computer management it is
6:29 - 6:31

also under computer management so let's
6:31 - 6:35

go with computer management
6:35 - 6:37

and here you have something called event
6:37 - 6:38

viewer
6:38 - 6:40

click on the arrow next to it to expand
6:40 - 6:41

it
6:41 - 6:44

and under windows logs you have
6:44 - 6:46

something called security
6:46 - 6:48

and this is a security log where all
6:48 - 6:50

accesses should be logged
6:50 - 6:52

so let me click on it so here you have
6:52 - 6:54

all the accesses that were done on the
6:54 - 6:56

folder and the files in the folder
6:56 - 6:58

so let's see them let me double click
6:58 - 7:00

the first one
7:00 - 7:02

you see here under subject you have
7:02 - 7:04

first account name
7:04 - 7:07

so this is a account that accessed the
7:07 - 7:08

object
7:08 - 7:11

if you here scroll down a little bit you
7:11 - 7:12

see that
7:12 - 7:14

the folder test was accessed and what
7:14 - 7:18

was the access type keep on scrolling
7:18 - 7:20

and you see that the access was reading
7:20 - 7:22

the attributes so here you can click on
7:22 - 7:24

the next arrow
7:24 - 7:26

so here this is important this is an
7:26 - 7:27

event saying that
7:27 - 7:30

data was written or a file was added you
7:30 - 7:32

can click on details to see further
7:32 - 7:34

information here
7:34 - 7:37

so we have everything here so this is
7:37 - 7:39

here the new file that we created
7:39 - 7:43

the new rich text document
7:43 - 7:45

and this is also important here you see
7:45 - 7:47

that we found the event
7:47 - 7:49

that is delete event and also if you
7:49 - 7:51

click on details you see what was
7:51 - 7:52

deleted
7:52 - 7:55

so this is a text document was deleted
7:55 - 7:57

and by whom it was deleted also and this
7:57 - 7:59

is the most important thing
7:59 - 8:02

so you can see here who deleted the file
8:02 - 8:06

if you scroll up it is this user
8:06 - 8:08

and you have the time and you have the
8:08 - 8:10

file and you have all the information
8:10 - 8:11

you need
8:11 - 8:14

but as you noticed it writes lots of
8:14 - 8:14

events
8:14 - 8:16

so now you have to make a compromise
8:16 - 8:18

between selecting
8:18 - 8:21

one user only to audit or a small group
8:21 - 8:22

of users
8:22 - 8:24

or everyone so if you suspect that your
8:24 - 8:26

system is under attack
8:26 - 8:29

it's always better to audit the everyone
8:29 - 8:30

group
8:30 - 8:32

for a short period of time and you can
8:32 - 8:34

always increase the size of the security
8:34 - 8:35

log in event viewer
8:35 - 8:39

so that older entries don't get
8:39 - 8:41

overwritten if you don't see them for a
8:41 - 8:42

couple of days
8:42 - 8:44

but i don't advise you to keep the
8:44 - 8:45

everyone group
8:45 - 8:48

auditing all the time so let me show you
8:48 - 8:49

a little bit how to increase
8:49 - 8:52

the volume of the security log so here
8:52 - 8:53

let me click on close
8:53 - 8:56

right click the security log here and
8:56 - 8:57

then
8:57 - 9:00

click on properties
9:00 - 9:02

and then under properties here you can
9:02 - 9:04

see you have the maximum log size
9:04 - 9:07

so here it's in kilobytes so this is 20
9:07 - 9:10

meg so if you want to put it
9:10 - 9:14

200 max so just put it here
9:14 - 9:16

200 megs so here you have also the
9:16 - 9:18

option to overwrite events as needed
9:18 - 9:22

meaning if you reach the maximum volume
9:22 - 9:22

it will
9:22 - 9:26

start overwriting other events and also
9:26 - 9:28

you can archive the log when full
9:28 - 9:30

or do not overwrite events but clear
9:30 - 9:32

load manually but this will block your
9:32 - 9:33

system from working
9:33 - 9:35

if the event log reaches the maximum
9:35 - 9:38

value and you don't clear it
9:38 - 9:40

so i advise you to keep it overwrite
9:40 - 9:44

events as needed and keep it like this
9:44 - 9:47

and let's click ok here so it's only
9:47 - 9:48

telling me that
9:48 - 9:51

it will set the nearest multiple of 64k
9:51 - 9:54

so i'm gonna click on ok so on top of
9:54 - 9:56

accessing each event
9:56 - 9:58

and then scrolling to see the next one
9:58 - 9:59

you can also
9:59 - 10:02

either find an event or filter the event
10:02 - 10:03

so let me show you both
10:03 - 10:05

very quickly so if you right click on
10:05 - 10:06

security here
10:06 - 10:09

and then select filter current log and
10:09 - 10:11

here you have a bunch of options that
10:11 - 10:13

you can choose to find the information
10:13 - 10:14

you want
10:14 - 10:17

and the second method is to right click
10:17 - 10:19

security and then click on find
10:19 - 10:22

and here also you can put a string and
10:22 - 10:23

try to find it
10:23 - 10:26

in the log so that was it i hope you
10:26 - 10:28

enjoyed this video and found it useful
10:28 - 10:28

if you did
10:28 - 10:30

please share it subscribe to my channel
10:30 - 10:32

and give this video a thumbs up
10:32 - 10:36

until next time thank you for watching

Title:: Audit File & Folder Access in Windows 11 & 10
Description:: more » « less
Video Language:: English
Duration:: 10:35

	OEVIDEOS edited English subtitles for Audit File & Folder Access in Windows 11 & 10
	OEVIDEOS edited English subtitles for Audit File & Folder Access in Windows 11 & 10

English subtitles

Revisions Compare revisions

Revision 2 Edited

OEVIDEOS
Revision 1 Uploaded

OEVIDEOS

	Revision Number	Author	Created
	2	OEVIDEOS
	1	OEVIDEOS

Audit File & Folder Access in Windows 11 & 10

Revisions Compare revisions

Our website uses cookies

Operating cookies (Required)