
Wednesday, July 24, 2019

Recently I have run across random file deletions on terminal services running on Windows 2012 R2+ servers. Typically the cause is automated A/V programs, pre-crypto (ransomware precursor) programs being installed and blocked, or even end users just hacking around. This is a great procedure to set up so you can track file manipulation and be proactive about it when managing Terminal Servers on Windows Server.

File Access Auditing Event IDs

Once you have configured the two audit settings above, you can view the actual events. To see the file access and file change events, follow the steps below.
1. Open the Run window, type the command eventvwr.msc, and click OK.

2. In the Event Viewer management console, expand the tree node Windows Logs and select Security.

3. You will now see a lot of events in the right-hand pane, but to track file access we only need to check two event IDs, 4656 and 4663. To filter to just these two events, right-click the Security node and click Filter Current Log.
4. Type the event IDs 4656 and 4663 as comma-separated values and click OK.

5. The result window now lists only file access events. Double-click any event to check what type of action was performed on the particular file.

4656: This is the first event logged when a user attempts to access the file. It gives information about what type of access the user requested; it does not tell you what access was actually performed (that is given by Event ID 4663).
4663: This event records the actual operation the user performed on a file. It tells you whether the file was created, modified, deleted, or simply accessed.
4670: This event is logged when a user changes the permissions of the file (its security descriptor / access control list). The event contains who changed the permissions and the old and new permissions.
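The same filtering the Event Viewer steps above do by hand can be scripted, which is handy when you need to watch a specific share on several terminal servers. The PowerShell below is an added example, not code from the original post: it pulls 4656, 4663 and 4670 from the Security log, flattens each event's XML data, and decodes the AccessMask so a delete shows up as DELETE (0x10000) instead of a raw hex number. The function name, parameter names and the access-flag table are my own choices (the flag values are the standard Windows file access rights); running it requires an elevated session because the Security log is only readable by administrators.

```powershell
# Added example (not from the original post): list file audit events with decoded access rights.
# Requires an elevated PowerShell session; Security log access is admin-only.

# Standard file access right bits as they appear in the AccessMask field of 4656/4663.
$AccessFlags = @{
    0x1     = 'ReadData/ListDirectory'
    0x2     = 'WriteData/AddFile'
    0x4     = 'AppendData/AddSubdirectory'
    0x40    = 'DeleteChild'
    0x80    = 'ReadAttributes'
    0x100   = 'WriteAttributes'
    0x10000 = 'DELETE'
    0x20000 = 'READ_CONTROL'
    0x40000 = 'WRITE_DAC'
    0x80000 = 'WRITE_OWNER'
}

function ConvertFrom-AccessMask {
    # Turns "0x10000" into "DELETE", "0x2" into "WriteData/AddFile", etc.
    param([string]$Mask)
    $value = [int]$Mask   # PowerShell parses the "0x..." string as hex
    $names = foreach ($entry in ($AccessFlags.GetEnumerator() | Sort-Object Key)) {
        if ($value -band $entry.Key) { $entry.Value }
    }
    if ($names) { $names -join ',' } else { $Mask }
}

function Get-FileAuditEvent {
    # Hypothetical helper: returns one object per 4656/4663/4670 event whose ObjectName matches -PathLike.
    param(
        [string]$PathLike = '*',                          # wildcard on the audited object path
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$MaxEvents = 500
    )
    $filter = @{ LogName = 'Security'; Id = 4656, 4663, 4670; StartTime = $Since }
    # SilentlyContinue: Get-WinEvent throws when nothing matches, and "no events" is a valid result here.
    foreach ($ev in Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue) {
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        if ($d.ObjectName -notlike $PathLike) { continue }
        # Registry keys and other object types also raise these IDs; keep only file-system objects.
        if ($d.ObjectType -and $d.ObjectType -ne 'File') { continue }

        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Id      = $ev.Id
            Action  = switch ($ev.Id) {
                          4656 { 'HandleRequested' }     # what the user asked for
                          4663 { 'AccessPerformed' }     # what actually happened
                          4670 { 'PermissionsChanged' }
                      }
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object  = $d.ObjectName
            Access  = if ($d.AccessMask) { ConvertFrom-AccessMask $d.AccessMask } else { 'n/a' }
            Process = $d.ProcessName
        }
    }
}

# Example: deletions and permission changes under a share over the last day (path is a placeholder).
Get-FileAuditEvent -PathLike 'D:\Shares\Finance\*' -Since (Get-Date).AddDays(-1) |
    Where-Object { $_.Id -eq 4670 -or $_.Access -match 'DELETE|WriteData|WRITE_DAC' } |
    Format-Table Time, Action, User, Access, Object, Process -AutoSize
```

Only a 4663 event with DELETE in its decoded Access column means the file was actually removed; a 4656 with the same mask just means a handle with delete rights was requested, which is why the post says to read 4656 and 4663 together. The Process column is usually the quickest way to tell an A/V engine or an installer apart from an interactive user.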
Event 4663 - Delete File (screenshot of a file access audit event, ID 4663, showing the delete operation)
