File Access Auditing Event IDs
Once you configured above two settings, now you can see the actual events, to view the file access and file change events, follow the below steps.1. Open the Run window, type the command eventvwr.msc, and click OK.
2. You can see the Event Viewer Management Console, expand the tree node Windows Logs and select Security.
3. Now, you can see lot of events in right-hand side window, but to track file access, we need to check only two event ids, 4656 and 4663. To filter only these two events, right-click on the Security node and click Filter Current Log.
4. Type the event ids 4656 and 4663 as comma separated values and click.
5. Now, result window lists only file access events, you can double-click on any event and check what type action made on the particular file.
4656: This is the first event logged when an user attempts to access the file, this event gives information about what type of access was requested by the user and it will not give info about what type access actually made by user (which is given by the Event ID 4663).
4663: This event gives the info of what type actual operation is done by user on a file. it tells whether the file was created, modified, deleted, or it simply accessed,
4670: This event logged when user changes the permission of the file (security control list). The event contains the information, who changed the permissions, old and new permissions.
Event 4663 - Delete File Event Source:
Rarest Vegas casino - DrmCD
ReplyDeleteThe Rarest Vegas 포항 출장안마 casino. 김제 출장안마 Casino Name: Las Vegas Casino, Las Vegas, Nevada. Casino type: 과천 출장안마 Mobile, Tablet, 용인 출장마사지 Mobile. Online 경상남도 출장샵 Since: 2013.