Get username that deletes a file

  • Question

  • Hi,

    I've followed some examples about monitoring file changes using PowerShell.

    I want to monitor a folder where lots of users have modify access. Sometimes files are deleted that should not be deleted, so I wanted to monitor when files are deleted. The script then updates a .txt log file and sends a mail to the admins of the shared folder. I don't want mails or log entries when a temporary Office file is deleted, so I've tried to filter it with IF/ELSE. I could not get $watcher.Filter to do what I wanted, but that might be because I'm a PowerShell rookie.

    Now this all works very fine and all, but what would top things off would be if there is a way to get the username of the user causing the filesystem change.

    Is that possible?


    Tuesday, September 18, 2012 10:59 AM

Answers

  • You should be using file auditing.  This will capture all deletions to the event log, along with user information.  It is foolish to try and do it with a script.

    Open the security wizard for the folder in question, select Advanced and click the Audit tab.  Follow the instructions.

    You can then use a script to extract a report from the event log with the required information.  In Windows Vista and later you can have the event emailed to you when it happens by just attaching a task to the event ID.


    ¯\_(ツ)_/¯

    • Proposed as answer by Bigteddy Tuesday, September 18, 2012 12:59 PM
    • Marked as answer by IamMred Thursday, September 20, 2012 10:36 PM
    Tuesday, September 18, 2012 12:12 PM

All replies

  • So it's a downright foolish idea? Good lord, I thought it was awesome, but if it can't be done then it... can't be done.

    I've already configured auditing and expanded the size of the event logs. Sometimes we need to go quite a bit back in time.

    Anyway, as I think I already stated above, I'm not really interested in receiving a mail whenever a ~$*.* file is deleted or a *.tmp file is deleted. So using event log tasks is pretty much out of the question.

    I have been wondering if I should just use Get-EventLog and filter the results, but I was just wondering if there was an easier way, whether it could be done by watching a WMI event or something clever.

    Tuesday, September 18, 2012 1:44 PM
  • If you've got specific files that you want to audit for deletion, set the SACL to log just deletes, on just those files.


    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Tuesday, September 18, 2012 1:57 PM
    Moderator
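The auditing setup described in the accepted answer (SACL on the shared folder) and in the moderator's reply (SACL for deletes only, on just specific files) can both be done from PowerShell with one function. This is an added example, not code from the thread; the paths under `D:\Shares\Projects` and the `Enable-DeleteAudit` function name are assumptions. It must run in an elevated session, because reading or writing a SACL needs SeSecurityPrivilege, and the "File System" audit subcategory must be turned on or the SACL is silently ignored.

```powershell
# Added example (not from the thread): put a Delete-only SACL on a folder or a single file.
# Assumed placeholder paths; run elevated.

function Enable-DeleteAudit {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Identity = 'Everyone'     # who to audit; 'Everyone' catches all users
    )

    $isFolder = Test-Path -Path $Path -PathType Container

    if ($isFolder) {
        # Folder: audit delete of the folder and of anything inside it, inherited downwards
        $rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
        $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    } else {
        # Single file: only the Delete right, no inheritance (this is the moderator's "just those files" case)
        $rights  = [System.Security.AccessControl.FileSystemRights]::Delete
        $inherit = [System.Security.AccessControl.InheritanceFlags]::None
    }

    # Success only: a failed delete attempt is a permissions problem, not a lost file
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity,
        $rights,
        $inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)

    # -Audit is required so Get-Acl/Set-Acl touch the SACL and not only the DACL
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Per-object SACLs do nothing unless this subcategory is enabled machine-wide
auditpol /set /subcategory:"File System" /success:enable

# 2. Audit the whole share (accepted answer) ...
Enable-DeleteAudit -Path 'D:\Shares\Projects'

# ... or only the handful of files that matter (moderator's suggestion)
Enable-DeleteAudit -Path 'D:\Shares\Projects\Budget.xlsx'

# 3. Verify what landed in the SACL
(Get-Acl -Path 'D:\Shares\Projects' -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Once this is in place, a deletion produces Security event 4663 ("An attempt was made to access an object") with Accesses: DELETE, the full Object Name, and the Subject (user) fields; the companion 4660 ("An object was deleted") only carries a handle ID, so 4663 is the one to report on.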
  • You don't have to get an email.  The event log can run a script and log the event or any other thing.  The easiest thing is to just write a script to extract the events that are logged and list the information.

    DO NOT set auditing on for more than a small set of folders with minimal activity, and audit only the events that you actually want to record, such as file deletions.

    Microsoft Office temp files are automatically deleted by the Office programs and are locked by the programs when they are running.  You should not muck with these files.  Monitoring them will tell you nothing of interest other than that they are created and deleted when documents are opened and closed.  You can control the temp file allocation by some settings inside the Office programs.

    Get-EventLog is the easiest way to acquire this information.  You shouldn't even need a script or, at least, no more than one line of PowerShell code.  Just stick it in a batch file and go.


    ¯\_(ツ)_/¯

    Tuesday, September 18, 2012 2:05 PM
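The extraction script the last reply recommends, with the Office temp-file filtering the original poster asked for, as an added example (not code from the thread). It uses Get-WinEvent with a filter hashtable rather than Get-EventLog, since that is the faster way to query the Security log by event ID and time; the share path, log file, mail addresses and SMTP server are placeholders.

```powershell
# Added example, not from the thread. Reports who deleted which files under a share,
# skipping Office lock/temp files, and appends the result to a log and mails it.
# Assumes Delete auditing is already enabled on the folder (SACL + "File System" subcategory).
$share   = 'D:\Shares\Projects'              # assumed placeholder
$logFile = 'C:\Logs\deletions.txt'           # assumed placeholder
$since   = (Get-Date).AddHours(-1)           # run this from a scheduled task every hour

# 4663 carries Object Name and the Subject fields; 4660 has only a handle ID, so it is useless here
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$deletes = foreach ($e in $events) {
    # Flatten the EventData section of the event XML into a name -> value table
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    # Keep only DELETE access (bit 0x10000 of AccessMask); other 4663s are reads, writes, etc.
    if ((-not $d.AccessMask) -or (([int]$d.AccessMask) -band 0x10000) -eq 0) { continue }
    if ($d.ObjectType -ne 'File' -or $d.ObjectName -notlike "$share\*") { continue }

    # Drop Office lock files (~$Report.docx) and *.tmp scratch files, which Office creates and deletes itself
    $leaf = Split-Path -Path $d.ObjectName -Leaf
    if ($leaf -like '~$*' -or $leaf -like '*.tmp') { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        File    = $d.ObjectName
        Process = $d.ProcessName
    }
}

if ($deletes) {
    $report = $deletes | Sort-Object Time | Format-Table -AutoSize | Out-String
    Add-Content -Path $logFile -Value $report
    # Placeholder mail settings
    Send-MailMessage -From 'audit@example.com' -To 'share-admins@example.com' `
        -Subject "Deletions under $share since $since" -Body $report -SmtpServer 'smtp.example.com'
}
```

Two caveats a practitioner should expect. First, the SubjectUserName in 4663 is the account that opened the handle on the file server, so for a share accessed over SMB it is the remote user, which is what the question wants; for a deletion done by a service or script it will be that service account. Second, the filter on `~$*` and `*.tmp` removes the lock and scratch files, but saving an Office document can itself go through a delete-and-rename of the original file, so a successful save may still show up as a DELETE on the real document name; the Process field in the report helps tell those apart from a user deleting the file in Explorer.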