Windows Audit: no security filesystem audit event for folder creation when it is created from command line

  • Question

  • I am using Windows native audit on Windows 10 and Windows Server to detect file/folder creation, modify, rename, delete, etc., and the Windows audit is not something reliable: although I set up audit permissions for Everyone and create folders, it doesn't report anything. How can I detect from Windows audit that a folder is created?

    1. There is no event in the security events when a folder is created from PowerShell/cmd (mkdir folder).

    2. When the folder is created from explorer.exe, there is an event 4663 with access mask AppendData (or AddSubdirectory or CreatePipeInstance) of the parent folder, but it doesn't tell you which folder was created.

    How is it possible that Windows audit can't detect these events even if I have set up folder auditing for Everyone and for all permissions (create folders, etc.)? What is the right way to audit folder creation?

    Friday, June 19, 2020 4:50 PM

All replies