Advanced FileSystemWatcher with User Info

This blog will point you to a PowerShell script that tracks Filesystem changes by combining the native FileSystemWatcher with File&Folder Auditing.

GitHub: Download : Also contains a Docx file that has detailed instructions on setting this up.

Below is a sample log file generated by the script.

If you have ever dealt with FileSystemWatcher, you might have noticed that it does not track who has made the changes. I was frustrated to learn that a much needed functionality such as tracking the user was left out of that dll. All the blogs advised me to use File and Folder auditing.

If you have ever looked at the Audit logs, you will realize that every change on the file system creates about 25 to 30 entries. Using a script to parse them, while not impossible, is hard to wrap your head around because you have to deal with access masks and Event IDs to determine the change type [e.g. Create, Delete, Rename, Modify]. Even then, it is not straight forward as the same events and masks are generated for different change type. SO you will end up having to look for them occurring in a certain order to determine the change. In my book, that is more complicated than it need to be. All I need is the user who made the change.

So, I combined the power of the 2 and put them together. The FileSystemWatcher would tell me the ChangeType and I would simply read the Audit logs for the user information after ascertaining the correct set of logfiles to read.

The script linked above, will automatically do the following in addition to setting up FileSystemWatcher.

  1. Set the Auditing in secpol.msc
  2. Set auditing for the Folders mentioned in the csv file
  3. Create a scheduled Task that will run under the System user to monitor File System events.

NOTE: While the script is not as fast as the native FSW, owing to the time it takes to read the logs, it is still pretty good. To improve the logread time, I have made use of Get-Winevent along with FilterXML. In my experiments, that seemed to be the fastest.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s