How to track when someone accesses a folder on your computer / Windows XP

There is a small feature built into Windows that allows you to track when someone views, edits, or deletes something in a specified folder. So, if there is a folder or file for which you want to know who is accessing it, this is the built-in method, with no third-party software required.

This feature is part of a Windows security feature called Group Policy, which is used by most IT professionals who manage computers on a corporate network through servers. However, it can also be used locally on a PC without any server. The only downside to using Group Policy is that it's not available in lower editions of Windows. For Windows 7, you need Windows 7 Professional or later. For Windows 8, you need Pro or Enterprise.

The term Group Policy basically refers to a set of registry settings that can be controlled through a graphical user interface. You turn various settings on or off, and these tweaks are then updated in the Windows registry.

In Windows XP, to open the policy editor, click Start and then Run. In the text box, type gpedit.msc without any quotes.

In Windows 7, just click the Start button and type gpedit.msc in the search box at the bottom of the Start Menu. In Windows 8, go to the Start Screen and start typing, or move your mouse pointer to the top or bottom right corner of the screen to open the Charms bar and click Search. Then just type gpedit. The Group Policy editor should now open.

There are two main types of policies: User and Computer. As you might have guessed, the user policies control the settings for each user, whereas the computer policies are system-wide settings and affect all users. In our case, we want our settings to apply to all users, so we'll expand the Computer Configuration section.

Continue expanding to Windows Settings -> Security Settings -> Local Policies -> Audit Policy. I won't elaborate much on the other settings here, as this article focuses on auditing a folder. You should now see a set of policies and their current settings on the right-hand side. The audit policy is what controls whether the operating system is configured and ready to track changes.


Now check the setting for Audit object access by double-clicking on it and selecting both Success and Failure. Click OK, and we're done with the first part, which tells Windows we want it ready to track changes. The next step is to tell it EXACTLY what we want to track. You can close the Group Policy editor now.

Now use Windows Explorer to navigate to the folder that you want to monitor. In Explorer, right-click on the folder and click Properties. Click the Security tab.

Now click Advanced and click the Auditing tab. This is where we actually configure what we want to monitor for this folder.

Go ahead and click the Add button. A dialog box will appear asking you to select a user or group. In the box, enter the word users and click Check Names. The box will automatically update with the name of the Users group local to your computer in the form COMPUTER\Users.

Click OK and you will get another dialog called Auditing Entry for X. This is the real meat of what we've been wanting to do. This is where you choose what you want to watch for in this folder. You can individually select each type of activity you want to track, such as deleting or creating a new file or folder. To make things easier, I recommend selecting Full Control, which will automatically select all the other options below it. Do this for both Success and Failure. This way, whatever is done to that folder or the files in it, you will have a log.


Now click OK, then OK again, and OK one more time to exit the stacked dialog boxes. You have now successfully configured auditing on a folder! So you may ask, how do you view the events?

To view events, go to Control Panel and click on Administrative Tools. Then open Event Viewer. Click Security and you will see a large list of events on the right-hand side.

If you go ahead and create a file, or just open the folder, and then click the Refresh button in Event Viewer (the one with the two green arrows), you'll see a bunch of events in the File System category. They cover any delete, create, read, or write operations on the folders and files you are auditing. In Windows 7, everything shows up under the File System task category, so to see what happened, you'll have to click on each item and scroll through it.

To make it easier to get through a large number of events, you can set a filter and view only the important ones. Click the View menu at the top and click Filter. If there is no Filter option, right-click on the Security log in the left pane and select Filter Current Log. In the Event ID box, enter the number 4656. This is the event associated with a specific user performing a File System action, and it will give you the relevant information without having to go through thousands of entries.

If you want more information about an event, just double-click it to view it.

Here is the information from the above screen:

A handle for an object has been requested.

Security ID: Aseem-Lenovo\Aseem
Account Name: Aseem
Account Domain: Aseem-Lenovo
Logon ID: 0x175a1

Object Server: Security
Object Type: File
Object Name: C:\Users\Aseem\Desktop\Tufu\New Text Document.txt
Handle ID: 0x16a0

Process Information:
Process ID: 0x820
Process Name: C:\Windows\explorer.exe

Access request information:
Transaction ID: 00000000-0000-0000-0000-000000000000
Access: DELETE

In the example above, the file being accessed was New Text Document.txt in the Tufu folder on my desktop, and the accesses I requested were DELETE followed by SYNCHRONIZE. What I did here was delete the file. Here is another example:


Object Type: File
Object Name: C:\Users\Aseem\Desktop\Tufu\Address Label.docx
Handle ID: 0x178

Process Information:
Process ID: 0x1008
Process Name: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

Access request information:
Transaction ID: 00000000-0000-0000-0000-000000000000
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)

Access reason: READ_CONTROL: Granted by ownership
SUMMARY: Issued by D:(A;ID;FA;;;S-1-5-21-597862309-2018615179-2090787082-1000)

As you read through this, you can see that I accessed Address Label.docx with the WINWORD.EXE program, that my accesses include READ_CONTROL, and that my access reason is also READ_CONTROL. Usually you'll see several more accesses, but focus only on the first, because that's usually the main type of access. In this case, I just opened the file with Word. It takes a bit of experimentation and reading through the events to understand what's going on, but once you've got it down, it's a very reliable system. I recommend creating a test folder with some files and performing different actions to see what shows up in Event Viewer.

That's about it! A fast and free way to track access or changes to a folder!
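
The same three steps (enable the audit policy, add an audit entry for Users on the folder, read event 4656) scripted in PowerShell, as an added example that is not part of the original article. The folder C:\AuditTest and the helper name ConvertFrom-AccessMask are assumptions made for illustration; run it from an elevated prompt on a test folder.

```powershell
# Hypothetical test folder; create it first and run this elevated.
$Folder = 'C:\AuditTest'

# Step 1: equivalent of ticking Success and Failure on "Audit object access".
# Category names are localized; "Object Access" is the English name.
auditpol /set /category:"Object Access" /success:enable /failure:enable

# Step 2: audit entry for the local Users group, Full Control, Success and
# Failure, inherited by subfolders and files (same as the Auditing tab).
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'BUILTIN\Users', 'FullControl',
    'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Access-mask bits behind the access names that appear in the event text.
$Rights = @{
    0x1     = 'ReadData (or ListDirectory)'
    0x2     = 'WriteData (or AddFile)'
    0x4     = 'AppendData (or AddSubdirectory)'
    0x10000 = 'DELETE'; 0x20000 = 'READ_CONTROL'; 0x100000 = 'SYNCHRONIZE'
}
function ConvertFrom-AccessMask([uint32]$Mask) {
    ($Rights.Keys | Sort-Object | Where-Object { $Mask -band $_ } |
        ForEach-Object { $Rights[$_] }) -join ', '
}

# Step 3: read event 4656 from the Security log and keep only the audited
# folder, showing who, which process, which object, and which accesses.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656 } `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        $d = @{}   # EventData name/value pairs from the event XML
        foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $d[$n.Name] = $n.'#text'
        }
        if ($d.ObjectName -like "$Folder\*") {
            [pscustomobject]@{
                Time     = $evt.TimeCreated
                User     = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                Process  = $d.ProcessName
                Object   = $d.ObjectName
                Accesses = ConvertFrom-AccessMask ([Convert]::ToUInt32($d.AccessMask, 16))
            }
        }
    } | Format-Table -AutoSize
```

Running `auditpol /get /category:"Object Access"` afterwards confirms the policy took effect, and `(Get-Acl $Folder -Audit).Audit` lists the audit entries now on the folder.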
