Thread: Get username who changed a file/directory which is configured to notify

  1. #1
    Registered User
    Join Date
    Feb 2011
    Posts
    4

    Hi,

    As far as I know, no operating system reports, stores or holds information about the user who changed a file/directory. But by writing a file system filter driver we can fetch the name of the user who changed a file/directory. This is kernel-mode programming. I can't do that (management will feel it is risky). I want to do that from user mode. I need some Windows API to get user details when someone changes a file/directory. I looked at many APIs, but I found none useful.
    If someone has an idea about this, please let me know. I hope some undocumented Windows APIs can do this.

  2. #2
    Banned
    Join Date
    Aug 2010
    Location
    Ontario Canada
    Posts
    9,547
    This would have to come from the ACLs for the particular directory/file...

    On a free standing PC it's pretty easy... Who was logged in at the time the file was changed?

    On a network or domain it's a little bit of detective work... since you now have to track down which PC changed the file (from logs) and who was logged on at the time.

  3. #3
    Registered User
    Join Date
    Feb 2011
    Posts
    4

    Thanks CommonTater.

    Originally posted by CommonTater:
    On a free standing PC it's pretty easy... Who was logged in at the time the file was changed?

    Yes. I am currently doing it like that. But that is not accurate: if two users are logged on to a system, how do I know which user made the change? I will get two user names. So I need something accurate.

    Originally posted by CommonTater:
    On a network or domain it's a little bit of detective work... since you now have to track down which PC changed the file (from logs) and who was logged on at the time.

    Actually, by enabling the audit log in Windows and configuring the particular directory/file for audit logging, I can see in the event logs the user who changed the file/directory. But I can't do that; it will overfill the event logs. That's not suitable for me. My requirement is to get the user name without changing any security policies or configuration. It is possible to do it the same way Windows collects the user name when the audit policy is enabled and the directory is configured.
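
An added example, not part of the original thread: the audit-log approach described in post #3. Each file-access audit record (Security event 4663) names the account and logon session, which is what separates two users logged on at once. It assumes the events were exported as XML (for example with `wevtutil qe Security /f:xml`); the helper names, accounts, paths and sample events are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# File access-right bits that mean "modified" (values from winnt.h).
WRITE_BITS = {0x2: "WriteData", 0x4: "AppendData", 0x10: "WriteEA",
              0x100: "WriteAttributes", 0x10000: "DELETE",
              0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}

def who_changed(events_xml, path_prefix):
    """Return (time, user, logon id, path, rights) per write-class 4663 event."""
    root = ET.fromstring("<Events>" + events_xml + "</Events>")
    hits = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4663":
            continue
        data = {d.get("Name"): d.text or ""
                for d in ev.findall("e:EventData/e:Data", NS)}
        path = data.get("ObjectName", "")
        if not path.lower().startswith(path_prefix.lower()):
            continue
        mask = int(data.get("AccessMask", "0x0"), 16)
        rights = [name for bit, name in WRITE_BITS.items() if mask & bit]
        if not rights:
            continue  # read-only access is not a change
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        user = data.get("SubjectDomainName", "") + "\\" + data.get("SubjectUserName", "")
        hits.append((when, user, data.get("SubjectLogonId", ""), path, rights))
    return hits

def _event(eid, when, user, logon, path, mask):
    """Build one constructed event with only the fields used above."""
    fields = {"SubjectUserName": user, "SubjectDomainName": "CORP",
              "SubjectLogonId": logon, "ObjectName": path, "AccessMask": mask}
    body = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in fields.items())
    return (f"<Event xmlns='{NS['e']}'><System><EventID>{eid}</EventID>"
            f"<TimeCreated SystemTime='{when}'/></System>"
            f"<EventData>{body}</EventData></Event>")

# Constructed sample: alice and bob are logged on at the same time.
SAMPLE = "".join([
    _event(4663, "2011-02-14T09:15:02Z", "alice", "0x3e7a1", r"C:\Shared\report.txt", "0x2"),
    _event(4663, "2011-02-14T09:15:04Z", "bob", "0x4b210", r"C:\Shared\report.txt", "0x1"),
    _event(4663, "2011-02-14T09:16:30Z", "bob", "0x4b210", r"C:\Shared\old.txt", "0x10000"),
    _event(4663, "2011-02-14T09:17:00Z", "alice", "0x3e7a1", r"C:\Other\notes.txt", "0x2"),
    _event(4656, "2011-02-14T09:17:05Z", "bob", "0x4b210", r"C:\Shared\report.txt", "0x2"),
])

if __name__ == "__main__":
    print(*who_changed(SAMPLE, "C:\\Shared\\"), sep="\n")
```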

  4. #4
    Banned
    Join Date
    Aug 2010
    Location
    Ontario Canada
    Posts
    9,547
    The only honest answer I can give you is ... Not that I know of.

    Perhaps the others know something I don't (in fact I'm pretty sure they do)...
