Enable File Access Auditing in Windows


In this article I am going to explain File System Access Auditing and how to enable it in a
Windows environment. In some places File Access Auditing is referred to as File Server Access
Auditing, File System Change Auditing or File Share Change Auditing; all of these terms are
used interchangeably here.
Summary:
1. File System/File Server Access Auditing Introduction
2. File System Access Audit Event IDs
3. Steps to Enable File Access Auditing Event IDs via new Group Policy
4. Enable File Access Auditing to Specific File Servers
5. Steps to Enable File Access Security Audit
6. Steps to Enable File Access Auditing using Auditpol command line tool

File Access/File Share Access Auditing Introduction:
In every organisation, sharing files and documents with users over the network is inevitable.
For security reasons, access to certain files and folders should be granted only to a specific
set of users. However, permissions can never be matched perfectly to users, so auditing file and
folder access is essential for any organisation. The possible accesses are File Create/Add,
File Delete, File Open, File Copy, File Rename, File Move, File Access, File Permission Change
and File Access failures. These accesses can be tracked through the File Share Audit Event IDs,
which are controlled by the Audit Policy and by the File Security Audit settings (the audit
entries on the folder itself). So to get these event logs you need to enable the Object Access
Audit Policy and the File Access Security Audit on the folder.

File Access Audit Event IDs:
File Access Auditing is controlled by the following event IDs.

4656: This is the first event logged when a user attempts to access a file. It records what
type of access the user requested, not what access the user actually performed (that is given
by Event ID 4663). 4656 is controlled by the audit policy subcategory settings Handle
Manipulation and File System.

4663: This event records the actual operation the user performed on the file.

4658: This event is logged when the user closes the file. Correlating it with the earlier Event
ID 4656 that carries the same Handle ID tells you how long the file was open.

4660: This event is logged when a user deletes a file or folder.

4990: This event is logged when a user opens a file.

4670: This event is logged when a user changes the permissions of a file (its access control
list). The event records who changed the permissions, and the old and new permissions.

5145: This is an Advanced Detailed File Share event, available only on Windows 7/Windows
Server 2008 R2 and later versions. 5145 is the file-share equivalent of event ID 4656 and
contains extra information such as the user's client machine (source) address and the share
path (network path) of the accessed file.
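The 4656/4658 correlation described above, as an added PowerShell example (not part of the original article). It assumes the audit policy and folder audit settings from this article are in place, that the Handle Manipulation subcategory is enabled (otherwise no 4656/4658 events exist), that the script runs elevated on the file server, and that D:\Shares\Finance is a constructed sample path.

```powershell
# Added example: pair each 4656 (handle opened) with the 4658 (handle closed) that carries
# the same Handle ID, to report who opened which object under a folder and for how long.
param(
    [string]$PathFilter = 'D:\Shares\Finance',   # constructed sample path, adjust to your share
    [int]$MaxEvents = 5000
)

# Flatten the EventData section of a Security event into a hashtable keyed by field name.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{ Id = $Event.Id; TimeCreated = $Event.TimeCreated }
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4658 } `
          -MaxEvents $MaxEvents -ErrorAction Stop

$open = @{}   # HandleId -> the 4656 record that opened the handle
$report = foreach ($e in ($events | Sort-Object TimeCreated)) {
    $d = ConvertTo-EventData -Event $e
    if ($d.Id -eq 4656) {
        # Keep only opens of objects under the folder we care about
        if ($d.ObjectName -like "$PathFilter*") { $open[$d.HandleId] = $d }
    }
    elseif ($d.Id -eq 4658 -and $open.ContainsKey($d.HandleId)) {
        # Same Handle ID as a recorded 4656: pair them and compute how long it was open
        $o = $open[$d.HandleId]
        [pscustomobject]@{
            User        = "$($o.SubjectDomainName)\$($o.SubjectUserName)"
            Object      = $o.ObjectName
            Requested   = ($o.AccessList -replace '\s+', ' ').Trim()  # raw %%-coded access tokens
            Process     = $o.ProcessName
            OpenedAt    = $o.TimeCreated
            OpenSeconds = [math]::Round(($d.TimeCreated - $o.TimeCreated).TotalSeconds, 1)
        }
        $open.Remove($d.HandleId)   # Handle IDs are reused, so drop it once closed
    }
}

$report | Sort-Object OpenedAt | Format-Table -AutoSize
"Handles opened in this window without a matching 4658 yet: $($open.Count)"
```

Handle IDs are only unique while the handle is open, so the script discards each entry as soon as its 4658 is seen; the requested-access tokens are the raw %% codes, which the event's Message text resolves to names.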

Steps to Enable File System Change Audit Event IDs via new Group Policy:
Follow the steps below to configure File Share Access Auditing events:

Note: You should also configure the File Access Audit Security settings on the folder whose
accesses you are going to audit.

1. Open Group Policy Management Console by running the command gpmc.msc.

2. Expand the domain node, select and right-click the OU which contains all the file servers
(here I have selected the OU File Servers), then click Create a GPO in this domain, and link it
here...



3. Type the new GPO name and click OK (e.g. File System Audit Policy).


4. Right-click on the newly created GPO, then click Edit.


5. Expand Computer Configuration and go to the node Audit Policy (Computer
Configuration->Policies->Windows Settings->Security Settings->Local Policies->Audit Policy).

6. In the left-hand pane, select Object Access, then double-click this setting.



7. In the window that opens, check the values Success and Failure, then click Apply.


8. In Windows Server 2008 R2 and later versions, you can also configure these settings through
Advanced Audit Policy Configuration. Go to the node Advanced Audit Policy Configuration
(Computer Configuration->Policies->Windows Settings->Security Settings->Advanced Audit
Policy Configuration).

9. Expand this node, go to Object Access (Audit Policies->Object Access), then configure the
settings Audit Detailed File Share, Audit File System and Audit Handle Manipulation.

Note: The Audit Handle Manipulation setting controls event ID 4656, which may be a noisy
event for you. If you don't want event 4656, leave the Audit Handle Manipulation setting as
Not Configured.



10. Refresh the GPO by running the command gpupdate /force so that this setting is applied to
all the file servers inside the OU File Servers.


Apply File Access Audit Policy to Specific File Servers:
With the steps above we have configured file access audit events for all the file servers under
the OU File Servers, but in some cases we may want to apply the policy only to a subset of
file servers. You can achieve this with Security Filtering of the Group Policy.

1. Go to the Scope tab; in the Security Filtering section, select the entry Authenticated Users
and click Remove.


2. Click the Add button, click Object Types..., check Computers, select the computers (the
file server computers) to which you want to apply the file system audit policy settings, and
click OK to apply.


4. Refresh the GPO by running the command gpupdate /force to apply this setting to all the
selected file servers.

Steps to Enable File Access Security Audit:
1. Right-click the folder for which you want to configure audit events, and click Properties.


2. Select the Security tab, and click the Advanced button.


3. Navigate to the Audit tab, and click the Add button.



4. Select the account Everyone, check the Successful and Failed audit options that you want to
audit, click OK, and click Apply.



Steps to Enable File Access Auditing using Auditpol command line tool:
Auditpol.exe is the command line utility for changing audit security settings at category and
subcategory level. It is available by default on Windows Server 2008 R2 and later
versions/Windows 7 and later versions. Using Auditpol, we can get and set audit security
settings per user and per computer.

Note: You should run the Auditpol command with elevated privileges (Run as Administrator).

You can enable the file access audit success events (Event IDs 5145, 4663, 4660, 4656, 4658) by
using the following commands:
Auditpol /set /subcategory:"Detailed File Share" /success:enable
Auditpol /set /subcategory:"File System" /success:enable

You can enable the file access audit failure events (Event IDs 5145, 4663, 4660, 4656, 4658) by
using the following commands:
Auditpol /set /subcategory:"Detailed File Share" /failure:enable
Auditpol /set /subcategory:"File System" /failure:enable
Note: to get event ID 4656 you can also enable the Handle Manipulation setting:
Auditpol /set /subcategory:"Handle Manipulation" /success:enable
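The folder audit settings from "Steps to Enable File Access Security Audit" and the Auditpol subcategory settings from this section, applied and then verified in one script; this is an added PowerShell example, not part of the original article. It assumes the script runs elevated on the file server and that D:\Shares\Finance is a constructed sample path.

```powershell
# Added example: set the folder audit entry (Everyone, Success and Failure) and the Auditpol
# subcategories from this article, then read both back to confirm what took effect.
param(
    [string]$Folder = 'D:\Shares\Finance'   # constructed sample path, adjust to your share
)

# --- 1. Folder audit entry, equivalent to the Advanced -> Audit tab steps in the article ---
# -Audit is required, otherwise Get-Acl does not read or write the audit (SACL) part.
$acl = Get-Acl -Path $Folder -Audit
$ruleArgs = @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::FullControl,   # audit every access type; narrow to cut noise
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# --- 2. Audit policy subcategories, the same settings as the Auditpol commands above ---
$subcategories = @('Detailed File Share', 'File System')
foreach ($sub in $subcategories) {
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}
# Handle Manipulation adds the (noisy) event 4656; enable it only if you want that event:
# & auditpol.exe /set /subcategory:"Handle Manipulation" /success:enable | Out-Null

# --- 3. Verify: effective policy per subcategory, and the audit entries now on the folder ---
foreach ($sub in $subcategories + 'Handle Manipulation') {
    & auditpol.exe /get /subcategory:"$sub"
}
(Get-Acl -Path $Folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags |
    Format-Table -AutoSize
```

Writing the audit entry needs the Manage auditing and security log right (SeSecurityPrivilege), which an elevated administrator session has; if the Auditpol output still shows "No Auditing", a domain GPO with Advanced Audit Policy settings is overriding the local change.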
Note: This article applies to Windows Server 2003, Windows Server 2008, Windows Server
2008 R2, Windows Server 2012, Windows 7 and Windows 8.

Thanks,
Morgan
Software Developer
