I know how to audit which user accesses a file. How can I tell which process is modifying files in a directory?
SnapOverflow
I know how to audit which user accesses a file. How can I tell which process is modifying files in a directory?
I'm guessing that you're probably looking for more long-term auditing than using "Process Monitor" or repeatedly running "handle.exe". We'll see if my psychic powers pay off here.
"Object access" auditing is probably what you're looking for. If you're looking to audit access to files being access locally on a computer then you'll be able to see the process name accessing the files. If the files are being accessed remotely, though, you'll only see the name and logon ID of the user accessing the files (and not the name of the process accessing the files).
If the files you're looking to watch are on a server you'll need to modify the local security policy on that server (unless it's a Domain Controller computer, in which case you'll be stuck adding or modifying an existing GPO that alters the security policy for all Domain Controller computers). The setting, in Group Policy, that you're looking for is "Audit object access", located in the "Audit Policy" sub-node of the "Local Policy" sub-node of the "Security Settings" sub-node of the "Windows Settings" sub-node of "Computer Configuration" in Group Policy / Local Policy. Update group policy (GPUPDATE) for the change to take effect.
Once you've enabled that setting (for successs, failure, or both, depending on what you want to access) you'll need to add a SACL (System Access Control List) on the folder or files to allow auditing. In W2K3 you can modify the SACL by adding entries on the "Auditing" tab of the "Advanced" dialog access from the "Security" properties-sheet for the file or folder. If you want to audit access from only a particular user or group of users add them to the SACL. If you want to audit all access, just add "Everyone" with "Full Control" permission (success and failure, if you want to audit both) to the SACL.
After you've turned on auditing in the security policy, updated Group Policy, and marked the items you want to audit with a SACL you will start to see auditing events being logged in the "Security" event log of the machine hosting the files, like:
Event Source: Security Event ID: 560 Type: Success Audit Category: Object Access Descrption: Object Open: Object Server: Security Object Type: File Object Name: C:\Secret Docs\World Domination Plan\Chinchilla.txt Handle ID: 1904 Operation ID: {0,233543114} Process ID: 3356 Image File Name: C:\WINDOWS\system32\notepad.exe Primary User Name: EAnderson Primary Domain: LAPTOP01 Primary Logon ID: (0x0,0x1C744) Client User Name: - Client Domain: - Client Logon ID: - Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) ReadEA WriteEA ReadAttributes WriteAttributes Privileges: - Restricted Sid Count: 0 Access Mask: %18The "Image File Name" shows the name of the process peforming the access. You won't see "Image File Name" in auditing entries created by access to the files over "File and Print Sharing", though. (I'm not sure that there is a compelling "story" for long-term auditing of remotely-accessed files. You'd have to do "Process Tracking" on the remote client at the very least, and even then I don't think you'd be able to differentiate between access performed by various programs running under the remote user's context through any kind of correlation between the client and server computers' security logs...)
One way to do this is use a filter in Process Monitor, one of the Sysinternals tools. The help file has a similar example. This is not a core OS component though so you would need to check it's appropriate to install it.
You can download handle.exe from:
http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx
Very useful for viewing open handles.