How to Track File or Folder Changes in Windows

Tracking changes to files or folders in Windows is crucial for security, compliance, and troubleshooting. Windows provides built-in auditing capabilities to monitor who accessed, modified, or deleted files and folders. This guide walks you through the steps to enable and use this feature effectively.

Why Track File or Folder Changes?

Tracking file and folder changes helps IT admins:

  • Identify unauthorized access or modifications.
  • Audit compliance with security policies.
  • Troubleshoot unexpected changes.

Steps to Track File or Folder Changes

1. Enable Audit Policy in Windows

Auditing must be enabled in Windows to track file and folder changes.

Steps:

  1. Press Windows + R, type gpedit.msc, and press Enter to open the Group Policy Editor.
  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
  3. Double-click Audit Object Access and select Success and Failure.
  4. Click OK to save changes.

2. Configure Auditing for Specific Files or Folders

Once auditing is enabled, specify which files or folders to monitor.

Steps:

  1. Right-click the file or folder you want to monitor, then click Properties.
  2. Navigate to the Security tab and click Advanced.
  3. Switch to the Auditing tab and click Add.
  4. Click Select a Principal, enter Everyone, and click OK.
  5. Select the actions to audit (e.g., create, delete, modify) under Type.
  6. Click OK to apply the settings.

3. View Audit Logs in Event Viewer

Audit logs record file or folder changes and can be accessed via Event Viewer.

Steps:

  1. Press Windows + R, type eventvwr, and press Enter.
  2. Navigate to Windows Logs > Security.
  3. Look for Event IDs such as:
    • 4663: File or folder accessed or modified.
    • 4656: Permission requested for a file or folder.

4. Use PowerShell for Advanced Tracking

PowerShell can simplify log analysis.

Example Command:

Get-EventLog -LogName Security | Where-Object { $_.EventID -eq 4663 }

This command retrieves every Event ID 4663 entry from the Security log, that is, the events that record file or folder access and modification.
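
To turn those 4663 entries into who touched which file and how, the sketch below parses the event XML and decodes the access mask. It is an added example, not part of the original guide: the helper name ConvertFrom-Event4663, the sample event, and the C:\Finance path are constructed for illustration, and reading the live Security log requires an elevated prompt.

```powershell
# Added example: decode the key fields of a 4663 event from its XML.
# File access-mask bits (standard Windows file access rights).
$AccessBits = @{
    0x1 = 'ReadData'; 0x2 = 'WriteData'; 0x4 = 'AppendData'
    0x40 = 'DeleteChild'; 0x100 = 'WriteAttributes'; 0x10000 = 'Delete'
    0x40000 = 'WriteDAC'; 0x80000 = 'WriteOwner'
}

function ConvertFrom-Event4663 {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt = ([xml]$EventXml).Event
        # Flatten <Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # AccessMask is logged as hex text such as 0x2.
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)
        $rights = $AccessBits.GetEnumerator() | Sort-Object Key |
            Where-Object { $mask -band $_.Key } | ForEach-Object { $_.Value }
        [pscustomobject]@{
            Time    = $evt.System.TimeCreated.SystemTime
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process = $data['ProcessName']
            Path    = $data['ObjectName']
            Rights  = $rights -join ','
        }
    }
}

# Constructed sample event (not from a real system) for trying the function offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4663</EventID><TimeCreated SystemTime="2024-01-01T09:00:00.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="ObjectName">C:\Finance\budget.xlsx</Data>
    <Data Name="AccessMask">0x6</Data>
    <Data Name="ProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-Event4663

# Live use from an elevated prompt (C:\Finance is a placeholder path):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
#   ForEach-Object { $_.ToXml() } | ConvertFrom-Event4663 |
#   Where-Object { $_.Path -like 'C:\Finance\*' -and $_.Rights -match 'Write|Append|Delete' }
```

Filtering on the decoded rights separates modifications and deletions from plain reads, which usually make up most 4663 volume on an audited folder.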

Best Practices for File and Folder Auditing

  • Audit Only Critical Data: Limit auditing to sensitive files and folders to reduce log clutter.
  • Review Logs Regularly: Schedule periodic reviews to identify potential security incidents.
  • Back Up Logs: Ensure audit logs are backed up to prevent tampering.
