A step-by-step guide on how to track, audit, and analyze file and folder creation, deletion, and modification in Windows for security and compliance.
Monitoring changes to files and folders is a fundamental practice for maintaining system integrity, ensuring compliance, and investigating security incidents. Whether for forensic analysis after a breach, meeting regulatory requirements like HIPAA or GDPR, or simply troubleshooting an issue, file system auditing provides the record you need: who created, modified, deleted, or read which file, from which process, and when.
This guide will walk you through a variety of effective methods, from built-in Windows tools to powerful third-party solutions, to help you track file creation, deletion, modification, and access.
Windows' built-in object access auditing is the native method for tracking file system changes. It involves two key steps: first, enabling the auditing feature system-wide, and second, configuring specific auditing rules (a SACL) on the files and folders you want to monitor. Nothing is logged until both steps are done.
This setting tells Windows to record events related to file system objects in the Security log. On Windows 7 / Server 2008 R2 and later the same switch exists in finer-grained form under Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies -> Object Access -> Audit File System; if both the legacy category and the advanced subcategory are configured, the subcategory setting takes precedence by default.
Press Windows + R, type secpol.msc, and press Enter.
In the left pane, navigate to Security Settings -> Local Policies -> Audit Policy.
Double-click "Audit object access."
Check the boxes for "Success" and "Failure."
Click OK to apply the changes.
Now, you must tell the system which folders to monitor.
Right-click on the file or folder you want to audit and select Properties.
Go to the Security tab and click Advanced.
Click on the Auditing tab, then click Add.
Click "Select a principal", type Everyone (or a specific user/group), and click OK.
In the "Auditing Entry" window, set the following:
Type: All (or Success/Failure for more specific tracking).
Applies to: This folder, subfolders and files.
Check the boxes for the actions you want to track, such as:
Create Files / Write Data
Create Folders / Append Data
Delete subfolders and files
Delete
Click OK and then Apply to save your changes.
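The same two steps scripted in PowerShell, as an added example that is not part of the original guide. It assumes an elevated session and a folder C:\Shares\Finance (a placeholder path to adjust); auditpol.exe enables the File System subcategory, which is the Advanced Audit Policy equivalent of "Audit object access", and .NET's FileSystemAuditRule writes the same SACL entry the Auditing tab would create.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell session:
# writing a SACL requires the "Manage auditing and security log" right, which Administrators hold.
$Target = 'C:\Shares\Finance'   # assumption: the sensitive folder to audit

# Step 1: turn on file-system object access auditing for both successful and failed attempts.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: build an audit rule equivalent to the GUI choices above:
# principal Everyone, create/write/append/delete rights, applied to this folder, subfolders and files.
$Rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, DeleteSubdirectoriesAndFiles, Delete'
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop    = [System.Security.AccessControl.PropagationFlags]::None
$Flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$Rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $Rights, $Inherit, $Prop, $Flags)

# Read the folder's security descriptor including its SACL (-Audit), add the rule, write it back.
$Acl = Get-Acl -Path $Target -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Target -AclObject $Acl

# Verify what is now in effect: the policy state and the folder's audit entries.
auditpol.exe /get /subcategory:"File System"
(Get-Acl -Path $Target -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Auditing only the write, append and delete rights, rather than "Full control", keeps the Security log from filling with ReadData events every time a user browses the share.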
Once auditing is enabled, Windows records every operation that matches a SACL entry in the Security log. You can view these events using the Event Viewer.
Press Windows + R, type eventvwr.msc, and press Enter.
In the left pane, navigate to Windows Logs -> Security.
The Security log can be very noisy. To find relevant events, use the "Filter Current Log..." option in the right-hand pane.
Filter for the following key Event IDs:
Event ID 4663: An attempt was made to access an object. This is the primary ID for file and folder changes; its Accesses field lists the rights that were exercised (ReadData, WriteData, AppendData, DELETE, and so on), and its Process Name field shows which program performed the action.
Event ID 4656: A handle to an object was requested. Denied attempts appear here as Audit Failure events, because no 4663 is written when the handle is never granted.
Event ID 4658: The handle to an object was closed. Its Handle ID links the 4656 and 4663 events that belong to one open of the same file.
Event ID 4659: A handle to an object was requested with intent to delete.
Event ID 4660: An object was deleted. It appears alongside a 4663 carrying DELETE access and confirms the file or folder was actually removed.
Manually sifting through thousands of events in Event Viewer is tedious. PowerShell provides a much faster and more flexible way to filter and analyze the Security log data.
The following command queries the Security log for 4663 events and formats the output as a readable table. The Properties indexes follow the fixed field order of the 4663 event schema: 1 is the account name, 6 the object path, 8 the Accesses list, and 11 the process name.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4663} |
    Select-Object -Property TimeCreated,
        @{Name='User';    Expression={$_.Properties[1].Value}},
        @{Name='File';    Expression={$_.Properties[6].Value}},
        @{Name='Access';  Expression={$_.Properties[8].Value}},
        @{Name='Process'; Expression={$_.Properties[11].Value}} |
    Format-Table -AutoSize
Get-WinEvent: A modern, efficient cmdlet for querying event logs.
-FilterHashtable: This filters events at the source, dramatically improving performance compared with piping everything through Where-Object.
Select-Object: This creates a clean table with only the most relevant information: the time, the user who performed the action, the file path, the access exercised, and the process that did it.
Note that the raw Accesses value comes back as resource-string codes such as %%4417 (WriteData/AddFile) or %%1537 (DELETE); the resolved names appear in the event's Message text.
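Going a step further, the following added example (not from the original article) turns 4663 events into objects with decoded access rights and then summarizes writes and deletes per user and file, which is the shape of data an alert or report needs. The %%nnnn mapping is the set of placeholders Windows stores in the Accesses field; the sample events are constructed here in the 4663 field order so the script runs offline, and the live query function assumes an elevated session on the audited host.

```powershell
# Added example (not from the original article): decode and summarize 4663 file audit events.

# Resource-string placeholders used in the 4663 Accesses field, mapped to their names.
$AccessNames = @{
    '%%1537' = 'DELETE';       '%%1538' = 'READ_CONTROL';   '%%1539' = 'WRITE_DAC'
    '%%1540' = 'WRITE_OWNER';  '%%1541' = 'SYNCHRONIZE'
    '%%4416' = 'ReadData/ListDirectory';   '%%4417' = 'WriteData/AddFile'
    '%%4418' = 'AppendData/AddSubdirectory'; '%%4419' = 'ReadEA'; '%%4420' = 'WriteEA'
    '%%4421' = 'Execute/Traverse';         '%%4422' = 'DeleteChild'
    '%%4423' = 'ReadAttributes';           '%%4424' = 'WriteAttributes'
}

function ConvertTo-FileAuditRecord {
    # Takes the Properties values of one 4663 event. Index order is fixed by the event schema:
    # 1=SubjectUserName, 2=SubjectDomainName, 6=ObjectName, 8=AccessList, 11=ProcessName.
    param(
        [Parameter(Mandatory)][object[]]$Props,
        [datetime]$Time = (Get-Date)
    )
    $codes = [regex]::Matches([string]$Props[8], '%%\d+') | ForEach-Object { $_.Value }
    [pscustomobject]@{
        Time    = $Time
        User    = '{0}\{1}' -f $Props[2], $Props[1]
        Path    = [string]$Props[6]
        Access  = ($codes | ForEach-Object { if ($AccessNames[$_]) { $AccessNames[$_] } else { $_ } }) -join ', '
        Process = [string]$Props[11]
    }
}

function Get-FileAuditRecord {
    # Live query: 4663 events since $Since whose path starts with $PathPrefix (elevated session required).
    param(
        [string]$PathPrefix = 'C:\Shares\',          # assumption: prefix of the audited folder
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4663; StartTime = $Since } |
        ForEach-Object { ConvertTo-FileAuditRecord -Props ($_.Properties.Value) -Time $_.TimeCreated } |
        Where-Object { $_.Path -like "$PathPrefix*" }
}

# Constructed sample events (not real log data), laid out in the 4663 Properties order:
# SID, user, domain, logon id, object server, type, path, handle, accesses, mask, pid, process, attributes.
$Sample = @(
    @('S-1-5-21-1-2-3-1001','jdoe','CORP','0x3e7','Security','File','C:\Shares\Finance\Q3.xlsx','0x1a4',"%%4417`n`t`t`t`t",'0x2','0x1234','C:\Windows\explorer.exe',''),
    @('S-1-5-21-1-2-3-1001','jdoe','CORP','0x3e7','Security','File','C:\Shares\Finance\Q3.xlsx','0x1a8',"%%1537`n`t`t`t`t",'0x10000','0x1234','C:\Windows\explorer.exe',''),
    @('S-1-5-21-1-2-3-1002','svc-backup','CORP','0x3e8','Security','File','C:\Shares\Finance\Q2.xlsx','0x1b0',"%%4416`n`t`t`t`t",'0x1','0x5678','C:\Program Files\Backup\agent.exe','')
)
$Records = $Sample | ForEach-Object { ConvertTo-FileAuditRecord -Props $_ }

# Who wrote or deleted what, and from which process: the rows an investigator cares about first.
$Records | Where-Object { $_.Access -match 'DELETE|WriteData' } |
    Format-Table Time, User, Path, Access, Process -AutoSize

# Counts per user and access type; a sudden spike here is what an automated alert should key on.
$Records | Group-Object User, Access | Select-Object Count, Name | Sort-Object Count -Descending

# For real data, replace $Sample with the live query, e.g.:
# $Records = Get-FileAuditRecord -PathPrefix 'C:\Shares\Finance\' -Since (Get-Date).AddHours(-6)
```

Decoding from the Properties array instead of parsing the Message text keeps the script independent of the display language of the host, which matters when the same collector handles machines with different Windows locales.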
For organizations that require real-time monitoring, detailed reporting, and automated alerts, built-in Windows tools are often not enough. Specialized third-party software offers a more robust solution.
Real-Time Monitoring and Alerts: These tools can send instant notifications via email or other channels when a critical file is modified or deleted, allowing for immediate response.
Simplified Reporting: They provide pre-built, easy-to-read reports that summarize activity, making it simple to demonstrate compliance to auditors.
Advanced Analytics: Many tools use machine learning to detect unusual behavior, such as a user suddenly accessing thousands of files, which could indicate a compromised account.
Popular third-party solutions include FileAudit, Netwrix Auditor, and ManageEngine ADAudit Plus.
Be Selective: Avoid auditing entire drives like C:. Only enable auditing on critical folders containing sensitive data, and prefer auditing write, append and delete rights over successful reads for Everyone, which otherwise produce an overwhelming volume of log data that can impact performance and bury the events that matter.
Regularly Review Logs: Make log review a routine part of your security operations. Automate the analysis with PowerShell scripts or a third-party tool.
Secure Your Logs: Audit logs are a crucial record. Raise the maximum size of the Security log so it does not wrap before you review it, restrict who can read or clear it, and forward events to a central collector or SIEM so that an attacker who gains administrator rights on a host cannot erase the only copy of their trail. A cleared Security log itself leaves Event ID 1102 behind; alert on it.
Align with Compliance: Configure your auditing policies to meet the specific requirements of industry regulations like HIPAA, GDPR, or PCI-DSS.
By choosing the right method for your needs—whether it's the granular control of native Windows auditing or the powerful automation of a third-party tool—you can gain the visibility needed to maintain a secure and compliant environment.
Tracking changes helps in monitoring unauthorized access, ensuring compliance, and troubleshooting issues like accidental deletions.
Apply auditing only to the files or folders you want to monitor, via the Auditing tab in each folder's advanced security settings.
You need administrative privileges to enable object access auditing and configure security settings; specifically, editing a SACL requires the "Manage auditing and security log" user right, which Administrators hold by default.
Yes. Auditing is configured on the NTFS folder behind the share (its SACL), exactly as for a local folder, and the resulting 4663 events name the accessing account and process. To also record the share-level connection itself, enable the Object Access -> Audit File Share subcategory, which logs Event ID 5140 when a network share is accessed.