How to Track File/Folder Creation and Deletion in Windows

Keeping an eye on changes to files and folders in Windows is essential for keeping your system secure, compliant, and running smoothly. Whether you're a system admin or just someone who values security, tracking these changes can be a big help for security audits, data recovery, troubleshooting, and meeting those pesky regulatory requirements.

In this article, we’ll dive into a variety of effective methods from the built-in tools in Windows to some handy third-party options, for monitoring file system activity.

Methods for Tracking File and Folder Changes

1. File System Auditing:

• How it Works: Configures detailed auditing rules for specific files or folders.
• Step 1: Enable Audit Object Access
  • Open Local Security Policy:
  • Press Win + R, type secpol.msc and hit Enter.
  • Navigate to Security Settings, then Local Policies, and finally to Audit Policy.
  • Double-click on Audit Object Access and choose Success and Failure.
  • Click OK to save your changes.

• Step 2: Configure File/Folder Auditing
  • Right-click on the file or folder you want to keep an eye on and select Properties.
  • Head over to the Security tab and click on Advanced.
  • Switch to the Auditing tab and click Add.
  • Click Select a Principal, type Everyone, and hit OK.
  • In the Auditing Entry window: Choose Success and Failure. Check Create files/Write data, Delete subfolders and files, and Delete.
  • Click OK to apply your settings.

• Limitations:

  • It can really slow down your system if you use it too much.
  • You need to configure it carefully to avoid generating too much log data.

2. Track Changes in Event Viewer

• How it Works: This feature taps into the built-in Event Viewer to keep a record of system events, including any changes made to the file system.
• Key Event IDs:
  • 4663 (Object Access): This ID gives you insights into various operations involving files and folders, such as when they are created, deleted, modified, and more.
  • 4656 (Handle Created): This indicates that a request was made for an access handle to an object.
•  
• Limitations: It can produce a significant amount of log data. Manual filtering and analysis are necessary. PowerShell:

3. PowerShell:

• How it Works: It uses the Get-WinEvent cmdlet to dynamically filter and pull security logs that pertain to file system events.
• Example: PowerShell

  • Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4663} | Format-Table TimeCreated, Message -AutoSize

• Benefits: Offers flexibility and automation for analyzing logs. Can be incorporated into scripts for ongoing monitoring.

4. Third-Party Tools:

• How it Works: These specialized tools provide advanced features like real-time monitoring, detailed reporting, and alerts
• Examples:
  • FileAudit: Offers comprehensive tracking and alerts for any file changes.
  • Netwrix Auditor: Provides detailed audit reports for file and folder access. ManageEngine ADAudit Plus: Delivers advanced auditing and reporting for files and folders.

Best Practices:

• Minimize Performance Impact: Set up auditing rules thoughtfully to prevent excessive log data and reduce the impact on system performance.
• Regularly Review Logs: Make it a habit to analyze event logs frequently to spot and address any suspicious activities.
• Implement Security Measures: Protect audit logs from unauthorized access to ensure the integrity of the auditing process.
• Consider Compliance Requirements: Make sure your auditing practices align with relevant regulations and industry standards.

Keeping track of file and folder changes in Windows doesn’t have to be a headache, but it does take some careful planning. Whether you’re using the built-in auditing tools, digging through logs with PowerShell or opting for third-party software, the trick is to find the right balance between visibility and performance. By sticking to best practices and regularly checking your logs, you can have a better grip on your system’s integrity and security.

Relevant Articles

• Microsoft's Doc: Apply a basic audit policy on a file or folder
• How to Track Group Policy Changes
• How to Check Active Directory (AD) Event Logs
• How to Track File or Folder Changes in Windows