views:

307

answers:

3

In Windows, how can I programmatically determine which user account last changed or deleted a file?

I know that setting up object access auditing may be an option, but if I use that I then have the problem of trying to match up audit log entries to specific files... sounds complex and messy! I can't think of any other way, so does anyone either have any tips for this approach or any alternatives?

A: 

The only way I know of to do this is to set up a FileSystemWatcher and keep it running. Oh, and if it's across a network drive, it may randomly lose connection, so it may be good to force a disconnect/reconnect every few hours just to make sure it has a fresh connection.

Jerry
While FileSystemWatcher will capture changes to files, I don't think it will capture _who_ changes files.
Cocowalla
+2  A: 

You could always create a file system filter. This might be overkill, but it depends on your purposes. You can have it load at boot and it sits behind pretty much every file access (it's what virus scanners usually use to scan files as they are accessed).

Simply need to log the "owner" of the application that is writing to the file.

Also see the MSDN documentation

Grant Peters
I don't believe such a filter can be written in managed code though?
Cocowalla
@Cocowalla: Nope, that's not possible (or, to be more exact: this will lead to massive problems within your OS and should be avoided under any circumstances).
Oliver
+2  A: 

You can divide your problem into two parts:

  1. Write to a log whenever a file is accessed.
  2. Parse, filter and present the relevant information of the log.

Of those two, part 1, writing to the log, is a built-in function through auditing, as you mention. Reinventing that would be hard and would probably never get as good as the built-in functionality.

I would use the built-in functionality for logging by setting up an audit ACL on those files. Then I would focus my efforts on providing a good interface that reads the event log, filters out the relevant events and presents them in a way that is suitable and relevant for your users.

Anders Abel
So you are advocating matching up Windows object audit log entries with filenames?
Cocowalla
Yes, I do. The file names are written in clear text in the event log entry, so it shouldn't be too hard. At least it should be a lot simpler than writing a good file activity monitor, as that would probably require a file system filter as suggested by Grant Peters.
Anders Abel
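A worked version of the two-part approach above, added here as an example and not code from the thread: it puts an audit ACE on a folder and then reads the Security log to map each audited file to the account that last wrote to or deleted it. It assumes the "Object Access / File System" audit policy is already enabled (auditpol or Group Policy), that the script runs elevated, and that `C:\Data` is a placeholder path; event ID 4663 is the standard Windows "An attempt was made to access an object" record.

```powershell
# Added example, not from the original thread. Placeholder folder to audit.
$folder = 'C:\Data'

# Part 1: let Windows do the logging. Add a SACL entry so successful
# writes and deletes by any account are recorded as Security event 4663.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Part 2: read the log, keep only events for files under $folder, and
# remember the most recent account per file. ObjectName in 4663 holds the
# full path, which is what makes matching entries to files straightforward.
# (Event 4660, "object deleted", carries only a HandleId; the 4663 event
# with the DELETE access right and the same HandleId names the file.)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 }
$last = @{}
foreach ($e in ($events | Sort-Object TimeCreated)) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $name = $data['ObjectName']
    if ($name -and $name.StartsWith($folder, [System.StringComparison]::OrdinalIgnoreCase)) {
        $last[$name] = [pscustomobject]@{
            File       = $name
            Time       = $e.TimeCreated
            Account    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            AccessMask = $data['AccessMask']   # e.g. 0x2 = WriteData, 0x10000 = DELETE
        }
    }
}
$last.Values | Sort-Object File | Format-Table File, Time, Account, AccessMask -AutoSize
```

The Security log is rolled over by size, so for anything beyond a short window the events should be forwarded or exported before they are overwritten.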