Solved

What files were accessed or modified

Posted on 2007-12-05
Last Modified: 2010-08-05
Yesterday, someone logged into my computer. I wanted to see, if possible, what files were accessed/modified. I am using Windows 2000 with Service Pack 4.
Question by:jjrr007
19 Comments
 
LVL 32

Expert Comment

by:and235100
ID: 20411429
You really need to enable auditing on the files/folders to make this easy (for the future)
http://support.microsoft.com/kb/310399
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/audittn.mspx

Otherwise - you would probably have to use a third-party tool to make it easy.
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20411504
Thanks. These links tell me how to enable auditing (I believe auditing is already enabled). What I'm interested in knowing is how to view what files were accessed/modified. Could you please let me know a bit more about that?
0
 
LVL 32

Expert Comment

by:and235100
ID: 20411544
You can look up the entries in the Security section of the Event log.
(start, run, type eventvwr <hit enter>)

If file auditing was enabled - you should see entries corresponding to when files were accessed - either Success (permission granted) or Denied (permission rejected).
0

 
LVL 1

Author Comment

by:jjrr007
ID: 20411727
When you say event log, do you mean Event Viewer?
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20411740
I see event viewer in Administrative Tools.  Could I look there?  Thanks.
0
 
LVL 32

Expert Comment

by:and235100
ID: 20411825
Yes - same thing.
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20411912
Thanks.  I have that enabled.  What and where in there should I look for?
0
 
LVL 26

Expert Comment

by:souseran
ID: 20411986
You could also use Start | Search | For Files or Folders | All files or folders.

In "All or part of the file name" type *.*
In "Look in" make sure the drives you're interested in are selected.
There are additional options you can configure. One of them is "When was it modified?" Check the option for "Specify dates" and enter the date(s) of interest.
Under "More advanced options" select "Search subfolders." If you want to be thorough, you can also select "Search system folders" and "Search hidden files and folders" These are usually operating system files though, and some of them are routinely accessed by program processes. Assuming you're only interested in data files, "Search subfolders" should be sufficient.

The results of this search should give you all files that meet your criteria.
0
 
LVL 32

Expert Comment

by:and235100
ID: 20412086
Click on Security in the left-hand column, and you can r-click the Security object, and Filter the results - so that you only see entries during a specified period - i.e. when you think the "offense" occurred.
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20412145
Thanks Souseran,
Will this search also tell me if a file was opened, but not modified?  Also, will this search tell me if a file was copied?  My assumption is that it will only tell me if a document was saved- is that right?

Thanks and235100,
I can go to Event Viewer. I don't know what to do from there. Could you please let me know?

0
 
LVL 32

Expert Comment

by:and235100
ID: 20412259
Take a look at the two screenshots here for the options you need to select:
https://filedb.experts-exchange.com/incoming/ee-stuff/6006-image1-2.GIF
https://filedb.experts-exchange.com/incoming/ee-stuff/6007-image2-2.GIF
(login with your EE username and password)
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20412704
and235100,

Thanks. When I tried to filter the records by the username, I don't see any records for that individual. Yet I know that they logged in to the computer: by going to "documents and settings", I see the username. I'm not allowed to filter by date; that appears to be "locked down". Is this information saved somewhere in a log file?
0
 
LVL 26

Expert Comment

by:souseran
ID: 20413229
@jjrr007,

That search will only tell you if files were *modified.* It will also include any files that were created or saved during the period of interest, or on a particular date if your search is for one date only. To learn whether the files were *accessed*, follow the instructions provided by and235100.

If you follow both sets of instructions, some of the same files should appear in both the Event Viewer data and the Search data.
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20413578
Thanks for your time everyone.

You are right. With the search, I can only see if a file is saved (modified).

Using the Event Viewer, I searched by the date and was able to see some events.  However, I can't see if a file was accessed or opened using the Event Viewer.  Maybe I'm doing something wrong.  What steps should I take to view if a file was opened or copied in Event Viewer?
0
 
LVL 32

Accepted Solution

by:
and235100 earned 500 total points
ID: 20414336
You need to enable the correct auditing events on each file/folder you want to audit.
R-click the folder, select Properties, click on the Security tab, click Advanced, then click on the Auditing tab.
Add in the events that you want logged - i.e. "traverse folder contents", Success (if the user should not be accessing that object, but has the necessary rights) or Failure (if the user has no permission, but tries to get to the resource anyway)

Bear in mind - if the user is a domain admin - he/she can delete the records - and there is little point to audit a domain admin account - as they can remove the auditing.

Hope that helps.
0
 
LVL 1

Author Comment

by:jjrr007
ID: 20426726
This helps.  What I want to do is place Auditing on the entire C hard drive.  For the other folders on a different drive, I want it set-up so only I can access it.  

1. Can I do the same steps you mentioned above on the entire C drive for auditing?
2. If someone does try to go into a drive or folder with auditing, where in Event Viewer do  the results appear?
3.  How do I set-up the other folder (on a different drive) so only I can access it?

Thanks!


0
 
LVL 32

Expert Comment

by:and235100
ID: 20426940
1. Yes
2. You can view the logged entries in the security log
http://support.microsoft.com/kb/308427
3. You can set permissions so that you have Full Control on a folder - and no-one else will be able to access it.
http://www.windowsitlibrary.com/Content/592/1.html gives you some background on the options available to you.
0
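
As an added illustration of the answers above (not code from the thread): once auditing is enabled and the Security log has been saved from Event Viewer as comma-delimited text, a short script can pull out the file-open events (event ID 560, "Object Open", on Windows 2000) for a time window and user. The column order, the flattened description text and every name in the sample rows are assumptions constructed for the example; adjust them to match the real export.

```python
import csv
import io
import re
from datetime import datetime

OBJECT_OPEN = 560  # "Object Open" event ID in the Windows 2000 Security log
# Assumed column order of the saved log; adjust to match the real export.
COLUMNS = ["date", "time", "source", "type", "category",
           "event", "user", "computer", "description"]
# Constructed sample rows (users, paths and times are invented).
SAMPLE = r'''
12/4/2007,2:10:05 PM,Security,Success Audit,Logon/Logoff,528,PC1\guest1,PC1,"Successful Logon: User Name: guest1"
12/4/2007,2:14:31 PM,Security,Success Audit,Object Access,560,PC1\guest1,PC1,"Object Open: Object Type: File Object Name: C:\Docs\budget.xls Accesses: ReadData (or ListDirectory)"
12/4/2007,2:15:02 PM,Security,Failure Audit,Object Access,560,PC1\guest1,PC1,"Object Open: Object Type: File Object Name: D:\Private\tax notes.txt Accesses: ReadData (or ListDirectory)"
12/4/2007,2:16:40 PM,Security,Success Audit,Object Access,560,PC1\guest1,PC1,"Object Open: Object Type: Key Object Name: \REGISTRY\USER\S-1-5-21 Accesses: Query key value"
12/5/2007,9:00:12 AM,Security,Success Audit,Object Access,560,PC1\owner,PC1,"Object Open: Object Type: File Object Name: C:\Docs\budget.xls Accesses: WriteData (or AddFile)"
'''.strip()

DETAIL_RE = re.compile(r"Object Name:\s*(.+?)\s+Accesses:\s*(.+)$")


def file_access_events(text, start, end, user=None):
    """Return (when, audit_type, account, path, accesses) for audited file opens."""
    hits = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=COLUMNS):
        desc = row["description"]
        # Keep only file opens; 560 is also logged for registry keys etc.
        if int(row["event"]) != OBJECT_OPEN or "Object Type: File" not in desc:
            continue
        when = datetime.strptime(row["date"] + " " + row["time"],
                                 "%m/%d/%Y %I:%M:%S %p")
        if not (start <= when <= end):
            continue
        # Compare the account name without its DOMAIN\ or COMPUTER\ prefix.
        if user and row["user"].split("\\")[-1].lower() != user.lower():
            continue
        match = DETAIL_RE.search(desc)
        if match:
            hits.append((when, row["type"], row["user"],
                         match.group(1), match.group(2)))
    return hits


if __name__ == "__main__":
    day_start = datetime(2007, 12, 4, 0, 0, 0)
    day_end = datetime(2007, 12, 4, 23, 59, 59)
    for when, kind, account, path, accesses in file_access_events(
            SAMPLE, day_start, day_end, user="guest1"):
        print(when, kind, account, path, accesses, sep=" | ")
```

"Failure Audit" rows are the denied attempts; "Success Audit" rows are opens that were permitted. Files on folders without an auditing entry never appear, whatever the filter.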
 
LVL 1

Author Closing Comment

by:jjrr007
ID: 31412837
Thanks a lot.  You have quite a bit of knowledge on this.  
0
 
LVL 32

Expert Comment

by:and235100
ID: 20433697
Glad that I could help.
Thank you.
0
