Solved

Who accessed files on computer

Posted on 2009-04-09
9
308 Views
Last Modified: 2012-05-06
Hi to all,

I am currently working on a project where users need to be able to see who accessed a file and when. I am working on a Windows 2003 server and the files are all Word 2007 documents, I also use Visual Studio 2008 for programming.
The users are exactly that: users. They don't know how to get the file history and that is why I need to come up with an application that can give them that information. Word just tracks who modified the file last and who created the file. Nothing in between.

My question: Is it possible to track who opened a file through VB.net? Even if I have to look at the event viewer or something else?

Any suggestions would be welcomed.

Thanks to all
0
Comment
Question by:ALawrence007
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 11

Expert Comment

by:bmatumbura
ID: 24106551
This utility may help: http://www.engagent.com/products/product_FileAudit.htm

but if you intend to develop your own, then you will have to enable object access auditing on the machine that is hosting the word files; then read the access log events from the security events log.
0
 
LVL 11

Assisted Solution

by:bmatumbura
bmatumbura earned 100 total points
ID: 24106569
0
 
LVL 5

Expert Comment

by:burningmace
ID: 24106583
The only way to do it would be to create a system service that calls NtQuerySystemInformation (I'll call this NTQSI from now on) periodically to get a list of open file handles. Then filter the results for files you want to check and then find the PID that owns the handle (it's in one of the structures for NTQSI) and use System.Diagnostics.Process.GetProcessById(pid).StartInfo.UserName to get the name of the user that has the file open.

However, this is completely limited to finding open handles and cannot tell you if the user actually modified data. I suppose you could periodically check the file's Last Modified date and when it changes look at the last set of results from NTQSI to see which user had a handle on the file, but it's not the most definitive of answers.

A few resources on NTQSI and file handles:
http://forum.sysinternals.com/forum_posts.asp?TID=14546&KW=open+handles
http://www.codeproject.com/KB/shell/OpenedFileFinder.aspx?fid=422864&df=90&mpp=25&noise=3&sort=Position&view=Quick&fr=26&select=2277170
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 

Author Comment

by:ALawrence007
ID: 24110223
burningmace,

The code Project application you mentioned looked like it is exactly what I need. The only thing is I don't know C++ at ALL. How can I convert that to VB.Net or is there a sample of this in VB or C#?

I also don't need to see the modified data, all I need to see is who opened the file and when.

Thanks
0
 
LVL 5

Expert Comment

by:burningmace
ID: 24114169
It's not something that's easy to convert. As .NET languages are managed and C++ is unmanaged, every API declaration and structure would need to be re-written, then the code could be translated into C#. I'm not brilliant with C++ myself, and would probably have a hard time translating stuff like this. I can't do anything today (I'm going out later) and I'm working all tomorrow, so I might be able to get a bit of experimentation done tomorrow. In the meantime, take a look at pinvoke.net's information on all the APIs used in the C++ application (if you can't pick them out of the code, read the article that came with it for some starting points). There should be some sample .NET code for some of them, just to get you familiar with them before you start trying to use them in something as large scale as this.
0
 
LVL 5

Expert Comment

by:burningmace
ID: 24114196
Just spotted bmatumbura's comments above. I'd completely forgotten about NTFS auditing - it could be a really useful tool in this situation. To simplify the idea:

Server runs NTFS auditing on files/folders of your choice.
Users access the files on the server and the server saves these access logs to the security log.
You read the security log to find out a whole list of who accessed what when.

To access the event log, just type "eventvwr.msc" into the Start -> Run... box (WinKey+R if it's not there).

I seem to remember this requiring some form of domain controller service being set up, I'm not too savvy on network server features. It was something along the lines of all machines on the network have to be linked to the domain controller and all user accounts are to be stored on the server itself. I don't know your server setup so I can't really advise - besides, programming is more my thing.

If you can't get the results you need, try posting a question under the Windows Server section as they will have a much better grasp at it that most people in the VB.NET section.
0
 

Author Comment

by:ALawrence007
ID: 24138296
Guys,

NTFS auditing is up and running on the server. I can view all the log files, but now I need to be able to access that in my own application using VB.Net. My users don't know how to use the event log and that is why I need to add the functionality to my current application.

Any suggestions?

Thanks
0
 
LVL 5

Accepted Solution

by:
burningmace earned 400 total points
ID: 24166129
The following code finds the security log and prints out all entries to the console. You can basically just filter out the logs you don't want by simple experimentation - first handle only logs with an EntryType of SuccessAudit or FailureAudit, then filter the results by looking for text that only NTFS audit logs have in their messages.
        Dim logs() As EventLog = EventLog.GetEventLogs()
        Dim sl As EventLog = Nothing
        Dim found As Boolean = False
        For i As Integer = 0 To logs.Length - 1
            If logs(i).LogDisplayName = "Security" Then
                sl = logs(i)
                found = True
            End If
        Next
        If Not found Then
            ' Error!
            MsgBox("Error - Security log not found.")
            Exit Sub
        End If
        For Each l As EventLogEntry In sl.Entries
            ' Do whatever you want with each log.
            Console.WriteLine(l.Message)
        Next

Open in new window

0
 

Author Closing Comment

by:ALawrence007
ID: 31568479
Thanks for the help and patience guys. Both got me to my solution in the end.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Setting up a Microsoft WSUS update system is free relatively speaking if you have hard disk space and processor capacity.   However, WSUS can be a blessing and a curse. For example, there is nothing worse than approving updates and they just have…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question