Solved

Who accessed files on computer

Posted on 2009-04-09
9
303 Views
Last Modified: 2012-05-06
Hi to all,

I am currently working on a project where users need to be able to see who accessed a file and when. I am working on a Windows 2003 server and the files are all Word 2007 documents, I also use Visual Studio 2008 for programming.
The users are exactly that: users. They don't know how to get the file history and that is why I need to come up with an application that can give them that information. Word just tracks who modified the file last and who created the file. Nothing in between.

My question: Is it possible to track who opened a file through VB.net? Even if I have to look at the event viewer or something else?

Any suggestions would be welcomed.

Thanks to all
0
Comment
Question by:ALawrence007
  • 4
  • 3
  • 2
9 Comments
 
LVL 11

Expert Comment

by:bmatumbura
ID: 24106551
This utility may help: http://www.engagent.com/products/product_FileAudit.htm

but if you intend to develop your own, then you will have to enable object access auditing on the machine that is hosting the word files; then read the access log events from the security events log.
0
 
LVL 11

Assisted Solution

by:bmatumbura
bmatumbura earned 100 total points
ID: 24106569
0
 
LVL 5

Expert Comment

by:burningmace
ID: 24106583
The only way to do it would be to create a system service that calls NtQuerySystemInformation (I'll call this NTQSI from now on) periodically to get a list of open file handles. Then filter the results for files you want to check and then find the PID that owns the handle (it's in one of the structures for NTQSI) and use System.Diagnostics.Process.GetProcessById(pid).StartInfo.UserName to get the name of the user that has the file open.

However, this is completely limited to finding open handles and cannot tell you if the user actually modified data. I suppose you could periodically check the file's Last Modified date and when it changes look at the last set of results from NTQSI to see which user had a handle on the file, but it's not the most definitive of answers.

A few resources on NTQSI and file handles:
http://forum.sysinternals.com/forum_posts.asp?TID=14546&KW=open+handles
http://www.codeproject.com/KB/shell/OpenedFileFinder.aspx?fid=422864&df=90&mpp=25&noise=3&sort=Position&view=Quick&fr=26&select=2277170
0
 

Author Comment

by:ALawrence007
ID: 24110223
burningmace,

The code Project application you mentioned looked like it is exactly what I need. The only thing is I don't know C++ at ALL. How can I convert that to VB.Net or is there a sample of this in VB or C#?

I also don't need to see the modified data, all I need to see is who opened the file and when.

Thanks
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 5

Expert Comment

by:burningmace
ID: 24114169
It's not something that's easy to convert. As .NET languages are managed and C++ is unmanaged, every API declaration and structure would need to be re-written, then the code could be translated into C#. I'm not brilliant with C++ myself, and would probably have a hard time translating stuff like this. I can't do anything today (I'm going out later) and I'm working all tomorrow, so I might be able to get a bit of experimentation done tomorrow. In the meantime, take a look at pinvoke.net's information on all the APIs used in the C++ application (if you can't pick them out of the code, read the article that came with it for some starting points). There should be some sample .NET code for some of them, just to get you familiar with them before you start trying to use them in something as large scale as this.
0
 
LVL 5

Expert Comment

by:burningmace
ID: 24114196
Just spotted bmatumbura's comments above. I'd completely forgotten about NTFS auditing - it could be a really useful tool in this situation. To simplify the idea:

Server runs NTFS auditing on files/folders of your choice.
Users access the files on the server and the server saves these access logs to the security log.
You read the security log to find out a whole list of who accessed what when.

To access the event log, just type "eventvwr.msc" into the Start -> Run... box (WinKey+R if it's not there).

I seem to remember this requiring some form of domain controller service being set up, I'm not too savvy on network server features. It was something along the lines of all machines on the network have to be linked to the domain controller and all user accounts are to be stored on the server itself. I don't know your server setup so I can't really advise - besides, programming is more my thing.

If you can't get the results you need, try posting a question under the Windows Server section as they will have a much better grasp at it that most people in the VB.NET section.
0
 

Author Comment

by:ALawrence007
ID: 24138296
Guys,

NTFS auditing is up and running on the server. I can view all the log files, but now I need to be able to access that in my own application using VB.Net. My users don't know how to use the event log and that is why I need to add the functionality to my current application.

Any suggestions?

Thanks
0
 
LVL 5

Accepted Solution

by:
burningmace earned 400 total points
ID: 24166129
The following code finds the security log and prints out all entries to the console. You can basically just filter out the logs you don't want by simple experimentation - first handle only logs with an EntryType of SuccessAudit or FailureAudit, then filter the results by looking for text that only NTFS audit logs have in their messages.
        Dim logs() As EventLog = EventLog.GetEventLogs()

        Dim sl As EventLog = Nothing

        Dim found As Boolean = False

        For i As Integer = 0 To logs.Length - 1

            If logs(i).LogDisplayName = "Security" Then

                sl = logs(i)

                found = True

            End If

        Next

        If Not found Then

            ' Error!

            MsgBox("Error - Security log not found.")

            Exit Sub

        End If

        For Each l As EventLogEntry In sl.Entries

            ' Do whatever you want with each log.

            Console.WriteLine(l.Message)

        Next

Open in new window

0
 

Author Closing Comment

by:ALawrence007
ID: 31568479
Thanks for the help and patience guys. Both got me to my solution in the end.
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

More often than not, we developers are confronted with a need: a need to make some kind of magic happen via code. Whether it is for a client, for the boss, or for our own personal projects, the need must be satisfied. Most of the time, the Framework…
Learn about cloud computing and its benefits for small business owners.
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now