Solved

Who accessed files on computer

Posted on 2009-04-09
Last Modified: 2012-05-06
Hi to all,

I am currently working on a project where users need to be able to see who accessed a file and when. I am working on a Windows 2003 server and the files are all Word 2007 documents, I also use Visual Studio 2008 for programming.
The users are exactly that: users. They don't know how to get the file history and that is why I need to come up with an application that can give them that information. Word just tracks who modified the file last and who created the file. Nothing in between.

My question: Is it possible to track who opened a file through VB.net? Even if I have to look at the event viewer or something else?

Any suggestions would be welcomed.

Thanks to all
Question by:ALawrence007
9 Comments
 
LVL 11

Expert Comment

by:bmatumbura
ID: 24106551
This utility may help: http://www.engagent.com/products/product_FileAudit.htm

but if you intend to develop your own, then you will have to enable object access auditing on the machine that is hosting the word files; then read the access log events from the security events log.
0
 
LVL 11

Assisted Solution

by:bmatumbura
bmatumbura earned 400 total points
ID: 24106569
0
 
LVL 5

Expert Comment

by:burningmace
ID: 24106583
The only way to do it would be to create a system service that calls NtQuerySystemInformation (I'll call this NTQSI from now on) periodically to get a list of open file handles. Then filter the results for files you want to check and then find the PID that owns the handle (it's in one of the structures for NTQSI) and use System.Diagnostics.Process.GetProcessById(pid).StartInfo.UserName to get the name of the user that has the file open.

However, this is completely limited to finding open handles and cannot tell you if the user actually modified data. I suppose you could periodically check the file's Last Modified date and when it changes look at the last set of results from NTQSI to see which user had a handle on the file, but it's not the most definitive of answers.

A few resources on NTQSI and file handles:
http://forum.sysinternals.com/forum_posts.asp?TID=14546&KW=open+handles
http://www.codeproject.com/KB/shell/OpenedFileFinder.aspx?fid=422864&df=90&mpp=25&noise=3&sort=Position&view=Quick&fr=26&select=2277170
0
 

Author Comment

by:ALawrence007
ID: 24110223
burningmace,

The code Project application you mentioned looked like it is exactly what I need. The only thing is I don't know C++ at ALL. How can I convert that to VB.Net or is there a sample of this in VB or C#?

I also don't need to see the modified data, all I need to see is who opened the file and when.

Thanks
0
 
LVL 5

Expert Comment

by:burningmace
ID: 24114169
It's not something that's easy to convert. As .NET languages are managed and C++ is unmanaged, every API declaration and structure would need to be re-written, then the code could be translated into C#. I'm not brilliant with C++ myself, and would probably have a hard time translating stuff like this. I can't do anything today (I'm going out later) and I'm working all tomorrow, so I might be able to get a bit of experimentation done tomorrow. In the meantime, take a look at pinvoke.net's information on all the APIs used in the C++ application (if you can't pick them out of the code, read the article that came with it for some starting points). There should be some sample .NET code for some of them, just to get you familiar with them before you start trying to use them in something as large scale as this.
0
 
LVL 5

Expert Comment

by:burningmace
ID: 24114196
Just spotted bmatumbura's comments above. I'd completely forgotten about NTFS auditing - it could be a really useful tool in this situation. To simplify the idea:

Server runs NTFS auditing on files/folders of your choice.
Users access the files on the server and the server saves these access logs to the security log.
You read the security log to find out a whole list of who accessed what when.

To access the event log, just type "eventvwr.msc" into the Start -> Run... box (WinKey+R if it's not there).

I seem to remember this requiring some form of domain controller service being set up, I'm not too savvy on network server features. It was something along the lines of all machines on the network have to be linked to the domain controller and all user accounts are to be stored on the server itself. I don't know your server setup so I can't really advise - besides, programming is more my thing.

If you can't get the results you need, try posting a question under the Windows Server section as they will have a much better grasp of it than most people in the VB.NET section.
0
 

Author Comment

by:ALawrence007
ID: 24138296
Guys,

NTFS auditing is up and running on the server. I can view all the log files, but now I need to be able to access that in my own application using VB.Net. My users don't know how to use the event log and that is why I need to add the functionality to my current application.

Any suggestions?

Thanks
0
 
LVL 5

Accepted Solution

by:
burningmace earned 1600 total points
ID: 24166129
The following code finds the security log and prints out all entries to the console. You can basically just filter out the logs you don't want by simple experimentation - first handle only logs with an EntryType of SuccessAudit or FailureAudit, then filter the results by looking for text that only NTFS audit logs have in their messages.

        ' Requires "Imports System.Diagnostics" at the top of the file.
        ' Reading the Security log needs administrative rights.
        Dim logs() As EventLog = EventLog.GetEventLogs()
        Dim sl As EventLog = Nothing
        Dim found As Boolean = False
        ' Look through the logs on the local machine for the Security log.
        For i As Integer = 0 To logs.Length - 1
            If logs(i).LogDisplayName = "Security" Then
                sl = logs(i)
                found = True
                Exit For
            End If
        Next
        If Not found Then
            ' Error!
            MsgBox("Error - Security log not found.")
            Exit Sub
        End If
        For Each l As EventLogEntry In sl.Entries
            ' Do whatever you want with each log.
            Console.WriteLine(l.Message)
        Next


0
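One way to apply the filtering the accepted answer describes, as an added example that is not part of the original thread: it keeps only audit entries, narrows them to the object-open event, and prints when and by whom one document was opened. It assumes event ID 560 is the object-open audit event on Windows Server 2003, uses a hypothetical file path, and must run under an account allowed to read the Security log.

```vbnet
Imports System
Imports System.Diagnostics
Imports System.Security

Module FileAccessReport
    ' Assumption: 560 is the "Object Open" audit event on Windows Server 2003.
    ' Newer Windows versions log different IDs for the same activity.
    Private Const ObjectOpenEventId As Long = 560

    ' True when the entry is an object-open audit record that names filePath.
    Function IsOpenOf(ByVal e As EventLogEntry, ByVal filePath As String) As Boolean
        ' Step 1 from the answer: only SuccessAudit / FailureAudit entries.
        If e.EntryType <> EventLogEntryType.SuccessAudit AndAlso _
           e.EntryType <> EventLogEntryType.FailureAudit Then
            Return False
        End If
        ' The low 16 bits of InstanceId carry the event ID shown in Event Viewer.
        If (e.InstanceId And &HFFFFL) <> ObjectOpenEventId Then
            Return False
        End If
        ' Step 2 from the answer: match on text found in the audit message,
        ' here the full path of the audited file (case-insensitive).
        Return e.Message.IndexOf(filePath, StringComparison.OrdinalIgnoreCase) >= 0
    End Function

    Sub Main()
        ' Hypothetical path: replace with a document that has auditing enabled.
        Dim target As String = "D:\Shared\Report.docx"
        Try
            Using secLog As New EventLog("Security")
                For Each e As EventLogEntry In secLog.Entries
                    If IsOpenOf(e, target) Then
                        ' FailureAudit rows are denied attempts, not opens.
                        Console.WriteLine("{0:yyyy-MM-dd HH:mm:ss}  {1}  {2}", _
                                          e.TimeGenerated, e.UserName, e.EntryType)
                    End If
                Next
            End Using
        Catch ex As SecurityException
            Console.Error.WriteLine("Cannot read the Security log: " & ex.Message)
        End Try
    End Sub
End Module
```

The explicit `_` line continuations keep the code compatible with the Visual Studio 2008 compiler mentioned in the question.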
 

Author Closing Comment

by:ALawrence007
ID: 31568479
Thanks for the help and patience guys. Both got me to my solution in the end.
0
