• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 310
  • Last Modified:

show file server hits

I have a product that is supposed to be able to write files out to a network share.  The problem is that I have no way to track exactly when and if the system made an attempt to write a file to the network share.  The system supplied by the vender is set up on a cluster of servers and has several accounts on the domain that it uses internally.  We are trying to create reports/files using its built in Ad-Hoc query tool and supplying a network path as a location for the file. Problem is, I don't know which account the report tool will use to try to create the file and I don't know were if any would the attempt be logged if it tried and failed.


  • 4
  • 3
1 Solution
You can turn on auditing for successes and failure on the file server.  
sidwelleAuthor Commented:
Can you tell me where to turn that feature on ?
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

sidwelleAuthor Commented:
That is a good tutorial.  Why so much redundancy in the audit ?

The file that I am editing is in a subfolder, one folder deep from where the root folder for auditing was set. But it's like the log shows an event for the folder, sub-folder, and object.

Looks like I see this pattern about 3 times:
1.) An handle to an object was requested.
2.) An attempt was made to access an object.
3.) The handle to an object was closed.

Here is the log entries for this edit in Ascending order:
1.) An account was successfully logged on.
2.) A network share object was accessed.
3.) A handle to an object was requested.
4.) An attempt was made to access an object.
5.) The object handle was closed.
6.) An object handle was requested.
7.) The object handle was closed.
8.) An object handle was requested.
9.) An attempt was made to access an object.
10.) The handle to an object was closed.
11.) An handle to an object was requested.
12.) An attempt was made to access an object.
13.) The handle to an object was closed.

You would have to ask Microsoft.  They are the ones that created this.

Without looking at the detail of the audit logs, each entry may be showing you different things.

The account successfully logged in, is of course saying that your user-id and password was O.K.

The network share object represents the share you are accessing.  Since you could access multiple shares on the same server, it needs to tell you exactly what share you are going after.  Each share could have its own security so it needs to show that.

Accessing the object I believe would be the actual file and, once again, since you could access multiple files under the same share it has to show each file you are trying to access.  

I'm not sure about the handle's, you might be able to look at the details but this could be related to actually opening and closing the file and if you are opening it in write or read only mode.  

The difference between "object" and "handle" may be what you are actually doing.  The "object" could be looking at the file's attributes where as the handle is the actual reading/writing of the file.
sidwelleAuthor Commented:
The audit is clumsy, but I can get what I need form it.

Thanks for the help.
I personally have not used it, but you may want to try:


I have been told that it is a fairly decent tool.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now