Solved

Does Windows 7 log all files ever opened?

Posted on 2011-09-02
Last Modified: 2012-05-12
Hi

I'm trying to find out whether Windows retains a log of all files ever opened and what location it was launched from.

Thanks
D
0
Question by:daiwhyte
4 Comments
 
LVL 20

Accepted Solution

by:
netcmh earned 167 total points
ID: 36473741
Opening a file is a vague term. Applications and users "open" files differently.

Are you trying to get a log of user actions on a commonly shared file/s or folder/s? If so, then a versioning software might be the answer.

Since the OS log files can only grow up to a limit, they tend to overwrite the oldest data. Not sure how long back you wanted to go.
0
 
LVL 5

Assisted Solution

by:ChopOMatic
ChopOMatic earned 167 total points
ID: 36473859
Unfortunately, the answer is no. There is a journal (USNJRNL) that maintains a record of file changes, but no system process that logs every open. Any such log would be prohibitively cumbersome to maintain IMHO. To see what I mean, download and run FILEMON. This will let you view file activity on your system in real time. Watch it for a few minutes, then imagine that a process like that is running 100% of the time and documenting that activity.
0
 
LVL 62

Assisted Solution

by:btan
btan earned 166 total points
ID: 36477141
Windows 7 does not keep a copy of the files ever opened.

Even at the audit policy level [1], it goes only as far as tracking all the files that are accessed by defined groups of (local/domain) users, or even a per-user audit trail. The events are captured provided the policies are enabled prior to those activities.

Windows has Shadow Copy (Volume Snapshot Service or Volume Shadow Copy Service or VSS) [2], which is a technology included in Microsoft Windows that allows taking manual or automatic backup copies or snapshots of data, even if it has a lock, on a specific volume at a specific point in time over regular intervals. The end result is similar to a versioning file system, allowing any file to be retrieved as it existed at the time any of the snapshots was made. But it is not necessarily triggered when a document is opened. E.g., the shadow copy is not created every time a file is changed; backup copies are created automatically once per day, or manually when triggered by the backup utility or installer applications which create a restore point. For installed programs, there is always a snapshot capture of the machine state, sometimes called a restore point.

It is possible to track temp files, but not necessarily the copy of the final file. It depends on the application used to open the files. E.g., for Microsoft Office, one of the possible areas is the Temp folder, and there may be more [3]. The recently opened files are also tracked by Office [4]. Interestingly, for Outlook attachments, there can be a log of them too [5].

Overall, unless you are using a third-party product to monitor the files or you are setting up a honeypot, it depends mostly on the application as well.
Logging the files themselves is a space eater, hence probably just tracking and logging the events may suffice. Just some thoughts.


[1] http://social.technet.microsoft.com/wiki/contents/articles/advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx
[2] http://en.wikipedia.org/wiki/Shadow_Copy
[3] http://support.microsoft.com/kb/211632
[4] http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots#Recently%20Opened%20Office%20Docs
[5] http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots#Temp%20folder%20for%20Outlook%20attachments
0
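The audit-policy route mentioned in the answer above, as an added example that is not part of the original thread: it enables file system auditing, puts an audit entry on one folder, and reads the resulting access events (Event ID 4663) back from the Security log. The folder path `C:\Sensitive`, the `Everyone` principal and the 200-event window are assumptions chosen for illustration; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread). $Folder is a hypothetical path.
$Folder = 'C:\Sensitive'

# 1. Enable the "File System" object-access audit subcategory.
#    Nothing is recorded for activity that happened before this point.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit entry (SACL) so that reads of files under $Folder are logged.
#    Auditing only fires for objects that carry such an entry.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone',                        # who to audit (assumption)
            'ReadData',                        # which access to audit
            'ContainerInherit,ObjectInherit',  # apply to subfolders and files
            'None',
            'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Read back Event ID 4663 ("An attempt was made to access an object").
#    The Security log has a size limit, so the oldest events are overwritten.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                       -MaxEvents 200 -ErrorAction SilentlyContinue

$report = foreach ($evt in $events) {
    # Flatten the <EventData> name/value pairs into a hashtable.
    $data = @{}
    foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    # Keep only accesses under the audited folder.
    if ($data['ObjectName'] -like "$Folder\*") {
        New-Object PSObject -Property @{
            Time    = $evt.TimeCreated
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Process = $data['ProcessName']   # program that opened the file
            File    = $data['ObjectName']    # full path of the file
            Access  = $data['AccessMask']    # 0x1 = ReadData
        }
    }
}
$report | Select-Object Time, User, Process, File, Access | Format-Table -AutoSize
```

A single document open usually produces several 4663 events from the same process, so group the output by `File` and `Process` before counting opens.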
 

Author Closing Comment

by:daiwhyte
ID: 36488458
Thank you.
0
