We help IT Professionals succeed at work.

Apps to monitor specific folders if it's being access by another apps

jana asked
We are going to be installing and testing a series of business apps and 2 apps developed by an outside programmer.  We wanted to know if there is an apps that we can installed, be left in memory and monitor if specific folders like "My Documents" are being accessed by these other apps.  Or maybe procedures of what we can do prior running the business apps so we can identified that these apps has accessed these folders.
Watch Question

Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015
Which OS? Assuming Windows, Process Monitor from www.sysinternals.com is a great tool to monitor file access (and more) based on filter conditions.
Exec Consultant
Distinguished Expert 2019
Indeed Sysinternal has tool for it too such as AccessChk (e.g. know what kind of accesses specific users or groups have to resources including files, directories, Registry keys, global objects and Windows services): http://technet.microsoft.com/en-us/sysinternals/bb664922

assuming it is windows, you can enable audit trails (e.g. Audit object access policy) for that folder of interest (e.g. Open the required shared folder properties and switch to the Security tab. Click Advanced → Auditing). Look out for event id 4663 (An attempt was made to access an object) http://blog.windowsnt.lv/2011/11/15/tracking-user-activity-english/...other ID also include below

5140 - A network share object was accessed.
4664 - An attempt was made to create a hard link.
4985 - The state of a transaction has changed.
5051 - A file was virtualized.
5031 - The Windows Firewall Service blocked an application from accepting incoming connections on the network.
4698 - A scheduled task was created.
4699 - A scheduled task was deleted.
4700 - A scheduled task was enabled.
4701 - A scheduled task was disabled.
4702 - A scheduled task was updated.
4657 - A registry value was modified.
5039 - A registry key was virtualized.
4660 - An object was deleted.
(older OS event id - http://blogs.msdn.com/b/ericfitz/archive/2006/10/26/how-are-object-access-events-generated.aspx)

Another suite candidate are the Nirsoft appls such as
- "LastActivityView" that collects information and displays a log of actions made by the user and events occurred on this computer. you can filter based on full path. There is a mentioned limit though, see more in   http://www.nirsoft.net/utils/computer_activity_view.html
- "OpenedFilesView" similar to prev tool and path filter can surface but rather  indirect as it also surface process locking certain files.. http://www.nirsoft.net/utils/opened_files_view.html
- "FolderTimeUpdate" list out the modified of the interested folder, but do note that not necessarily this can be accurate but will minimally give hints some access is performed http://www.nirsoft.net/utils/folder_time_update.html


Its windows 8 OS.

We tried Process Monitor prior placing the question, but can't to seem identify if specific folder or files has been access; can you let us know how?

Great Info!  Didn't know an apps for checking access of registry, objects & services) was out there; will proceed test!
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

The ProcMon filter should be set to
   "Path", "contains", "folder name here"
or, if you need to be more precise to get less entries
  "Path", "begins with", "C:\Folder\Folder\Folder"
You can also add a restriction for a single (!) process to monitor. Multiple "Process Name" entries will only work for excludes, no includes.
It is always a good idea with ProcExp to start more generic, and then stepwise exclude stuff you do not want to see. For efficiency make sure to have Filters » Drop Filtered Events ticked, so uninteresting log entries are not kept.


Ok, tried all tree apps.

Process Monitor:

Tried various ways, but can't seem to get it monitoring specific folders.

For example, we want to know when the folders 'C:\Users\username\Documents\' has been access (entered in, read, written, etc.).  We hit filter, but can't seem to set it up (see pic below)

Please advice on How-To.

The apps is only to display access attributes, it does not display when las access or how many times access.

Does exactly what we need but only displays "last viewed" not how many users.  Unfortunately it doesn't display the user.

We checked the site, can it be included?
btanExec Consultant
Distinguished Expert 2019

For ProcMon, you may also check out also Use Tools>File Summary. This tool will look at every single directory and will show how often it was opened, closed, etc. (Also bring the Path column to see it easily on the far right side of the window.). Otherwise, do focus on these two fields
Operation – this is the name of the operation that is being logged, and there is an icon that matches up with one of the event types (registry, file, network, process). These can be a little confusing, like RegQueryKey or WriteFile, but we’ll try and help you through the confusion.
Path – this is not the path of the process, it is the path to whatever was being worked on by this event. For instance, if there was a WriteFile event, this field will show the name of the file or folder being touched. If this was a registry event, it would show the full key being accessed.
Probably has to get use to it as the long list is pretty long and not easy to drill into specific, most likely you be using the Edit Filter option from the menu, or access the Filters section of the menu to display the list of filters and edit them in accordance to what you want to find out. You may also Drop Filtered Events using those that are not what you want to...http://blog.zensoftware.co.uk/2013/03/06/support-queries-shared-using-process-monitor-to-see-when-files-are-being-deleted/

Have more than one tool to validate find and reduce the noise
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

"last viewed" not how many users.  Unfortunately it doesn't display the user.
What's the user now coming in mean?

In regard of ProcMon filters, set up one for one process only, and exclude all folders you are not interested in.
btanExec Consultant
Distinguished Expert 2019

yes LastActivityView does not show user though it does track who has logon to the machine. so it is more assuming the current user account logon is generating the event. The OpenFilesView likewise did not show user but minimally show the process (name & id) performing the activity. The procmon is the regmon and filemon which is encompassing those info

Also the audit trail (audit object access) will be more comprehensive and integrated to Windows


Thanx for all the help.  For our purposes, 'LastActivityView' seemed to do the job.  Process Monitor seems more complete, but harder to understand; yet, we are trying to using both.

Prior closing the question we would like some link or documentation more easy-to-understand (or Dumb-Proof, ha-ha-ha) about Process Monitor.  Something that will tells what each field does, specially in the Filter window (the first pull-down where it shows 'Architecture, Authentication ID, Category' as per ID 40637570).
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Good luck in finding such doc :D.
If you start ProcMon, run it without filter, stop it short after a short time, right-click on the colums header and tick all columns, and then see what you get. That is the best way to understand what each filter condition can work on, as some are only appliable to processes, others to paths or files, or the registry. It is a complex tool, and best used by drilling down to what you really want to monitor by creating exclusion filters.
btanExec Consultant
Distinguished Expert 2019

maybe the easier is to get from the tool chm file, an extract but it seems to be lacking architecture
Application Details
Process Name The name of the process in which an event occurred.
Image Path The full path of the image running in a process.
Command Line The command line used to launch a process.
Company Name The text of the company name version string embedded in a process image file. This text is optionally defined by the application developer.
Description The text of the product description string embedded in a process image file. This text is optionally defined by the application developer.
Version The product version number embedded in a process image file. This information is optionally specified by the application developer.

Event Details
Sequence Number The relative position of the operation with respect to all events included in the current filter.
Event Class The class (File, Registry, Process) of the event.
Operation The specific event operation (e.g. Read, RegQueryValue, etc.).
Date & Time Both the date and the time of an operation.
Time of Day Only the time of an operation.
Path The path of the resource that an event references.
Detail Additional information specific to an event.
Result The status code of a completed operation.
Relative Time The time of the operation relative to Process Monitor's start time or the last time that the Process Monitor display was cleared.
Duration The duration of an operation that has completed.

Process Management
User Name The name of the user account in which the process that performed an operation is executing.
Session ID The Windows session in which the process that executed an operation is executing.
Authentication ID The logon session in which the process that executed an operation is executing.
Process ID The Process ID (PID) of the process that executed an operation.
Thread ID The Thread ID (TID) of the thread that executed an operation.
Integrity Level The integrity level at which the process that executed an operation is running (Windows Vista only).
Virtualized The virtualization status of the process that executed an operation (Windows Vista only).


Yup, Qlemo, that is what we are doing; trial-error and see how it work (real pain taking).  Thanx btan, we went by that, by like Qlemo said, run it and "see what you get".

Ok, thank you very much!  We really think that with your help, we have the tools for our project.


Hi, just wanted to add a couple of links, for EE members, that helped a lot to also understand Process Monitor:
(we found lots more, but these 3 were the most helpful)