PowerShell File/Folder Monitoring Script

Hi All,

I found this script online for monitoring files and folders, however I need to know the user name that made the change.

Is there any way I can edit this script to tell me the user names?

Thank you in advance,

Kelly

# make sure this folder exists. Script will monitor changes to this folder:
$folder = 'C:\MonitorTest'
$timeout = 1000
$FileSystemWatcher = New-Object System.IO.FileSystemWatcher $folder
Write-Host "Press CTRL+C to abort monitoring $folder"
while ($true) {
    $result = $FileSystemWatcher.WaitForChanged('all', $timeout)
    if ($result.TimedOut -eq $false)
    {
        Write-Warning ('File {0} : {1}' -f $result.ChangeType, $result.name)
    }
}
Write-Host 'Monitoring aborted.'


Kelly Garcia, Senior Systems Administrator, asked:

Robin CM, Senior Security and Infrastructure Engineer, commented:
The easiest way is to check the file owner. This will only tell you who created a new file; to find out who modified it is more difficult, because by the time the file has been saved there may not be a lock on it anymore, so without turning on file auditing and querying the logs I can't think of a way around that.
So this will tell you the owner of the file, which will be the account that created it, but may not be the account that modified it (depending on how your permissions are set up).
# make sure this folder exists. Script will monitor changes to this folder:
$folder = 'D:\TD2'
$timeout = 1000
$FileSystemWatcher = New-Object System.IO.FileSystemWatcher $folder
Write-Host "Press CTRL+C to abort monitoring $folder"
while ($true) {
    $result = $FileSystemWatcher.WaitForChanged('all', $timeout)
    if ($result.TimedOut -eq $false){
        $Owner = ""
        $FilePath = Join-Path -Path $folder -ChildPath $result.Name
        if(Test-Path -Path $FilePath){
            $Owner = ((Get-Acl -Path $FilePath).Owner+" ")
        }
        Write-host ($Owner+$Result.ChangeType+": "+$Result.Name)
    }
}


0
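The answer above names file auditing and the logs as the way to learn who modified a file. As an added example that is not part of the original thread, this sketch enables object-access auditing on the folder and reads Security event 4663 to report the account behind each write or delete. It assumes an elevated session, a local NTFS folder at the thread's D:\TD2 path, and that event 4663 records the object as a drive-letter path; the function name Get-FolderChangeUser is hypothetical.

```powershell
# Added example (not from the thread). Run in an elevated session.
$folder = 'D:\TD2'   # folder used in the thread's scripts

# 1. Turn on the "File System" audit subcategory for successful accesses.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add an audit rule (SACL entry) so writes and deletes under $folder are logged.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, 'None', 'Success')
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Read event 4663 ("An attempt was made to access an object") and report who did what.
function Get-FolderChangeUser {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$Path,
        [datetime]$Since = (Get-Date).AddMinutes(-10)
    )
    $prefix = $Path.TrimEnd('\') + '\'
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the <EventData> name/value pairs into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $object = [string]$data['ObjectName']
        # Literal prefix match: file names containing [ ] must not be treated as wildcards.
        if ($object.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            # AccessMask is hex (e.g. 0x2 = write data, 0x10000 = delete).
            $mask = [Convert]::ToInt32($data['AccessMask'], 16)
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Access  = [System.Security.AccessControl.FileSystemRights]$mask
                File    = $object
                Process = $data['ProcessName']
            }
        }
    }
}

Get-FolderChangeUser -Path $folder | Sort-Object Time | Format-Table -AutoSize
```

Unlike the file owner, the User column here is the account whose handle performed the access, so it also covers modifications to existing files.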
Kelly Garcia, Senior Systems Administrator (Author), commented:
Hi,

Thanks for the answer, however this tells the group within my machine that created the account.

E.g. BUILTIN\Administrators Created: New folder (3)
0
Kelly Garcia, Senior Systems Administrator (Author), commented:
Also, please can someone explain what the ...." File {0} : {1}' -f " means in the original script, as I am trying to learn PowerShell.
0

Robin CM, Senior Security and Infrastructure Engineer, commented:
You might not have the permissions set to grant full control to CREATOR OWNER then.
That's the best I can do given the abilities of the file system.
0
Kelly Garcia, Senior Systems Administrator (Author), commented:
Where it says $result = $FileSystemWatcher.WaitForChanged('all', $timeout)

how do I find out all the values that are applicable for WaitForChanged()?
0
Robin CM, Senior Security and Infrastructure Engineer, commented:
The bit of PowerShell you're asking about is using formatting (-f) as a way to merge variables into text. e.g.
write-host ("Hello {0} something {1}" -f "First","Second")
Personally, I prefer the method I used as it makes it easier to see what the resulting text is going to look like.
Formatting is useful in some scenarios, see some examples and an explanation here: http://www.computerperformance.co.uk/powershell/powershell_-f_format.htm
0
Robin CM, Senior Security and Infrastructure Engineer, commented:
Google and/or MSDN.
MSDN is not the easiest technical resource to use, and usually involves lots of clicking through to further pages. The examples tend not to include PowerShell either, which is nice.
https://msdn.microsoft.com/en-us/library/s3tf46w9(v=vs.110).aspx
0
Kelly Garcia, Senior Systems Administrator (Author), commented:
Thank you.
0
Robin CM, Senior Security and Infrastructure Engineer, commented:
Yet another version, won't give you anything extra on locally created/modified files, and even for some remote files, but if the folder is accessed remotely this will tell you some more user info courtesy of Get-SmbOpenFile. You need to run it "as administrator" as a result.
$folder = 'D:\TD2'
$timeout = 1000
$FileSystemWatcher = New-Object System.IO.FileSystemWatcher $folder
Write-Host "Press CTRL+C to abort monitoring $folder"
while ($true) {
    $result = $FileSystemWatcher.WaitForChanged('all', $timeout)
    if ($result.TimedOut -eq $false){
        [string]$User = ""
        $FilePath = Join-Path -Path $folder -ChildPath $result.Name
        if(Test-Path -Path $FilePath){
            # @() guarantees an array, so .Count and [0] behave the same for one match or many
            $SMBUserArray = @(Get-SmbOpenFile -IncludeHidden | Where-Object -Property Path -Like $FilePath)
            if($SMBUserArray.Count -ge 1){
                # File is open over SMB: report the remote user holding it
                $User = "SMB:   "+$SMBUserArray[0].ClientUserName+" "
            }else{
                try{
                    # Fall back to the file owner (the creator, not necessarily the modifier)
                    $User = "Owner: "+(Get-Acl -Path $FilePath -ErrorAction Stop).Owner+" "
                }catch{
                    # File vanished or ACL unreadable: leave $User empty
                }
            }
        }
        Write-host ($User+$Result.ChangeType+": "+$Result.Name)
    }
}


0
