I guess this is a tough one:
I have enabled auditing on a folder and let windows record write access to it ("create files/write data").
When I insert "ordinary" files, this works well and 1 file creates 1 eventlog entry - nice.
But If I copy files into it that have alternate data streams, I get 2 eventlog entries, which is very unpleasant, because I use eventlog task-triggering.
Can we tell windows somehow not to create separate event entries for alternate data streams?
Example log entry (on windows 8.1):
Object Name: \Device\HarddiskVolume8\auditFolder\testfile.pdf:Zone.Identifier