Script to find all files modified by certain user

  • Hi guys,

    Could you please help me to make a script to find all files on one server modified by a certain user.

    Thank you

    • Changed type Bill_Stewart Monday, May 7, 2018 10:09 PM
    • Moved by Bill_Stewart Monday, May 7, 2018 10:09 PM This is not "teach me basics about security logging" forum
    Wednesday, March 7, 2018 7:08 AM

All replies

  • Hello,

    What have you come up with so far?

    Post your code and we'll help you to adjust it to your needs, but we won't write you a script from scratch.

    Wednesday, March 7, 2018 8:07 AM
  • Thank you, I will.

    I was wondering if somebody already has something similar.

    Wednesday, March 7, 2018 9:51 AM
    You cannot know who modified a file. You can only know the Owner of the file.

    # Owner comes from the file's security descriptor; it says nothing about who last wrote to it
    Get-ChildItem | ForEach-Object { $_.GetAccessControl().Owner }


    ¯\_(ツ)_/¯

    Wednesday, March 7, 2018 5:54 PM
  • So the easy answer is to turn on File system auditing for your system.

    The caveat is that you're going to see a huge uptick in security events.  

    This link below shows you a decent example of how to turn it on.  Though it's geared more towards 2008 R2 it appears.  

    https://support.solarwinds.com/Success_Center/Log_Event_Manager_(LEM)/Enable_File_Auditing_in_Windows

    With auditing turned on, you can parse the security event log for event 4663 and use the following table to look for the access mask you need.  


    AccessMask Value     Constant                Description
    0 (0x0)              FILE_READ_DATA          Grants the right to read data from the file.
    0 (0x0)              FILE_LIST_DIRECTORY     Grants the right to read data from the file. For a directory, this value grants the right to list the contents of the directory.
    1 (0x1)              FILE_WRITE_DATA         Grants the right to write data to the file.
    1 (0x1)              FILE_ADD_FILE           Grants the right to write data to the file. For a directory, this value grants the right to create a file in the directory.
    4 (0x4)              FILE_APPEND_DATA        Grants the right to append data to the file. For a directory, this value grants the right to create a subdirectory.
    4 (0x4)              FILE_ADD_SUBDIRECTORY   Grants the right to append data to the file. For a directory, this value grants the right to create a subdirectory.
    8 (0x8)              FILE_READ_EA            Grants the right to read extended attributes.
    16 (0x10)            FILE_WRITE_EA           Grants the right to write extended attributes.
    32 (0x20)            FILE_EXECUTE            Grants the right to execute a file.
    32 (0x20)            FILE_TRAVERSE           Grants the right to execute a file. For a directory, the directory can be traversed.
    64 (0x40)            FILE_DELETE_CHILD       Grants the right to delete a directory and all the files it contains (its children), even if the files are read-only.
    128 (0x80)           FILE_READ_ATTRIBUTES    Grants the right to read file attributes.
    256 (0x100)          FILE_WRITE_ATTRIBUTES   Grants the right to change file attributes.
    65536 (0x10000)      DELETE                  Grants the right to delete the object.
    131072 (0x20000)     READ_CONTROL            Grants the right to read the information in the security descriptor for the object.
    262144 (0x40000)     WRITE_DAC               Grants the right to modify the DACL in the object security descriptor for the object.
    524288 (0x80000)     WRITE_OWNER             Grants the right to change the owner in the security descriptor for the object.
    1048576 (0x100000)   SYNCHRONIZE             Grants the right to use the object for synchronization.

    Wednesday, March 7, 2018 10:29 PM
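As an added example (PowerShell, not code from this thread): once auditing is on, the parsing step described above can be done with one function that pulls Security event 4663 for a single user through an XPath filter, decodes the AccessMask field, and keeps only write-type access to files, returning the most recent write per path. The function name and the user 'jdoe' are made up; the mask values follow the winnt.h definitions (FILE_WRITE_DATA 0x2, FILE_APPEND_DATA 0x4, DELETE 0x10000).

```powershell
# Added example: query Security event 4663 for files a given user wrote to.
# Requires file-system auditing (a SACL on the watched folders) and rights to read the Security log.
# Mask bits are the winnt.h file access rights treated here as "modified":
#   FILE_WRITE_DATA = 0x2, FILE_APPEND_DATA = 0x4, DELETE = 0x10000
function Get-FileModificationsByUser {
    param(
        [Parameter(Mandatory)] [string] $UserName,           # SubjectUserName as logged, e.g. 'jdoe'
        [string]   $ComputerName = '',                       # empty = local Security log
        [datetime] $Since        = (Get-Date).AddDays(-45),
        [uint32]   $WriteMask    = 0x2 -bor 0x4 -bor 0x10000
    )

    # Let the event log service do the filtering: event id, time window and exact user name.
    $sinceUtc = $Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.000Z')
    $xpath = "*[System[EventID=4663 and TimeCreated[@SystemTime>='$sinceUtc']]" +
             " and EventData[Data[@Name='SubjectUserName']='$UserName']]"
    $query = @{ LogName = 'Security'; FilterXPath = $xpath; ErrorAction = 'Stop' }
    if ($ComputerName) { $query['ComputerName'] = $ComputerName }

    Get-WinEvent @query | ForEach-Object {
        # Read the named EventData fields from the XML rather than parsing the message text.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $mask = [Convert]::ToUInt32($data['AccessMask'], 16)    # logged as hex text, e.g. '0x2'
        if ($data['ObjectType'] -eq 'File' -and ($mask -band $WriteMask) -ne 0) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Path       = $data['ObjectName']
                AccessMask = '0x{0:X}' -f $mask
                Process    = $data['ProcessName']
            }
        }
    } | Sort-Object Path, Time -Descending | Group-Object Path | ForEach-Object { $_.Group[0] }  # newest write per file
}

# Usage with constructed values:
# Get-FileModificationsByUser -UserName 'jdoe' -Since (Get-Date).AddDays(-40) |
#     Export-Csv 'C:\Temp\jdoe-writes.csv' -NoTypeInformation
```

The XPath user match is exact (case and spelling as logged), and only events still present in the Security log are returned, which is why the retention discussion that follows matters.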
  • Thank you guys,

    I have auditing enabled but because, as you mentioned before, the security log is huge, I've set a 10Gb limit for that log, which covers approximately 40-45 days. But I need to go 6 months back and find all files modified by one particular user.

    Thursday, March 8, 2018 7:28 AM
  • If it's not in the security log, then you cannot retrieve that information.


    -- Bill Stewart [Bill_Stewart]

    Thursday, March 8, 2018 3:19 PM
    I second this. Unfortunately, unless you have your logs being forwarded to some sort of syslog, there is no possible way to retroactively get the information you desire.

    If a syslog is out of the question, my recommendation is to have the security log save as an archive file. You can then zip the file and either keep it on your server or export it elsewhere.

    I do this for a server where there are requirements for file system auditing. Below is part of a PowerShell script that I use to zip the archive. The archives are 200 MB, and zipping them gives about a 98% space savings, surprisingly. By no means is this the best option, as there are syslogs and products like Lepide that can look at your event logs to give you this information. Anyways, hope it helps some.

    # Find the archived Security logs (Archive-Security-*.evtx) and zip each one.
    $Files = Get-ChildItem "F:\SecurityEventLog\" -Recurse | Where-Object { $_.Name -like "Archive-Security*" }

    $FileCount = ($Files).Count

    if ($FileCount -gt 0)
    {
        ### Zip each Archive File ###
        foreach ($file in $Files)
        {
            $Name      = $file.FullName
            $ShortName = $file.Name
            Write-Host "Attempting to Zip file $ShortName"
            $ZipName = $Name -replace "\.evtx$", ".zip"
            $zip = $ZipName

            # Shell.Application only opens a file as a zip folder if it carries a valid (empty)
            # zip header, so write that 22-byte header instead of creating an empty file.
            [byte[]] $emptyZip = @(0x50, 0x4B, 0x05, 0x06) + (New-Object byte[] 18)
            [System.IO.File]::WriteAllBytes($zip, $emptyZip)

            $shellApplication = New-Object -ComObject Shell.Application
            $zipPackage = $shellApplication.NameSpace($zip)
            $zipPackage.CopyHere($file.FullName)

            # CopyHere runs asynchronously; wait (up to ~60 s) for the entry before moving on.
            $tries = 0
            while ($zipPackage.Items().Count -lt 1 -and $tries++ -lt 120) { Start-Sleep -Milliseconds 500 }
        }
    }
    
    
    

    If you wanted to get real fancy, you can copy the zipped file over to a destination with a simple Copy-Item.

    Copy-Item $ZipName -Destination $ExportPath1

    Thursday, March 8, 2018 3:38 PM