My normal answer to this is that we need to enable auditing and set up object access audit policies. With that sentence I usually lose the person on the word auditing.
But now there is a simple portable application that can report on all your local Windows shared files as easily as downloading, running and starting up the application.
First we will download Share Monitor from Softpedia. After downloading the application, go ahead and run it. You will see a screen that looks like this:
If you click the Start button in the upper left-hand corner, the application will start. If you do not have any Windows shared files on your computer, then nothing will happen. If you do have shares on your computer, Share Monitor will start its magic.
I downloaded and ran Share Monitor on my office desktop machine. I then clicked the Start button on the application, not changing anything, and I still saw nothing! So I attempted to access my shared folders from my machine and then again from one of my local servers. I then saw my log start to grow. Let’s see what it did:
So over the two-minute span I accessed 6 folders or files on two different shares.
- The Opened at field displays the date and time the share or file was opened.
- The Closed at field shows when the file or folder was closed.
- The Duration field computes the difference between those two fields.
- The User name is the logged-in user who accessed your files or folders.
- The Type is the type of operating system used.
- The Open mode can show read or write access.
- Finally, the File/Folder field shows the object that was accessed.
Now how can we use this information? Well let’s take a look below:
Now if I needed to know who the hell changed my website’s footer file I could look at the Share Monitor log and see that on 3/31/2010 at 3:02 PM a user logged in as “Administrator” modified my file. How do I know that? Well that is the only entry with Write + Read access to the file. All the other entries list only read access. This means that those users COULD NOT have modified my file. My culprit is the Administrator!
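The same triage can be scripted once the log grows past a screenful. The following is an added example, not part of Share Monitor or the original article: it assumes the log rows have been saved as CSV with columns named after the fields above (the CSV layout, the file path and the sample rows are constructed), and it goes one step further than the text by also checking that the file's last-modified time falls inside the write-capable session.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows (not real Share Monitor output). Column names follow
# the fields described in the article; the CSV layout itself is an assumption.
SAMPLE_LOG = """\
Opened at,Closed at,User name,Type,Open mode,File/Folder
2010-03-31 14:58:10,2010-03-31 14:58:40,jsmith,Windows,Read,C:\\Shares\\web\\footer.php
2010-03-31 15:02:05,2010-03-31 15:03:30,Administrator,Windows,Write + Read,C:\\Shares\\web\\footer.php
2010-03-31 15:04:00,2010-03-31 15:04:20,guest,Windows,Read,C:\\Shares\\web\\footer.php
2010-03-31 15:05:00,2010-03-31 15:05:45,jsmith,Windows,Write + Read,C:\\Shares\\web\\index.php
"""

FMT = "%Y-%m-%d %H:%M:%S"


def write_sessions(log_text, path, modified_at=None):
    """Return (user, opened, closed) for sessions that opened `path` with write access.

    If `modified_at` (the file's last-modified time) is given, keep only
    sessions whose open/close window contains it.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        # Windows paths are case-insensitive, so compare in lower case.
        if row["File/Folder"].lower() != path.lower():
            continue
        if "write" not in row["Open mode"].lower():
            continue
        opened = datetime.strptime(row["Opened at"], FMT)
        # A file that is still open has no close time; treat the window as open-ended.
        closed = datetime.strptime(row["Closed at"], FMT) if row["Closed at"] else datetime.max
        if modified_at is not None and not (opened <= modified_at <= closed):
            continue
        hits.append((row["User name"], opened, closed))
    return hits


if __name__ == "__main__":
    target = "C:\\Shares\\web\\footer.php"
    modified = datetime(2010, 3, 31, 15, 3, 0)  # constructed last-modified time
    for user, opened, closed in write_sessions(SAMPLE_LOG, target, modified):
        print(f"{user} had {target} open for writing from {opened} to {closed}")
```

The result only covers accesses made over the share while the monitor was running; changes made locally on the machine or before the log was started will not appear in it.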
Now this could be used to find someone deleting your files, editing stuff you do not want edited, and all sorts of other creative things you want to track without the need for any auditing knowledge on Windows! And if you need to set up file sharing between a Mac and a PC, check this article out from our very own Jackson Chung.
Do you have an easier method to do this? We would love to hear about it in the comments!