Logged file/folder creation, modification, deletion

Status
Not open for further replies.

lefnire

I'm trying to debug an installer, and I want to make sure that installations are performed properly when I tweak some settings. What I want to do is compare the logged file/folder changes after a proper installation to the logged changes after a tweaked installation, and if all files/folders were created, changed, deleted in exactly the same way, I know the tweaked install was ok.

So is there a system file that keeps track of all creation, modification, and deletion of files and folders? I think it might be ntuser.dat.log or software.log, but I'm not sure. I came to these two files by creating, modifying, and deleting random files, then performing multiple "date modified" searches to find the files that are most frequently modified when I perform these operations.
The problem is, if one of these two files is the one I'm looking for, I can't access either of them since they are system files currently in use.

So my question is if there is a file that logs file/folder creation/mod/del and how to access this file if access is prevented.
 
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/519.mspx?mfr=true

Audit object access

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

Description
Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.

If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a user successfully accesses an object that has a SACL specified. Failure audits generate an audit entry when a user unsuccessfully attempts to access an object that has a SACL specified. To set this value to no auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.

Note that you can set a SACL on a file system object using the Security tab in that object's Properties dialog box.

Default: No auditing.
 
This looks like my guy. Do you know if audits (if turned on) are logged in a file somewhere? Also, I noticed the audits spot file alterations, but is there a way to show what alterations were made? For example, if I opened up a text file, deleted some words, and saved it... is there any way I can find out any more than that the text file was simply altered?
 
Audit logs can be viewed in Event Viewer in the Security tab.


It won't show you what data has changed. It will just tell you that the data WAS changed.
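
Added example, not part of the original thread: the audit policy, the folder SACL and the Security log discussed above, combined into a comparison of two installer runs. It assumes Windows Vista or later (where audited file access is Security event 4663 and `auditpol` accepts subcategories), an English-language system, an elevated PowerShell session, and a hypothetical install folder `C:\InstallTest`; both function names are hypothetical.

```powershell
# Added example. Assumes Windows Vista or later and an elevated session.
# C:\InstallTest and both function names are hypothetical.
function Enable-FolderAudit([string]$Root) {
    # Policy side: "Audit object access" for the file system, success events.
    # The subcategory name is localized; "File System" assumes English.
    auditpol /set /subcategory:"File System" /success:enable | Out-Null
    # Object side: SACL entry auditing writes and deletes by anyone,
    # inherited by every file and subfolder under $Root.
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', $rights, 'ContainerInherit, ObjectInherit', 'None', 'Success')
    $acl = Get-Acl -Path $Root -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Root -AclObject $acl
}

function Get-AuditedChanges([string]$Root, [datetime]$Since) {
    # Event 4663 = "An attempt was made to access an object".
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the event's named <Data> fields into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['ObjectName'] -like "$Root\*") {
            # AccessMask says which right was used (for example 0x2 write
            # data, 0x10000 delete), never what the new content is.
            [pscustomobject]@{ Path = $d['ObjectName']; AccessMask = $d['AccessMask'] }
        }
    } | Sort-Object Path, AccessMask -Unique
}

$root = 'C:\InstallTest'
Enable-FolderAudit $root
foreach ($run in 'baseline', 'tweaked') {
    Read-Host "Empty $root, then press Enter" | Out-Null
    $t0 = Get-Date
    Read-Host "Run the $run install into $root, then press Enter" | Out-Null
    Get-AuditedChanges $root $t0 | Export-Csv "$run.csv" -NoTypeInformation
}

# No output means both installs touched the same paths with the same rights.
Compare-Object (Import-Csv baseline.csv) (Import-Csv tweaked.csv) -Property Path, AccessMask
```

As the last reply says, this records that a path was written or deleted, not what changed inside the file.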
 