Wednesday, December 12, 2007

Who changed that file?

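Windows doesn't actually track who changes a file unless you tell it to. Right-click your directory -> Properties -> Security -> Advanced -> Auditing -> Add Everyone -> check the access types you want to audit (in my case "Write Attributes"). The "Audit object access" policy (Local Security Policy -> Local Policies -> Audit Policy) also has to be enabled, otherwise the auditing entry on the directory produces no Security log events.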

Start tracking changes using FileSystemWatcher, and look up the matching audit entries in the Security log using EventLog:

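/// <summary>
/// Starts watching C:\test\temp and routes Changed notifications to
/// <c>fsw_changed</c>.
/// </summary>
/// <remarks>
/// The watcher is only the trigger for the audit-log lookup. FileSystemWatcher
/// can drop notifications (it reports that through its Error event), so the
/// Security log, not this callback, is the record of who touched the file.
/// </remarks>
private void StartFileMon()
{
    // NOTE(review): the watcher is referenced only by this local. Consider keeping
    // it in a field so its lifetime is explicit and it can be disposed on shutdown.
    FileSystemWatcher fsw = new FileSystemWatcher();
    fsw.Path = @"C:\test\temp";

    // Subscribe before enabling events, so a change that happens between the two
    // statements is not raised with no handler attached.
    fsw.Changed += new FileSystemEventHandler(fsw_changed);
    fsw.EnableRaisingEvents = true;
}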
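/// <summary>
/// Handles a Changed notification: prints the changed path, then prints every
/// Security log entry with instance id 560 generated in the last 60 seconds.
/// </summary>
/// <param name="Sender">The watcher that raised the event (unused).</param>
/// <param name="E">Event data carrying the changed file's path and change type.</param>
/// <remarks>
/// Correlation is by time window only. An audit entry for any other audited object
/// in the same 60 seconds is printed too, so treat the output as candidates and
/// check the object name in the message before attributing a change to a user.
/// Reading the Security log normally requires administrative rights.
/// </remarks>
private void fsw_changed(object Sender, FileSystemEventArgs E)
{
    // Read the clock once so the printed time and the search window agree.
    DateTime now = System.DateTime.Now;
    Console.WriteLine("The file " + E.FullPath + " was " + E.ChangeType.ToString() + " on " + now.ToString());

    // Only audit entries from the last minute are considered.
    DateTime windowStart = now.Subtract(TimeSpan.FromSeconds(60));

    // EventLog holds a handle to the log, so release it when the lookup is done.
    using (EventLog Log = new EventLog("Security"))
    {
        // NOTE(review): 560 is the object-access audit id on the Windows versions
        // current when this was written. Later versions log object access under
        // different ids (e.g. 4656/4663) - confirm the id for the target OS.
        EventLogEntry[] Entries = EventLogSearch.FindInstanceId(Log.Entries, 560);
        Entries = EventLogSearch.FindTimeGeneratedAtOrAfter(Entries, windowStart);

        foreach (EventLogEntry Entry in Entries)
        {
            Console.WriteLine("Message: " + Entry.Message);
            Console.WriteLine("InstanceId: " + Entry.InstanceId);
            Console.WriteLine("Category: " + Entry.Category);
            Console.WriteLine("EntryType: " + Entry.EntryType.ToString());
            Console.WriteLine("Source: " + Entry.Source);
            // The account is what this lookup is for, so label it as such
            // instead of printing a second "Source" line.
            Console.WriteLine("UserName: " + Entry.UserName);
        }
    }
}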
/// <summary>
/// Returns the entries whose TimeGenerated is at or after the given time,
/// in the order they were enumerated.
/// </summary>
/// <param name="logEntries">Sequence of <see cref="EventLogEntry"/> objects to filter.</param>
/// <param name="timeGeneratedQuery">Inclusive lower bound for TimeGenerated.</param>
/// <returns>A new array of the matching entries; empty when nothing matches.</returns>
public static EventLogEntry[] FindTimeGeneratedAtOrAfter(
    IEnumerable logEntries, DateTime timeGeneratedQuery)
{
    ArrayList matches = new ArrayList();

    foreach (EventLogEntry candidate in logEntries)
    {
        // Skip anything generated before the cut-off.
        if (candidate.TimeGenerated < timeGeneratedQuery)
        {
            continue;
        }

        matches.Add(candidate);
    }

    return (EventLogEntry[])matches.ToArray(typeof(EventLogEntry));
}
/// <summary>
/// Returns the entries whose InstanceId equals the given id, in the order
/// they were enumerated.
/// </summary>
/// <param name="logEntries">Sequence of <see cref="EventLogEntry"/> objects to filter.</param>
/// <param name="instanceIDQuery">Instance id to match.</param>
/// <returns>A new array of the matching entries; empty when nothing matches.</returns>
public static EventLogEntry[] FindInstanceId(IEnumerable logEntries,
    int instanceIDQuery)
{
    ArrayList matches = new ArrayList();

    foreach (EventLogEntry candidate in logEntries)
    {
        // Keep only entries carrying the requested instance id.
        if (candidate.InstanceId != instanceIDQuery)
        {
            continue;
        }

        matches.Add(candidate);
    }

    return (EventLogEntry[])matches.ToArray(typeof(EventLogEntry));
}

Searching the event logs is slow, so use common sense when doing this. Reading the Security log also normally requires an account with administrative rights.

For more info buy this book: http://www.oreilly.com/catalog/csharpckbk2/
