Geekzone: technology news, blogs, forums


Aaroona

3204 posts

Uber Geek
+1 received by user: 169


#230759 12-Mar-2018 11:40

I am embarking on a journey to monitor certain critical files within our environment.
Windows event logging appears to give me information when someone uses certain rights against files when auditing is enabled, so from that perspective, Check!

 

The problem I am running into is that when you create a file, a 4663 event is not generated - for some reason it's not being seen as a "write" access. I can use 4663 to monitor Modify/Write access to an EXISTING file and delete actions against a file, but I can't seem to get this last piece of the puzzle.

 

There seems to be a lot of mixed information out there; some have said 4656 events, but those are requests against an object, and not necessarily the action taken against the file, from what I've read.

Anyone else run into this? Is there a way to track this info accurately with event logging?
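
The modify and delete tracking described in the post above, as an added example that is not part of the original thread: it decodes the AccessMask field of 4663 events from constructed sample XML and reports write and delete access to a watched file. The file path, user names and events are made up for illustration, and file creation is not covered.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# File access-right bits carried in the AccessMask field of event 4663.
WRITE_DATA, APPEND_DATA, DELETE = 0x2, 0x4, 0x10000

# Constructed sample events, trimmed to the fields this example reads.
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>{eid}</EventID></System><EventData>"
    '<Data Name="SubjectUserName">{user}</Data>'
    '<Data Name="ObjectName">{path}</Data>'
    '<Data Name="AccessMask">{mask}</Data>'
    "</EventData></Event>"
)
LEDGER = r"C:\Finance\ledger.xlsx"  # hypothetical critical file
SAMPLE_EVENTS = [
    TEMPLATE.format(eid=4663, user="alice", path=LEDGER, mask="0x2"),
    TEMPLATE.format(eid=4663, user="bob", path=LEDGER.upper(), mask="0x10000"),
    TEMPLATE.format(eid=4663, user="carol", path=LEDGER, mask="0x1"),  # read only
    TEMPLATE.format(eid=4656, user="dave", path=LEDGER, mask="0x2"),   # handle request
    TEMPLATE.format(eid=4663, user="erin", path=r"C:\Temp\notes.txt", mask="0x6"),
]

def parse_4663(xml_text):
    """Return user, path and decoded actions for a 4663 event, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4663":
        return None
    data = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    mask = int(data["AccessMask"], 16)
    actions = []
    if mask & (WRITE_DATA | APPEND_DATA):
        actions.append("modify")
    if mask & DELETE:
        actions.append("delete")
    return {"user": data["SubjectUserName"], "path": data["ObjectName"], "actions": actions}

def watch_hits(events, watched_paths):
    """List (user, action) pairs for modify/delete access to watched files."""
    watched = {p.lower() for p in watched_paths}  # Windows paths are case-insensitive by default
    hits = []
    for xml_text in events:
        rec = parse_4663(xml_text)
        if rec and rec["path"].lower() in watched:
            hits.extend((rec["user"], action) for action in rec["actions"])
    return hits

if __name__ == "__main__":
    print(watch_hits(SAMPLE_EVENTS, [LEDGER]))
```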


Aaroona

3204 posts

Uber Geek
+1 received by user: 169


  #1977106 15-Mar-2018 12:43

I'm surprised to see there are no answers or suggestions here.

I'm going to follow up with Microsoft directly and see what they come back with. The more I dig, the more I don't think there's a straightforward answer.




plas
456 posts

Ultimate Geek
+1 received by user: 59


  #1977165 15-Mar-2018 13:25

I use https://www.lepide.com/lepideauditor/file-server-auditing.html to monitor file servers. If I remember correctly event logs don't record enough events to be useful.

 

 

