UserName of the use who last modified a file in Windows

[mazen.s.m]

I have been trying to find a way to get the Domain and UserName of the
user that last modified a file.
I know how to get the owner of the file via WMI or Win32, but I can't
find a way to get the name of the user that last modified it. Is this
possible? I am using C#.

Thanks.

 

[Willy Denoyette [MVP]]

I have been trying to find a way to get the Domain and UserName of the
user that last modified a file.
I know how to get the owner of the file via WMI or Win32, but I can't
find a way to get the name of the user that last modified it. Is this
possible? I am using C#.

Thanks.

No, the system doesn't keep track of this, this is something you will have to do yourself.

Willy.

 

[mazen.s.m]

No, the system doesn't keep track of this, this is something you will have to do yourself.

Willy.

Thanks Willy. This is quite rubbish. If windows is recording and
keeping track of the "Last Modified" time, why not record the identity
of the person that did the modification as well. I am quite surprised
at that.
Cheers,

 

[Willy Denoyette [MVP]]

Thanks Willy. This is quite rubbish. If windows is recording and
keeping track of the "Last Modified" time, why not record the identity
of the person that did the modification as well. I am quite surprised
at that.
Cheers,

What you are asking is simply not possible, the costs of such generic book keeping is simply
too high. The system doesn't keep track of this for performance reasons, that's also why the
system only performs an access check at file "open" time and not for any IO following the
open.

Willy.

 

[Ignacio Machin \( .NET/ C# MVP \)]

Hi,

Thanks Willy. This is quite rubbish. If windows is recording and
keeping track of the "Last Modified" time, why not record the identity
of the person that did the modification as well. I am quite surprised
at that.
Cheers,

AFAIK this is true in all the OS, none record the user that modified the
file, just when the file was modified.

 

[Willy Denoyette [MVP]]

Hi,



AFAIK this is true in all the OS, none record the user that modified the file, just when
the file was modified.

No, not even when the file was modified, the system performs an access check at file open
time by checking the user's access token. Once the user has an handle to the file, he can do
whatever is possible given his token, the system does not perform any further check from
this point on. Note also that the system doesn't update the "last modified" time for each
write, the "last modified" time is only updated at file closing time provide that this time
is equal to the "last modified " time + 1 minute.


Willy.

 

[Laura T.]

You *could* activate object access auditing and then try to trace the audit
events... The audititing system traces the user's SID and the object access.
For there you *COULD* in theory to find out who was the last SID
manipulating the file.

The audit event 567 can trace that:
"
A permission associated with a handle was used.
Note: A handle is created with certain granted permissions (Read, Write, and
so on). When the handle is used, up to one audit is generated for each of
the permissions that was used. "

More of it here and why it's not worth of it (I've tried it):

http://blogs.msdn.com/ericfitz/archive/2006/03/07/545726.aspx

 

[Willy Denoyette [MVP]]

You *could* activate object access auditing and then try to trace the audit events... The
audititing system traces the user's SID and the object access. For there you *COULD* in
theory to find out who was the last SID manipulating the file.

The audit event 567 can trace that:
"
A permission associated with a handle was used.
Note: A handle is created with certain granted permissions (Read, Write, and so on). When
the handle is used, up to one audit is generated for each of the permissions that was
used. "

More of it here and why it's not worth of it (I've tried it):

http://blogs.msdn.com/ericfitz/archive/2006/03/07/545726.aspx

Agreed, that's something you can do on a restricted level, say per file basis or folder (by
activating the File auditing) depending on the systems activity (number of users number of
file accesses etc.), the problem is that the number of events can be so high, that the
security log fills very quickly. Also don't underestimate the performance impact of this,
especially on a servers, this kind of auditing is done to find illegal object attempts, not
really to audit success attempts.
Willy.

 

[Laura T.]

I agree. And I strongly advise to not use this method for general file
tracking.
A better way is to make a FS filter driver to track file usage. It's safer
and much faster.

 

[mazen.s.m]

"Ignacio Machin ( .NET/ C# MVP )" <machin TA laceupsolutions.com> wrote in message







No, not even when the file wasmodified, the system performs an access check at file open
time by checking theuser'saccess token. Once theuserhas an handle to the file, he can do
whatever is possible given his token, the system does not perform any further check from
this point on. Note also that the system doesn't update the "lastmodified" time for each
write, the "lastmodified" time is only updated at file closing time provide that this time
is equal to the "lastmodified" time + 1 minute.

Willy.- Hide quoted text -

- Show quoted text -

My point was that at the same time that windows is recording the "last
Modified" time, at closing or whenever its doing it, is to record the
user identity(Domain\user) at the same time. Not sure why this would
be such a masiv overhead!! But, I guess this is a design decision
since this effects performance per your comment above.
Thanks guys for all your input and information.
-Mazen