1

Is any event logged when a user/process overwrites files? (Win Server 2012 R2)

1 Answer

2

Not unless you have auditing enabled for the files in question. Every write operation (that isn't on a HANDLE explicitly opened for append-only access) is effectively an overwrite (for example, when you save a file, the editor usually writes the whole file out again even if it's unchanged except to add some stuff to the end). The event log would explode.

If you want to turn on auditing, it's easy enough. Open Windows Explorer to the file (or directory) you want to audit, and open Properties on it. Go to the Security tab. Click Advanced and then go to the Auditing tab. To make any changes you'll need to be Admin (or have the ability to set the "System Access Control List" or SACL through an assigned privilege). Add a new SACL entry. Specify the user or group you want to audit ("Users" or "Everyone" are valid options). Choose whether to log only successful operations, only failures that were blocked by permissions, or both. Choose the types of access you want to audit for. For example, to log overwriting, you would audit the Write permission. If it's a directory, you can have the auditing SACL be inherited by files and subdirectories in the directory, or only apply to files and subdirs, just as with "normal" ACLs (technically called "Discretionary ACLs" or DACLs). You can add multiple SACLs, auditing different users and/or permissions.

CBHacking
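The same auditing setup done from PowerShell instead of the Explorer dialog, as an added example that is not part of the original answer. It assumes an elevated prompt on an English-locale system (the `auditpol` subcategory name is localized), and `D:\Data\Reports` is a hypothetical directory. It also turns on the "File System" audit subcategory, since Windows only writes events for an audit SACL when that policy is enabled.

```powershell
# Added example, not from the original answer. Run from an elevated prompt.
# $Path is a hypothetical directory; substitute the file or directory to audit.
$Path = 'D:\Data\Reports'

# An audit SACL produces events only if the "File System" audit subcategory is on.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Audit entry: Everyone, Write access, successes and failures,
# inherited by files and subdirectories of $Path.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::Write,
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    [System.Security.AccessControl.PropagationFlags]::None,
    ([System.Security.AccessControl.AuditFlags]'Success, Failure')
)

# -Audit is required; without it Get-Acl does not return the SACL.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Confirm the audit entry is present.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# Object-access events (ID 4663) land in the Security log; filter to this path.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
```

Scope the entry to the narrowest directory and principal that answers the question, because every write on an audited object generates an event.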