I have a script that monitors the filesystem using FileWatcher.IO in PowerShell. Currently it finds the user that made the file with:

```powershell
$owner = (Get-Acl $path).Owner
```

And it finds the computer that the file was made on with:

```powershell
$Computer = get-content env:computername
```

But I'd also like to obtain what machine the file was created from. For instance, if a user is logged into a terminal server, I can see the file is made on the terminal server. But I want to know the host name of the local machine that made the file on the terminal server.

Is this possible? I've been searching the MSDN PSEventArgs Class page without much success.

Cryptie
  • So you're running the script on every server, right? Watching a local directory/disk? Because `$env:computername` is only the machine name the script is running on, it won't help you if you're watching a remote folder (where anyone from any computer can add files). – Frode F. May 18 '16 at 18:27
  • Thank you Frode. It would appear as such. This is for a backend SAN wherein all users have write access, so that is correct. I tested myself, if I create a file on that share from my machine, the owner is still the server and not the originating host. – Cryptie May 18 '16 at 19:25
  • There's no easy way to get this. If it's a SAN, check for audit logs. If it can log the hostname/IP that executed the operation, then you have the client name. If the client name is a terminal server, you can query it for the RDP sessions where you can find information about user = Device (e.g. by using `qwinsta` with text parsing or the underlying Win32 API). But this can get ugly quickly and has to be executed almost in real time so you have enough time to get the RDP session before the user logs off. – Frode F. May 18 '16 at 19:31
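
What the Win32 API route mentioned in the comment above could look like, as an added example that is not part of the original thread: it asks a terminal server for its sessions and reports each session's client device name through the `wtsapi32.dll` session API. The names `Wts.Native`, `Get-WtsString` and `Get-RdpClientName` are made up for this example, and the caller is assumed to have rights to query sessions on that server.

```powershell
# Added example: P/Invoke wrapper over wtsapi32.dll (Remote Desktop Services API).
Add-Type -Namespace Wts -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential)]
public struct WTS_SESSION_INFO { public int SessionId; public IntPtr pWinStationName; public int State; }
[DllImport("wtsapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr WTSOpenServer(string pServerName);
[DllImport("wtsapi32.dll")]
public static extern void WTSCloseServer(IntPtr hServer);
[DllImport("wtsapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool WTSEnumerateSessions(IntPtr hServer, int reserved, int version, out IntPtr ppSessionInfo, out int pCount);
[DllImport("wtsapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool WTSQuerySessionInformation(IntPtr hServer, int sessionId, int infoClass, out IntPtr ppBuffer, out int pBytesReturned);
[DllImport("wtsapi32.dll")]
public static extern void WTSFreeMemory(IntPtr pMemory);
'@

# Reads one string-valued WTS_INFO_CLASS item for a session; returns nothing on failure.
function Get-WtsString($Server, [int]$SessionId, [int]$InfoClass) {
    $buf = [IntPtr]::Zero; $len = 0
    if ([Wts.Native]::WTSQuerySessionInformation($Server, $SessionId, $InfoClass, [ref]$buf, [ref]$len)) {
        try     { [Runtime.InteropServices.Marshal]::PtrToStringUni($buf) }
        finally { [Wts.Native]::WTSFreeMemory($buf) }
    }
}

# Lists user -> client device for every remote session currently on the server.
function Get-RdpClientName {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $server = [Wts.Native]::WTSOpenServer($ComputerName)
    $list = [IntPtr]::Zero; $count = 0
    try {
        if (-not [Wts.Native]::WTSEnumerateSessions($server, 0, 1, [ref]$list, [ref]$count)) {
            $code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
            throw "WTSEnumerateSessions failed on $ComputerName (Win32 error $code)"
        }
        $type = [type][Wts.Native+WTS_SESSION_INFO]
        $size = [Runtime.InteropServices.Marshal]::SizeOf($type)
        for ($i = 0; $i -lt $count; $i++) {
            $info   = [Runtime.InteropServices.Marshal]::PtrToStructure([IntPtr]::Add($list, $i * $size), $type)
            $client = Get-WtsString $server $info.SessionId 10            # 10 = WTSClientName
            if ($client) {   # console and service sessions have no client name
                $user = Get-WtsString $server $info.SessionId 5           # 5 = WTSUserName
                [pscustomobject]@{ Server = $ComputerName; SessionId = $info.SessionId; User = $user; ClientName = $client }
            }
        }
    } finally {
        if ($list -ne [IntPtr]::Zero) { [Wts.Native]::WTSFreeMemory($list) }
        [Wts.Native]::WTSCloseServer($server)
    }
}
# Constructed usage: Get-RdpClientName -ComputerName 'TS01' | Where-Object User -eq 'jdoe'
```

The result only covers sessions that still exist at the moment of the call, so it has to run right after the file event or audit record that named the terminal server.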

1 Answer

That information is not going to be stored in the file or its metadata, so no, there's no straightforward way to get at it.

By the way, you can just use `$env:computername` directly as a variable; there's no need to use `Get-Content`.

briantist