How to detect which files a process has accessed

Have you ever wondered which processes are accessing the files on a computer? Knowing this comes in handy for programmers and other IT professionals, whether you want to write a new piece of code or look into which services are running on the computer. It is helpful for every IT professional to know, so be sure to keep on reading.

Configure global monitoring for access to the file system and registry

Auditing critical resources helps uncover unwanted and suspicious activity. Such monitoring is useful for files with sensitive information or for the registry. Global monitoring simplifies configuration, but produces more data in the log file. Since Windows 7 and Server 2008, Microsoft has supported an extended auditing model that is no longer limited to 9 activities, as it used to be, but allows fine-grained monitoring of access to system components. Under the extended auditing policy, there are currently 53 settings in the GPO editor that affect different events.

SACL configuration required

What they have in common, however, is that once the auditing policy has been activated, the system access control list (SACL) on the resource side must first be configured before events are recorded. This can be a directory in the file system, a key in the registry or a container in the Active Directory.
If auditing only affects a few objects, their SACL can be edited individually using GUI tools such as Active Directory Users and Computers or the Registry Editor. But as soon as a large number of objects or computers are affected, this approach quickly reaches its limits.

Adjust SACL centrally via group policies

In this case, it is advisable in managed environments to configure the SACLs using group policies. For this purpose, under Computer Configuration => Policies => Windows Settings => Security Settings, there is a container each for the file system and the registry, so SACL entries can be distributed centrally in this way.
One problem with explicit SACL configuration is that it is relatively easy to lose track if you do it on many objects. Afterwards, at least with the GUI tools, it is not easy to determine which resource generates an audit trail for which events.

Output SACL with PowerShell

PowerShell can help here: the following command shows, using the example of the registry, how to list all keys for which auditing was configured.
When calling it, a little trick is necessary because Get-ChildItem supplies the path information in an incorrect format, and therefore HKEY_LOCAL_MACHINE must be replaced by HKLM.
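
One way to produce such a listing, as an added example that is not the original article's command. The starting subtree `HKLM:\SOFTWARE` is an assumption, and only explicitly set audit entries are reported so that inherited ones do not hide where auditing was actually configured.

```powershell
# Added example. Run in an elevated session: reading a SACL needs SeSecurityPrivilege.
$root = 'HKLM:\SOFTWARE'   # assumption: subtree to inspect

Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    # Get-ChildItem returns the key name as HKEY_LOCAL_MACHINE\..., which is not a
    # valid provider path, so the hive name is rewritten to the HKLM: drive.
    $path = $_.Name -replace '^HKEY_LOCAL_MACHINE', 'HKLM:'

    # -LiteralPath keeps key names containing * or [ ] from being read as wildcards.
    $acl = Get-Acl -LiteralPath $path -Audit -ErrorAction SilentlyContinue
    if (-not $acl) { return }   # key not readable, skip it

    # Explicit entries only (includeExplicit = $true, includeInherited = $false),
    # so the output shows where auditing was configured, not where it is inherited.
    $rules = $acl.GetAuditRules($true, $false, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        [pscustomobject]@{
            Key      = $path
            Identity = $rule.IdentityReference.Value
            Rights   = $rule.RegistryRights
            Audit    = $rule.AuditFlags      # Success, Failure or both
        }
    }
} | Format-Table -AutoSize -Wrap
```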

Global object access monitoring

You can save yourself the effort of explicitly configuring the SACL on file system and registry objects if you configure global object access auditing instead. The entries for the file system and the registry are available under Computer Configuration => Policies => Windows Settings => Security Settings => Advanced Audit Policy Configuration => Global Object Access Auditing.
If you open one of these, you must first check the Define policy setting check box before you can configure the policy. In the following dialog, click on Add, which opens another dialog that is identical to the one used to control monitoring directly in the registry or the file system. Here you select the principal (for example Everyone) and then specify which type of access should be recorded. Since the policy monitors activity on all drives and in the entire registry, it should be remembered that a generous selection at this point will further increase the already considerable amount of data.

No change to the resources

The SACL configured here is not written by the GPO to all objects on the target computer. Rather, it remains in RAM and is only evaluated and applied when the registry or the file system is accessed. The monitored resource remains unchanged. This setting therefore specifies a single audit configuration for the file system and the registry. But it does not activate the monitoring itself; this has to be done separately for the respective resource, as with the explicit SACL assignment. This is done under Advanced Audit Policy Configuration => Audit Policies => Object Access.
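
A check for the two independent halves described above, the global SACL and the Object Access subcategory, as an added example that is not part of the original article. It uses the built-in `auditpol` tool and assumes an English-language system, because subcategory names and setting texts are localized.

```powershell
# Added example. Run elevated on a target computer after the GPO has been applied.
# Subcategory names and setting texts are the English ones; localized systems differ.
$policy = foreach ($name in 'File System', 'Registry') {
    # /r prints the setting as CSV; blank lines are dropped before parsing.
    auditpol /get "/subcategory:$name" /r | Where-Object { $_ } | ConvertFrom-Csv
}
$policy | Format-Table Subcategory, 'Inclusion Setting' -AutoSize

# The global SACL per resource type (File = file system, Key = registry).
foreach ($type in 'File', 'Key') {
    "--- global SACL, type $type ---"
    auditpol /resourceSACL /view "/type:$type"
}

# A SACL without the matching subcategory produces no events at all.
foreach ($row in $policy) {
    if ($row.'Inclusion Setting' -eq 'No Auditing') {
        Write-Warning "$($row.Subcategory) is not audited: a SACL alone records no events."
    }
}
```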


In addition to a simpler configuration, global monitoring has the advantage that it makes it easier to meet stricter compliance requirements. It is very easy to prove that you are auditing all files. The obvious disadvantage of this method is the considerable amount of data that such an audit trail produces in the event log. An evaluation on each individual host is usually unrealistic, so the log files will at least have to be merged on one computer. In practice, however, you will need software for log analysis that consolidates the entries and independently examines them for suspicious or undesired activities.
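
Once file system auditing is active, each audited access is recorded in the Security log as event 4663, which names the accessing process. The following added example (not from the original article) reads those events on a single host and lists the files a given process touched; the process name `notepad.exe` and the one-hour window are assumptions.

```powershell
# Added example. Run elevated; the Security log is not readable by standard users.
$process = 'notepad.exe'              # assumption: image name to look for
$since   = (Get-Date).AddHours(-1)    # assumption: time window

$filter = @{ LogName = 'Security'; Id = 4663; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$accesses = foreach ($e in $events) {
    # Turn the <Data Name="..."> elements of the event into a lookup table.
    $data = @{}
    foreach ($node in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    # 4663 is also logged for registry keys and other object types.
    if ($data['ObjectType'] -ne 'File') { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Process = $data['ProcessName']     # full path of the accessing image
        User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        File    = $data['ObjectName']
        Mask    = $data['AccessMask']      # hex bit mask of the rights that were used
    }
}

# Files touched by the chosen process, most frequently accessed first.
$accesses |
    Where-Object { $_.Process -like "*\$process" } |
    Group-Object File |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Overview for the whole host: which processes generate the most file events.
$accesses | Group-Object Process | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name
```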