How to Check Who Last Modified a File in Windows?

Track Files and Folders Modifications with Lepide Auditor
3 min read | Updated On - September 04, 2024
In This Article

Tracking file and folder modifications is vital for safeguarding data and systems. By monitoring changes, unauthorized access or alterations can be quickly identified and addressed, problems related to file access or permissions can be troubleshooted, and evidence can be provided in the case of a security incident.

In this article we will explore the native method for tracking who last modified a file in Windows using Event Logs and a more straightforward method using the Lepide Auditor for File Server.

Using the Native Method

To be able to track changes to files and folders in Windows, it is necessary to first enable auditing for the desired files and folders. Once auditing is enabled, Windows will document all access and modification events in the security event log.

Step 1- Enable Auditing at Server Level

To enable auditing at server level follow the steps below:

  • Select Start, Administrative tools, Local security policy snap-in
  • Expand Local policy, Audit policy
  • Go to Audit object access
  • Select Success/Failure (as needed)
  • Confirm your selections and click OK

Step 2 – Enable Auditing at Object Level

To enable auditing at object level follow the steps below:

  • Navigate Windows Explorer to the file you want to monitor
  • Right click on the target folder/file and select Properties, Security, Advanced
  • Select the auditing tab
  • Click the ADD button
  • Choose the users or groups you want to give audit permissions to
  • In the Auditing Entry dialog box, select the types of access you want to audit. You need to select Success events separately to Failure events. Click OK when finished
  • Verify your selections and click APPLY

Step 3 – Search the Event ID 4656

Please follow below steps to search relevant Event ID:

  • Open ‘Event Viewer’
  • Expand ‘Windows Logs’ → Select ‘Security’ → Click on ‘Filter Current Log..’
  • Enter the Event ID 4656
    Enter the Event ID
  • When all the events having ID are listed, double-click on any event to see its details. Check the ‘Account Name’ to see who modified the file.
    event details

How Lepide Helps

An alternative, more straightforward method of monitoring user activity is to use the Lepide Auditor for File Server which captures file and folder events in both Windows File Servers and NetApp filers.

The ‘All File Server Interactions Report’ is one of the many reports included within the Lepide’s file server auditing section and displays detailed information about all changes that have been made by users in file systems. Below is an example of the ‘All File Server Interactions Report’:

File Interaction Report

To run this report:

  • From the Lepide Auditor, Reports screen, expand File Server and select All File Server Interactions
  • Specify a date range and click Generate Report
  • The report will generate and can then be filtered, sorted and exported to CSV and PDF format

Track Files and Folders Modifications with Lepide Auditor