Hi, Event ID 4663 typically indicates an attempt to access an object (such as a file or folder) and includes information about the user account, the object being accessed, the type of access requested, and more. Here's an example of what an Event ID 4663 might look like in the Windows Event Log:
Event ID: 4663
Source: Microsoft-Windows-Security-Auditing
Log: Security
Description: An attempt was made to access an object.

Subject:
    Security ID: ACME\JohnDoe
    Account Name: JohnDoe
    Account Domain: ACME
    Logon ID: 0x123456

Object:
    Object Server: Security
    Object Type: File
    Object Name: C:\ExampleFolder\NewFolder
    Handle ID: 0x789abc
    Operation Type: Object Open
    Access Mask: 0x1

Process Information:
    Process ID: 0xabcdef
    Process Name: C:\Windows\explorer.exe

Additional Information:
Access Request Information:
    Transaction ID: {00000000-0000-0000-0000-000000000000}
    Accesses: READ_CONTROL
              SYNCHRONIZE
              ReadData (or ListDirectory)
              ReadAttributes
              ReadExtendedAttributes
    Access Reasons: READ_CONTROL: Granted by D:(A;;0x1200a9;;;AC)
                    SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;AC)
                    ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;AC)
                    ReadAttributes: Granted by D:(A;;0x1200a9;;;AC)
                    ReadExtendedAttributes: Granted by D:(A;;0x1200a9;;;AC)
    Access Mask: 0x120089
    Privileges Used for Access Check: -
    Restricted SID Count: 0

In order for events like folder creation to be logged in the Windows Event Log, you need to enable auditing for the corresponding actions. Auditing allows you to track and monitor various activities on your system, such as file and folder access, account logon events, system events, and more. To enable auditing for folder creation (or any other action):
- Enable Auditing Policy: You need to configure the appropriate audit policy settings in the Group Policy Editor or Local Security Policy to specify which types of events you want to audit. This includes enabling auditing for object access.
- Configure Object Access Auditing: After enabling the auditing policy, you need to configure object access auditing specifically for the folders or files you want to monitor. This is done by modifying the security settings in the folder or file properties and enabling auditing for specific actions such as "Create files / write data". Have a look here: Audit object access
- View Event Logs: Once auditing is enabled and configured, events related to the audited actions will be logged in the Windows Event Log. You can view these logs using the Event Viewer tool.

Here are the steps you can follow:
- Open the Group Policy Editor by typing "gpedit.msc" in the Windows search bar and pressing Enter.
- Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
- Enable auditing for object access by configuring the "Audit object access" policy setting.
- Apply the changes and close the Group Policy Editor.
- Right-click on the folder you want to audit, select "Properties", then go to the "Security" tab.
- Click on the "Advanced" button, go to the "Auditing" tab, and add the desired users or groups.
- Select the types of access you want to audit (e.g., "Create files / write data") and apply the changes.
- After some time, events related to folder creation should start appearing in the Security Event Log.

Good luck!
Marius ENE - https://mariusene.com/
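
The steps in the answer above can also be scripted. The following PowerShell is an added example, not part of the original post: it enables the audit policy, adds an audit entry to the folder, and reads back the resulting 4663 events. Assumptions: an elevated session on an English-language system, `C:\ExampleFolder` (the sample path from the event above) as the target, `Everyone` as the audited principal, and the advanced-policy "File System" subcategory in place of the basic "Audit object access" setting.

```powershell
# Added example: scripted equivalent of the GUI steps. Run in an elevated session.
# Assumed values: the folder is the sample path from the event above,
# 'Everyone' is an assumed audit principal.
$folder    = 'C:\ExampleFolder'
$principal = 'Everyone'

# 1. Enable success auditing for file system object access.
#    "File System" is the advanced-policy subcategory; the name is locale-dependent.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add an audit entry (SACL) to the folder.
#    CreateFiles       = "Create files / write data"     (0x2)
#    CreateDirectories = "Create folders / append data"  (0x4), used when a subfolder is created
$rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               $principal, $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $folder -Audit     # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Read back recent 4663 events and keep those under the audited folder.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData name/value pairs into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['ObjectName'] -like "$folder*") {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object     = $data['ObjectName']
                Process    = $data['ProcessName']
                AccessMask = $data['AccessMask']
            }
        }
    }
```

An `AccessMask` of `0x4` on the parent folder corresponds to a subfolder being created and `0x2` to a file being created, which makes the output easy to filter for folder-creation events.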