Windows Server 2012 R2 version How to check which user created this folder

Gao, Rui 0 Reputation points
2024-02-07T06:19:02.6733333+00:00

Hello, this Sunday and Monday we found there were 2 pcs of unknown folders on our file server (Windows Server 2012 R2), such as a GameAssistant folder and a Program Files (x86) folder. Looking at the folder properties, we could only find information such as the folder creation time, folder size, etc.; we couldn't find who created this folder. Please refer to the following picture.

We had set up the permissions so that only 2 groups have permission to access that upper folder, but until now we don't know which user created this folder. We want to check who created this folder on 2024-2-5 8:53 AM; thanks in advance. We scanned this server and didn't find any virus in yesterday's scan, and we checked the "Security" properties, which also didn't give any useful information. We also checked the Windows Security event log and the Windows Application event log for that time period and didn't find any useful, clear information. My question is: does "Auditing" have to be set up on that folder in advance for the Windows OS to record the related information? If we didn't set up "Auditing", is there some way or tool that could let us check which user created this folder (we want to check who created it on 2024-2-4 and 2024-2-5), such as checking through the registry or the logs? Or are there some tools that could help us check? Thanks in advance.

1 answer

Marius Ene 335 Reputation points
    2024-02-08T18:41:27.65+00:00

    Hi, Event ID 4663 typically indicates an attempt to access an object (such as a file or folder) and includes information about the user account, the object being accessed, the type of access requested, and more. Here's an example of what an Event ID 4663 might look like in the Windows Event Log:

    Event ID: 4663
    Source: Microsoft-Windows-Security-Auditing
    Log: Security
    Description: An attempt was made to access an object.
    
    Subject:
        Security ID:        ACME\JohnDoe
        Account Name:       JohnDoe
        Account Domain:     ACME
        Logon ID:           0x123456
    
    Object:
        Object Server:      Security
        Object Type:        File
        Object Name:        C:\ExampleFolder\NewFolder
        Handle ID:          0x789abc
        Operation Type:     Object Open
        Access Mask:        0x1
    
    Process Information:
        Process ID:         0xabcdef
        Process Name:       C:\Windows\explorer.exe
    
    Additional Information:
        Access Request Information:
            Transaction ID:     {00000000-0000-0000-0000-000000000000}
            Accesses:           READ_CONTROL
                                SYNCHRONIZE
                                ReadData (or ListDirectory)
                                ReadAttributes
                                ReadExtendedAttributes
            Access Reasons:     READ_CONTROL: Granted by D:(A;;0x1200a9;;;AC)
                                SYNCHRONIZE: Granted by D:(A;;0x1200a9;;;AC)
                                ReadData (or ListDirectory): Granted by D:(A;;0x1200a9;;;AC)
                                ReadAttributes: Granted by D:(A;;0x1200a9;;;AC)
                                ReadExtendedAttributes: Granted by D:(A;;0x1200a9;;;AC)
            Access Mask:        0x120089
            Privileges Used for Access Check: -
            Restricted SID Count: 0

    In order for events like folder creation to be logged in the Windows Event Log, you need to enable auditing for the corresponding actions. Auditing allows you to track and monitor various activities on your system, such as file and folder access, account logon events, system events, and more. To enable auditing for folder creation (or any other action):

    1. Enable Auditing Policy: You need to configure the appropriate audit policy settings in the Group Policy Editor or Local Security Policy to specify which types of events you want to audit. This includes enabling auditing for object access.
    2. Configure Object Access Auditing: After enabling the auditing policy, you need to configure object access auditing specifically for the folders or files you want to monitor. This is done by modifying the security settings in the folder or file properties and enabling auditing for specific actions such as "Create files / write data". Have a look here: Audit object access
    3. View Event Logs: Once auditing is enabled and configured, events related to the audited actions will be logged in the Windows Event Log. You can view these logs using the Event Viewer tool. Here are the steps you can follow:
    4. Open the Group Policy Editor by typing "gpedit.msc" in the Windows search bar and pressing Enter.
    5. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.
    6. Enable auditing for object access by configuring the "Audit object access" policy setting.
    7. Apply the changes and close the Group Policy Editor.
    8. Right-click the folder you want to audit, select "Properties", then go to the "Security" tab.
    9. Click the "Advanced" button, go to the "Auditing" tab, and add the desired users or groups.
    10. Select the types of access you want to audit (e.g., "Create files / write data") and apply the changes.
    11. After some time, events related to folder creation should start appearing in the Security Event Log. Good luck! Marius ENE - https://mariusene.com/
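The same procedure scripted for a file server, as an added example that is not part of the answer above: it enables Success auditing for the File System subcategory, adds a SACL entry for create-file and create-folder access on the share, and then pulls the 4663 events whose access mask carries the AddFile (0x2) or AddSubdirectory (0x4) bit. The path E:\Share is a placeholder, the session is assumed to be elevated, and only events after the SACL took effect will exist (auditing is not retroactive).

```powershell
# Added example, not the original poster's code. Placeholder path; adjust.
$Folder = 'E:\Share'

# Step 1/6 of the answer: turn on Success auditing for the "File System" subcategory.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# Steps 8-10: add a SACL entry so that "Create files / write data" and
# "Create folders / append data" by any authenticated user are audited.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Authenticated Users',
    [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Step 11: later, list who created files or folders under $Path.
# In a 4663 event, AccessMask bit 0x2 = WriteData/AddFile and 0x4 = AppendData/AddSubdirectory;
# the ObjectName is the parent directory the new item was created in.
function Get-FolderCreateEvents {
    param([string]$Path, [datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $mask = [int]$d['AccessMask']          # e.g. '0x2' converts to 2
        if ($d['ObjectName'] -like "$Path*" -and ($mask -band 0x6)) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object  = $d['ObjectName']
                Mask    = ('0x{0:x}' -f $mask)
                Process = $d['ProcessName']
            }
        }
      }
}

Get-FolderCreateEvents -Path $Folder -Since (Get-Date).AddDays(-1) | Format-Table -AutoSize
```

The Process column is useful for the original question: a folder created by a signed-in user usually shows explorer.exe, while one created by a service or installer shows that binary instead.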