Windows Audit: no security filesystem audit event for folder creation when it is created from command line

Alberto Gonzalez 1 Reputation point
2020-06-19T16:25:14.233+00:00

I am using Windows native audit on Windows 10 and Windows Server to detect file/folder creation, modification, rename, delete, etc., and the Windows audit is not reliable: although I set up Everyone and "create folders" audit permissions, it doesn't report anything. How can I detect that a folder is created from the Windows audit?

  1. There is not any event in the Security log when a folder is created from PowerShell/cmd (mkdir folder).
  2. When the folder is created from explorer.exe there is an event 4663 with access mask AppendData (or AddSubdirectory or CreatePipeInstance) on the parent folder, but it doesn't tell you which folder was created.

How is it possible that Windows audit can't detect these events even if I have set up folder auditing for Everyone and all permissions (create folders, etc.)? What is the right way to audit folder creation?


3 answers

  1. Dave Patrick 425.7K Reputation points MVP
    2020-06-19T16:29:36.937+00:00

    Windows security is not currently supported here on QnA. They're actively answering questions in the dedicated forums here.

    https://social.technet.microsoft.com/Forums/en-US/home?forum=win10itprosecurity

    --please don't forget to Accept as answer if the reply is helpful--


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


  2. Shane Townsend 1 Reputation point
    2020-06-22T12:13:32.253+00:00

    Get the details here about command line process auditing: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/component-updates/command-line-process-auditing

    Enable the "Audit object access" audit policy. To enable it:

    Run gpedit.msc, select the local computer policy, then Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy: Audit object access → Define: Success and Failures.

    Go to "Advanced Audit Policy Configuration" → Audit Policies → Object Access:

    Audit File System → Define: Success and Failures

    Audit Handle Manipulation → Define: Success and Failures.

    1. Navigate to the folder, right-click it and select "Properties". Select the "Security" tab → "Advanced" button → "Auditing" tab → click the "Add" button:

    Select Principal: "Everyone"; Select Type: "All"; Select Applies to: "This folder, subfolders and files"; Select the following "Advanced Permissions": "Delete subfolders and files" and "Delete".

    Else, try Lepide File Server Auditor, which helps to track every critical change in real time.

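The policy and SACL steps in the answer above, scripted as an added example (not from the thread or from Microsoft): it enables the "File System" subcategory, adds a Success audit entry for "Create folders / append data" (the same bit as AppendData) for Everyone on a folder, and then pulls 4663 events carrying the AppendData/AddSubdirectory bit (0x4). As the question notes, the ObjectName in those events is the parent folder, not the new child; the script assumes it runs elevated and that `C:\Data\Watched` is a hypothetical path.

```powershell
#Requires -RunAsAdministrator
# Added example: audit "create folders" on a path and read the matching 4663 events.
param([string]$WatchFolder = 'C:\Data\Watched')   # hypothetical folder, change to suit

# 1. Enable the Object Access > File System subcategory for success events.
auditpol.exe /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add a SACL entry: Everyone, CreateDirectories (same access bit as AppendData),
#    inherited by subfolders and files, audited on success.
$acl  = Get-Acl -Path $WatchFolder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::CreateDirectories,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $WatchFolder -AclObject $acl

# 3. Read recent 4663 events and keep those under the watched path whose AccessMask
#    has the AppendData/AddSubdirectory bit (0x4). The XML view exposes the named
#    EventData fields that the rendered message text does not.
function Get-FolderCreateAudit {
    param([string]$Path, [int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # AccessMask arrives as a hex string such as "0x4"; [int] parses that form.
        if ($d.ObjectName -like "$Path*" -and (([int]$d.AccessMask) -band 0x4)) {
            [pscustomobject]@{
                Time         = $_.TimeCreated
                Subject      = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process      = $d.ProcessName
                ParentFolder = $d.ObjectName   # parent of the new folder, per the question
                AccessMask   = $d.AccessMask
            }
        }
      }
}

Get-FolderCreateAudit -Path $WatchFolder | Format-Table -AutoSize
```

Because only the parent path is recorded, pair the ProcessName and timestamp from these events with a directory listing taken afterwards to learn which child was added.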

  3. Alberto Gonzalez 1 Reputation point
    2020-06-22T13:17:34.06+00:00

    Thanks, but logging commands doesn't solve my cases. If the folder is created from Explorer or a .NET application API, the audit doesn't show anything; same for file renames. Is there any way to capture file renames and creates using the standard audit? Why is something so basic not included in Windows?
