You might want to use the Audit Object Access.
The steps you have to follow:
- Enable the Audit object access in the Local Computer Policy.
- Enable auditing for the object you want to follow.
- From your application, use the EventLog.EntryWritten Event to detect the file opening event
Here's a simplistic sample usage, but you'll have to dig in the documentation in order to capture and log as you need to:
class Program
{
public static void Main()
{
EventLog myNewLog = new EventLog("Security", ".", "Microsoft Windows security");
myNewLog.EntryWritten += new EntryWrittenEventHandler(MyOnEntryWritten);
myNewLog.EnableRaisingEvents = true;
Console.ReadLine();
}
public static async void MyOnEntryWritten(object source, EntryWrittenEventArgs e)
{
await Task.Factory.StartNew(() =>
{
if (e.Entry.InstanceId == 4656 || e.Entry.InstanceId == 4663)
{
Console.WriteLine(e.Entry.Message);
}
});
}
}