Which user caused FileSystemWatcher events?

StackOverflow https://stackoverflow.com/questions/1286137

  •  18-09-2019
  •  | 
  •  

Question

For example, I can catch the Delete event for various files in a folder tree, but how would I go about determining which user caused the delete to happen?

I couldn't find anything obvious in the MSDN documentation for FileSystemWatcher, so maybe it is just not possible. I'd be curious if there is a solution however.

Was it helpful?

Solution

This isn't currently possible with the current implementations of the FileSystemWatcher as it does not receive this type of information when a file is deleted, or anything about a file changes.

OTHER TIPS

It is possible using Folder Auditing (folder Properties > Security > Advanced Options > Auditing) and then looking up the Security Event Log after the FileSystemWatcher event fires.

string GetUser(string path) {
    object nowDate = Now;
    GetUser = "Unknown";
    Threading.Thread.Sleep(1000);
    // # Search user in the security event log
    object secLog = new EventLog("Security", EVENTLOGSERVER);
    EventLogEntry entry;
    for (int i = (secLog.Entries.Count - 1); (i <= Math.Max((secLog.Entries.Count - 1500), 0)); i = (i + -1)) {
        entry = secLog.Entries(i);
        if (IsValidEntry(path, nowDate, entry)) {
            GetUser = entry.ReplacementStrings(11);
            break;
        }
    }
}

bool IsValidEntry(string path, DateTime nowDate, EventLogEntry entry) {
    return ((entry.EntryType == EventLogEntryType.SuccessAudit) 
        && ((entry.InstanceId == 560) || (entry.InstanceId == 564)) 
        && !entry.UserName.EndsWith("SYSTEM")
        && (Math.Abs(nowDate.Subtract(entry.TimeGenerated).TotalSeconds <= 20) 
        && (entry.ReplacementStrings.GetUpperBound(0) >= 11) 
        && (entry.ReplacementStrings(2).Length >= 4) 
        && path.EndsWith(entry.ReplacementStrings(2).Substring(4)));
}

It doesn't seem like there's any functionality built into .NET that can help you with that, but with the help of the function NetFileGetInfo in Netapi32.dll, it should be possible.

Take a look at this thread where the user dave4dl has posted a code sample that shows how to do it.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top