How to track file changes in Windows
To track file changes by user account, you need easy access to the who, the what, and the when.
Published April 9, 2025
When organizations talk about data security, what they’re talking about at the most basic level is monitoring access to files and folders.
However, this isn’t just about stopping external hackers. In many organizations, the threat from rogue insiders is just as significant. Employees may try to access files they don’t have permission to see, perhaps by mistake, out of curiosity, or for malicious reasons.
Most organizations will have at least one story about an employee accessing or stealing sensitive files. Usually, they only discover the access after damage happens. In far more cases, these incidents go unnoticed, and the insider access remains invisible.
The answer is to monitor user account access to specific files and folders in real-time, as it happens, and retrospectively, looking back to analyze longer-term patterns of access.
The principle is simple: track which user accounts access which files, when, and what they do with that access. You want to see which user account opens, moves, edits or changes any files or folders. Ideally, that includes which access attempts the system denied.
You’ll notice we’re talking about “user accounts” rather than the individual user. This is important. In most cases, a user account correlates to the actions of the user assigned to that account.
But a threat actor can also hijack a legitimate account. This is often the case in ransomware and data breaches. Monitoring user accounts through a well-designed policy is a chance to get an early warning of this.
Unfortunately, monitoring access to your file system isn’t a core element of the Windows platform. Native Windows tools such as Windows Event Viewer rely on manual processes to pinpoint the right event ID. And these processes tend to scale badly across a large network. It certainly doesn't make the monitoring or auditing process easy.
Microsoft did not build Windows Event Viewer as a file auditing tool.
The alternative is to write PowerShell scripts to automate the tracking of NTFS file permissions. That requires some expertise, and the scripts need regular updates to take account of storage changes. The PowerShell approach also misses out on a certain level of detail and doesn’t deliver centralized reporting. Together, these two gaps increase the risk of missing unauthorized access.
Importantly, the PowerShell approach can also fall short of automated reporting to prove data security compliance to auditors. After all, it’s not enough to detect unauthorized file access. Cybersecurity compliance standards and auditing often require IT to generate regular reports to document their oversight. IT must control access to files but also prove that it is doing this, and show how.
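As an added illustration of the scripted approach described above (not code from this page or from FileAudit), this PowerShell script reads file-access events from one server's Security log and reports which account touched which file, when, and whether access was denied. Event IDs 4663 and 4656 are standard Windows Security events that the page does not name, and the folder path is hypothetical.

```powershell
# Added example (not from the page). Requires "Audit File System" auditing and a
# SACL on the folder; run from an elevated prompt on the file server.
$Path  = 'D:\Shares\Finance'   # hypothetical folder to review
$Hours = 24                    # look-back window

$auditFailure = 0x10000000000000   # "Audit Failure" keyword bit on Security events
$rights = @{                       # file access-right bits found in AccessMask
    0x1     = 'ReadData'
    0x2     = 'WriteData'
    0x4     = 'AppendData'
    0x10000 = 'Delete'
    0x40000 = 'WriteDAC'           # permission (DACL) change
    0x80000 = 'WriteOwner'
}

$filter = @{ LogName = 'Security'; Id = 4656, 4663
             StartTime = (Get-Date).AddHours(-$Hours) }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
  ForEach-Object {
    $evt  = $_
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $denied = [bool]($evt.Keywords -band $auditFailure)

    # 4663 = access performed; keep 4656 only when the handle request was refused
    if ($evt.Id -eq 4656 -and -not $denied) { return }
    if ($data.ObjectType -ne 'File' -or -not $data.ObjectName) { return }
    if (-not $data.ObjectName.StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)) { return }

    $mask   = [Convert]::ToInt64($data.AccessMask, 16)
    $access = $rights.GetEnumerator() | Where-Object { $mask -band $_.Key } |
              Sort-Object Key | ForEach-Object { $_.Value }

    [pscustomobject]@{
        Time    = $evt.TimeCreated
        User    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        File    = $data.ObjectName
        Access  = $access -join ','
        Denied  = $denied
        Process = $data.ProcessName
    }
  }

$events | Sort-Object Time | Format-Table -AutoSize           # the who, what, when
$events | Group-Object User, Denied | Sort-Object Count -Descending |
    Select-Object Count, Name                                 # volume per account
```

The script only sees the local Security log of the server it runs on, which is the scaling and centralized-reporting limit the text describes.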
FileAudit is designed to take the pain out of file monitoring and auditing. With a centralized console, FileAudit works without the need for agents on each server. This way, IT staff and designated team members can track user accounts' access to files and folders in Windows and major cloud platforms.
FileAudit event logs record every file access event, including reading, writing, deletion, permission and file attribute changes. FileAudit admins can see which user account accessed files at a given path, when, and from which IP address, domain, and machine name.
FileAudit supports cloud data monitoring, including platforms such as OneDrive for Business, SharePoint Online, Google Drive, Dropbox Business, and Box.
Customized email alerts can be created for specific events, for example:
Deleted files
Mass copying or movement, access at unusual times, or denied access
With FileAudit’s predefined PowerShell scripts (available from version 6.6, currently in beta), you can also quickly program automatic responses to triggered alerts. For example, logging off and disabling a user and computer account if a user account is deleting, copying or moving lots of files.
Thanks to FileAudit’s centralized archive, IT can generate report-style overviews to track users, their actions, and file access across time. IT gains valuable forensic insights, while supporting compliance standards such as GDPR, HIPAA, SOX, and FISMA.
FileAudit’s simple point-and-click interface is an important feature. File monitoring tools are often designed for use by IT experts, which means that the staff members who understand which files are the most critical — employees at departmental level, say — are excluded from the process.
FileAudit is simple and easy to use. IT can share, or delegate, file monitoring to the people who best understand the data they need to protect.
A common factor in almost every cyberattack — insider attacks, ransomware, data breaches — is an attempt to access sensitive files. Despite this, organizations often don’t have an easy way to monitor or analyze user access to files. Too often, this means that an unknown volume of unauthorized access slips under the radar.
Regulators understand the importance of file auditing, which is why the ability to monitor users and detect file manipulation is a key part of so many compliance standards.
The challenge is how to implement this. Native Windows tools require a lot of time and expertise to use even half effectively. Plus, they lack essential features such as centralized analysis and reporting.
FileAudit offers a simple way to overcome these problems with comprehensive real-time monitoring, retrospective analysis, and reporting to meet auditing requirements.
Perhaps most importantly, it allows organizations to move away from the traditional model of centralizing data monitoring inside IT departments, allowing non-technical employees to manage oversight for themselves.