Q: How can I track which users access a Windows file share, as well as how often they access it? Do the Windows auditing system and the security log provide any information I can leverage?
A: Starting with Windows Server 2008, Microsoft added a new Windows auditing subcategory to track share access–related data. This subcategory, called File Share, allows you to track the access to and creation, modification, and deletion of shared folders. Windows provides a different event ID for each of these four events as follows:
- 5140 when a network share is accessed
- 5142 when a network share object is added
- 5143 when a network share object is modified
- 5144 when a network share object is deleted
These events all indicate in the Subject field which user accessed the share or completed the share-related action. Note that event ID 5140 is logged every time a user connects to a share.
When you enable auditing for the File Share subcategory, you enable logging for all four events at once. There's no way to configure Windows to produce events just for the three share change events and not for the share access events.
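To answer the "which users, and how often" part of the question, the 5140 events can be grouped by the Subject account and share name. The following is an added example, not code from the original article: `Get-ShareAccessSummary` is a hypothetical helper name, and the sample events are constructed and reduced to the fields the function reads.

```powershell
# Added example (not from the original article). Sample events are constructed.
function Get-ShareAccessSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)

    $rows = foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        # Only 5140 is a share connection; 5142/5143/5144 are share changes.
        if ($evt['System']['EventID'].InnerText -ne '5140') { continue }
        $data = @{}
        foreach ($node in $evt['EventData'].ChildNodes) {
            $data[$node.GetAttribute('Name')] = $node.InnerText
        }
        [pscustomobject]@{
            User   = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Share  = $data['ShareName']
            Source = $data['IpAddress']
        }
    }
    # One output row per user/share pair, most frequent first.
    $rows | Group-Object -Property User, Share | ForEach-Object {
        [pscustomobject]@{
            User        = $_.Group[0].User
            Share       = $_.Group[0].Share
            Connections = $_.Count
            Sources     = ($_.Group.Source | Sort-Object -Unique) -join ','
        }
    } | Sort-Object -Property Connections -Descending
}

# Constructed sample events (account names, share and addresses are made up).
$t = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
     '<System><EventID>{0}</EventID></System><EventData>' +
     '<Data Name="SubjectUserName">{1}</Data><Data Name="SubjectDomainName">CONTOSO</Data>' +
     '<Data Name="ShareName">{2}</Data><Data Name="IpAddress">{3}</Data>' +
     '</EventData></Event>'
$sample = @(
    ($t -f 5140, 'alice', '\\*\Finance', '10.0.0.21'),
    ($t -f 5140, 'alice', '\\*\Finance', '10.0.0.34'),
    ($t -f 5140, 'bob',   '\\*\Finance', '10.0.0.52'),
    ($t -f 5143, 'carol', '\\*\Finance', '')   # share modified: ignored
)
Get-ShareAccessSummary -EventXml $sample | Format-Table -AutoSize

# On a live file server (elevated prompt), enable the subcategory and feed real events:
#   auditpol /set /subcategory:"File Share" /success:enable /failure:enable
#   $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5140} | ForEach-Object { $_.ToXml() }
#   Get-ShareAccessSummary -EventXml $xml
```

Because 5140 is logged on each connection to a share, the `Connections` column counts share connections, not individual file opens.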