An Easy Way To Check If Your Files Have Been Accessed By Someone Else (2024)

Windows logs a lot of actions on your computer. We normal users just have to enable it first. If you keep very important files, or if you have a business and you keep trade secrets on your computer or server, you may want to have accountability who accesses grandma's original secret recipe that keep your bakery flush with returning customers.

This tutorial will walk you through the process. Take note this machine is Windows 8 but the process is very similar to Windows 10.

Enable enable auditing of the file system.

1. Click Start -> Administrative Tools -> Windows Security
2. Expand Local Policy -> Audit Policy -> Audit File System
3. Enable auditing with both a successful and unsuccessful file access

The next part is to enable auditing of the file (or files) considered secret. There is a video showing the entire process below this outline.

1. From Explorer or File Manager, find the file you want to monitor.
2. Right click -> Select Properties
3. Click the Security tab -> Auditing -> Add
4. You will want to identify who we need to watch out for, and in this example, it will be everyone.
5. Enter everyone. Click Check Names. Everyone will be underlined meaning Windows identified an account or a group that matches what you mean.
6. Select All, or just the successful file access if you wish. Then click OK. This process is done.

The next video will show how it would look from the hacker thief. This example uses a Linux distribution developed primarily for penetration testing. The video starts right before a hacker compromises your Windows machine. The bad guy gets in successfully, logs in an account that exists in your computer and can proceed to look around what you have. Once the malicious actor finds you file he or she can exfiltrate it.

In this example, the bad guy found a file named plans-TOP-SECRET-ONLY-atomic-diarrhea.pdf and proceeded to download a copy of it.

The second part of the next video will show how enabling file system auditing on windows will show these actions on Event Viewer. The quickest way to find Event Viewer is to search for it on your Windows Search bar.

1. Click Windows Logs -> Security -> Look for Event 4663.

According to Microsoft, Event 4663 is their code every time a user or a group accesses an object (a file is an object.) These entries will provide with more details such as when it happened, which user did it, and other information.

If you have a remote server or machine, Windows can also forward these events or logs. There are scripts available or you can create one so you'll get real-time alert while this is happening.