How to monitor Windows files and which tools to use
Monitoring files on Windows systems is critical to detect suspicious activities, but there are so many files and folders to keep track of. This is where automation tools come in.
Any desktop environment is bound to have lots of files and folders, and many are related to the underlying operating system, but some come from applications, user data and other sources.
IT administrators who seek a positive UX for Windows desktop users should monitor some if not all of the Windows files and folders.
Why monitor Windows files and folders?
There are many good reasons to monitor the Windows file system on modern PCs. The leading reasons for monitoring include the following:
Certain parts of the file system -- especially those related to account data, OS permissions and controls -- should be touched by IT only on rare occasions. IT can use mechanisms such as TrustedInstaller to handle these sensitive files carefully. See Microsoft's security identifiers document for more details.
Auditing and accountability
When high-level privileges and accounts must be used, many organizations monitor the affected files and related changes carefully. Organizations should keep track of changes to key files and folders, looking for anything out of the ordinary or suspicious. This is also a security requirement, and monitoring of this kind is mandatory in some industries.
Organizations should track the general use of files and folders, especially with the timestamping information that's invariably included. This information provides a detailed inventory of what users are doing with which files and folders, and when such activities occur.
Monitoring and filtering go hand in hand
Because of the volume of file system activity inherent in an enterprise Windows setting, it seldom makes sense to monitor all activities all the time. Normally, monitoring focuses on specific folders in the Windows file system hierarchy to limit the scope and volume of the data that monitoring tools collect and store.
For example, security monitoring focuses on activity within the specific Windows folders known to be targets of attacks. Good examples are the file and folder classes controlled through the File Explorer Options Control Panel applet, such as:
- Hidden files and folders. These include BitLocker elements, installer files and components.
- Protected operating system files. These include many elements within the C:\Windows folder hierarchy.
- Protected aspects of the application hierarchy. These include C:\Program Files, C:\Program Files (x86) and C:\ProgramData -- which is also a hidden folder.
- Specifically hidden system folders. These include names that often start with a dollar sign ($), which hides them from display unless the user turns on Show hidden files and folders in the File Explorer options.
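As an added illustration of scoping (not a tool or script from the article), the following PowerShell watches only the protected folders just listed in real time and writes each create, delete, rename or change to a log file; the folder list and log path are assumptions, and C:\Windows in particular is noisy, so the watcher buffer is raised to reduce dropped events.

```powershell
# Added example: real-time watcher limited to the protected folders named above.
# Folder list and log path are assumptions; adjust to the environment.
$Folders = @(
    "$env:SystemRoot",              # C:\Windows
    "$env:ProgramFiles",            # C:\Program Files
    "${env:ProgramFiles(x86)}",     # C:\Program Files (x86)
    "$env:ProgramData"              # C:\ProgramData (hidden folder)
) | Where-Object { $_ -and (Test-Path $_) }
$LogFile = Join-Path $env:TEMP 'file-watch.log'

$watchers = foreach ($f in $Folders) {
    $w = New-Object System.IO.FileSystemWatcher
    $w.Path = $f
    $w.IncludeSubdirectories = $true
    # Watch names, content, attributes and ACL changes; raise the internal
    # buffer to its 64 KB maximum so bursts of activity are less likely to overflow.
    $w.NotifyFilter = [System.IO.NotifyFilters]'FileName, DirectoryName, LastWrite, Attributes, Security'
    $w.InternalBufferSize = 65536

    # One handler serves all four event types; each log line records the time,
    # the change type and the full path (plus the old name for renames).
    $action = {
        $e = $Event.SourceEventArgs
        $line = '{0:u} {1,-8} {2}' -f (Get-Date), $e.ChangeType, $e.FullPath
        if ($e.ChangeType -eq 'Renamed') { $line += " (was $($e.OldFullPath))" }
        Add-Content -Path $Event.MessageData -Value $line
    }
    foreach ($ev in 'Created', 'Deleted', 'Renamed', 'Changed') {
        Register-ObjectEvent -InputObject $w -EventName $ev -Action $action -MessageData $LogFile | Out-Null
    }
    $w.EnableRaisingEvents = $true
    $w
}

Write-Host "Watching $($Folders.Count) folders; events are logged to $LogFile. Press Ctrl+C to stop."
try {
    while ($true) { Wait-Event -Timeout 5 | Out-Null }
}
finally {
    # Clean up subscriptions and watchers when the script is interrupted.
    Get-EventSubscriber | Unregister-Event
    $watchers | ForEach-Object { $_.Dispose() }
}
```

Everything outside the listed folders is ignored, which is exactly the filtering the section describes; a FileSystemWatcher reports what changed but not which user or process did it, which is where the built-in auditing described next comes in.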
Built-in File and Folder Monitoring in Windows 10 and 11
For both current versions of Windows -- Windows 10 and Windows 11 -- administrators can turn to Group Policy Management as an audit policy tool. Microsoft includes a detailed tutorial on how to monitor the central access policies associated with files and folders in its documentation. It describes how administrators can use domain controller-based policy settings to configure various audit events related to files and folders for entire domains. IT can apply these on a file or folder basis, where a folder audit covers all the files and subfolders it contains. This provides blanket coverage for all PCs and users in the domain.
On the other hand, IT can also audit files or folders at the local level. This is possible through File Explorer in the Properties window for a given file or folder, under Advanced security settings on the Auditing tab (Figure 1).
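The local-level auditing just described can also be scripted. The following PowerShell is an added example (not from the article or Microsoft's tutorial): it adds a SACL audit entry to one folder so that writes, deletes and permission changes by any user are recorded, then reads the resulting Security-log events back and keeps only those under that folder. It must run elevated, the folder and look-back window are assumptions, and it assumes the "Audit File System" subcategory is already enabled by Group Policy or locally.

```powershell
# Added example: scope built-in file auditing to one sensitive folder and
# read back the Security-log events it produces. Run from an elevated prompt.
# Assumes the "Audit File System" subcategory is enabled, e.g. via Group Policy or
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable
param(
    [string]$Path  = 'C:\ProgramData',   # folder to audit (assumption)
    [int]   $Hours = 24                  # how far back to read the Security log
)

# 1. Add an audit rule (SACL entry). Existing audit entries are preserved.
$acl    = Get-Acl -Path $Path -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    $rights,
    'ContainerInherit, ObjectInherit',   # inherit to subfolders and files
    'None',
    'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 2. Read event 4663 (an attempt was made to access an object) and project the
#    fields an analyst needs: who, from which process, which object, what access.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Process = $data['ProcessName']
        Object  = $data['ObjectName']
        Access  = $data['AccessMask']   # hex mask, e.g. 0x2 = WriteData, 0x10000 = Delete
    }
} | Where-Object { $_.Object -like "$Path*" } |
    Sort-Object Time -Descending | Format-Table -AutoSize
```

The Where-Object filter is what keeps the result set small; without the SACL step, event 4663 is never generated for the folder no matter what the audit policy says.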
The problem with such auditing is the amount of time and effort involved in setting it up and analyzing the data it produces. This is why many administrators turn to third-party tools for such tasks.
File activity monitoring tools
IT organizations should take a security-minded approach to monitoring activity. Preventing unauthorized users from accessing or exfiltrating sensitive data or key files is a proven way to avoid theft, loss or unwanted disclosure of data. Consider this short list of tools that are suitable for enterprise use cases based on their feature sets:
SolarWinds Server & Application Monitor
This server management software offers file tracking capabilities and delivers real-time statistics about individual files, folders and device drives.
Site24x7 File and Directory Monitoring
A cloud-based monitoring service that covers file and storage activity for servers under its purview. It also includes extra protection for sensitive data stores.
ManageEngine DataSecurity Plus
This provides complete file server auditing with highly granular activity reports along with data leak prevention, data risk assessments, file analyses and more.
A deep-packet network traffic inspection service that includes facilities to monitor file access and use across the network. It includes custom-built user activity monitoring capabilities.
PA File Sight
An in-depth file and folder access auditing tool that also offers ransomware protection, data loss prevention and trusted application configuration and controls.
Some administrators might need tools that more specifically monitor file access and activity on local user PCs, and they will likely want different tools for these scenarios. Several freeware tools of this type are available, including the following:
Watch 4 Folder
It provides real-time information about file system actions that include file or folder create, delete, rename and change; file associations, which match extensions to specific applications; and the use of external storage devices.
It offers real-time monitoring of multiple designated folders in a compact executable with the ability to track creation and deletion; attribute changes; access dates and file size changes. Administrators could even track files by extension type. Email event alerting is also included.
This provides coverage for typical file and folder events with the ability to trigger defensive and reporting actions when specific changes are detected.
This tool can monitor files, folders and entire drives in real time with event triggers. It can also launch command files or scripts in response to triggers with periodic log file saves.
A portable tool with limited but capable file and folder monitoring, including file or folder create, modify and delete operations. It tracks the Windows C: drive by default, with color-coding to flag changes and activity.