How to monitor Windows files and which tools to use

Why monitor Windows files and folders?

There are many good reasons to monitor the Windows file system on modern PCs. The leading reasons for monitoring include the following:

1. Security

   Certain parts of the file system -- especially those related to account data, OS permissions and controls -- should never be "touched" by IT except for on rare occasions. IT can use programs such as TrustedInstaller to handle these sensitive files carefully. See Microsoft's security identifiers document for more details.

2. Auditing and accountability

   When the use of high-level privileges and accounts is required, many organizations monitor such files and related changes carefully. Organizations should keep track of changes that occur to key files and folders, looking for anything out of the ordinary or suspicious. This is also somewhat of a security requirement and monitoring in this fashion is required in some industries.

3. User activity

   Organizations should track the general use of files and folders, especially with the timestamping information that's invariably included. This information provides a detailed inventory of what users are doing with which files and folders, and when such activities occur.

For both current versions of Windows -- Windows 10 and Windows 11 -- administrators can turn to Group Policy Management as an audit policy tool.

Monitoring and filtering go hand in hand

Because of the volume of file system activity inherent in an enterprise Windows setting, it seldom makes sense to monitor all activities all the time. Normally, any monitoring will focus on specific folders in the Windows file system hierarchy to limit the scope and volume of the resulting monitoring data that monitoring tools collect and store.

For example, security monitors will focus on activities within specific Windows files folders that they know would be the target of hacking attempts. A good example of these important files is the File Explorer Options' Control Panel files that provides special functionality such as:

• Hidden files and folders. These include BitLocker elements, installer files and components.
• Protected operating system files. These include many elements within the C:\Windows folder hierarchy.
• Protected aspects of the application hierarchy. These include C:\Program Files, C:\Program Files (X86) and C:\ProgramData -- which is also a hidden folder.
• Specifically hidden system folders. These include names that often start with a dollar sign ($), which hides them from display unless the user turns on Show hidden files and folders in the File Explorer options.

Built-in File and Folder Monitoring in Windows 10 and 11

For both current versions of Windows -- Windows 10 and Windows 11 -- administrators can turn to Group Policy Management as an audit policy tool. Microsoft includes a detailed tutorial on how to monitor the central access policies associated with files and folders in its documentation. It describes how administrators can use domain controller-based policy settings to configure various audit events related to files and folders for entire domains. IT can apply these on a file or folder basis where folder audits can cover all the files and subfolders they contained. This provides across the board blanket coverage for all PCs and users.

On the other hand, IT can also audit files or folders at the local level. This is possible through File Explorer in the Properties window for a given file or folder through Advanced permissions and the auditing tab view (Figure 1).

The problem with such auditing is the amount of time and effort involved in setting it up and analyzing the data it produces. This is why many administrators turn to third-party tools for such tasks.

File activity monitoring tools

IT organizations should take a security-minded approach to monitoring activity. Preventing unauthorized users from accessing or exfiltrating sensitive data or key files is a proven approach to prevent theft, loss or unwanted disclosure of data. Consider this short list of tools that are suitable for enterprise use cases based on their feature sets:

1. SolarWinds Server & Application Monitor

   This server management software offers file tracking capabilities and delivers real-time statistics about individual files, folders and device drives.

2. Site24x7 File and Directory Monitoring

   A cloud-based monitor service that covers file and storage activity for servers under its purview. It also includes extra protection for sensitive data stores.

3. ManageEngine DataSecurity Plus

   This provides complete file server auditing with highly granular activity reports along with data leak prevention, data risk assessments, file analyses and more.

4. LANGuardian

   A deep-packet network traffic inspection service that includes facilities to monitor file access and use across the network. It includes custom-built user activity monitoring capabilities.

5. PA File Sight

   An in-depth file and folder access auditing tool that also offers ransomware protection, data loss prevention and trusted application configuration and controls.

Some administrators might need tools that more specifically monitor file access and activity on local user PCs. They will likely want to find different tools to help in these scenarios. There are several freeware cases of these types of tools, including the following:

1. Watch 4 Folder

   It provides real-time information about file system actions that include file or folder create, delete, rename and change; file associations, which match extensions to specific applications; and the use of external storage devices.

2. TheFolderSpy

   It offers real-time monitoring of multiple designated folders in a compact executable with the ability to track creation and deletion; attribute changes; access dates and file size changes. Administrators could even track files by extension type. Email event alerting is also included.

3. FolderMonitor

   This provides coverage for typical file and folder events with the ability to trigger defensive and reporting actions when specific changes are detected.

4. FolderChangesView

   This tool can monitor files, folders and entire drives in real time with event triggers. It can also launch command files or scripts in response to triggers with periodic log file saves.

5. TrackFolderChanges

   A portable tool with limited but capable file and folder monitoring, including file or folder create, modify and delete operations. It automatically tracks Windows C: drive by default with color-coding to flag changes and activity.