Tracking Rename using Event ID 567
Posted 7/1/2011 1:17:23 PM by a Forum Newbie (Group: Forum Members; Posts: 1)
I am tracking the Event Logs by registering for notification via WMI. I am developing an auditing tool which needs to report various actions on a file, including rename. As I understand it, 'File Rename' is implemented as Event ID 567 with Access Delete. But then 'File Delete' is implemented as Event ID 567 with Access Delete and later an Event ID 564. So when a notification is received via WMI for Event ID 567 with Access 'Delete', how do I know if it's for a 'File Rename' or a 'File Delete'? Will checking the Access Permissions of the file when it was opened (using the Handle ID and checking the previous Event ID 560) help?
Post #748
Posted 7/8/2011 11:06:31 AM by an Expert (Group: Administrators; Posts: 329)
You can't definitively distinguish rename events from the security log. I suggest hooking into NTFS change notifications.
Post #758
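The Handle ID correlation the question proposes, written out as an added example (not code from either poster): it groups 560 / 567 / 564 / 562 records by Handle ID, treats a 567 with DELETE access that is followed by a 564 on the same handle as a delete, and labels a 567 with DELETE but no 564 only as a rename candidate, since, as the reply notes, the security log by itself cannot prove a rename. The event records are constructed in-memory dictionaries standing in for parsed WMI log notifications; the field names `event_id`, `handle_id`, `object_name` and `accesses` are this example's own assumptions, not WMI property names. It also handles the case the simple approach gets wrong: Handle IDs are reused after a 562, so a closed trace must not absorb later events.

```python
"""Correlate Windows 2003-era object-access audit events by Handle ID.

Added example for the thread above; the records below are constructed
and mimic a simplified parse of security-log notifications.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Event IDs named in the thread (Windows XP / Server 2003 security log)
OBJECT_OPEN = 560      # handle opened; carries the requested access mask
HANDLE_CLOSED = 562    # handle closed; the Handle ID may be reused afterwards
OBJECT_DELETED = 564   # object actually deleted
ACCESS_USED = 567      # a granted access right was exercised

DELETE = "DELETE"


@dataclass
class HandleTrace:
    """Everything seen for one lifetime of one Handle ID."""
    handle_id: str
    object_name: Optional[str] = None
    opened_with: set = field(default_factory=set)
    used: List[str] = field(default_factory=list)
    deleted: bool = False
    closed: bool = False


def correlate(events: List[dict]) -> Dict[str, List[HandleTrace]]:
    """Group events (in log order) into per-handle lifetimes.

    A 560 always starts a fresh trace, and so does any event arriving after a
    562, because the OS reuses Handle IDs once the handle is closed.
    """
    traces: Dict[str, List[HandleTrace]] = defaultdict(list)
    for ev in events:
        hid = ev["handle_id"]
        lifetimes = traces[hid]
        eid = ev["event_id"]
        if eid == OBJECT_OPEN or not lifetimes or lifetimes[-1].closed:
            lifetimes.append(HandleTrace(handle_id=hid))
        t = lifetimes[-1]
        if eid == OBJECT_OPEN:
            t.object_name = ev.get("object_name")
            t.opened_with.update(ev.get("accesses", []))
        elif eid == ACCESS_USED:
            t.used.extend(ev.get("accesses", []))
        elif eid == OBJECT_DELETED:
            t.deleted = True
        elif eid == HANDLE_CLOSED:
            t.closed = True
    return dict(traces)


def classify(t: HandleTrace) -> str:
    """Verdict for one handle lifetime.

    'delete'              : DELETE exercised and a 564 confirmed the removal
    'rename-candidate'    : DELETE exercised (567) but no 564 followed; this is
                            what a rename looks like, but the log cannot prove it
    'delete-access-unused': opened with DELETE (560) but never used it
    'other'               : no DELETE access involved at all
    """
    if t.deleted:
        return "delete"
    if DELETE in t.used:
        return "rename-candidate"
    if DELETE in t.opened_with:
        return "delete-access-unused"
    return "other"


def classify_all(events: List[dict]) -> List[Tuple[str, Optional[str], str]]:
    """Return (handle_id, object_name, verdict) for every handle lifetime."""
    out = []
    for hid, lifetimes in correlate(events).items():
        for t in lifetimes:
            out.append((hid, t.object_name, classify(t)))
    return out


# Constructed sample: a rename, a delete, an unused DELETE open, and a reuse
# of Handle ID 0x1a4 for a second, genuine delete after the first 562.
SAMPLE_EVENTS = [
    {"event_id": 560, "handle_id": "0x1a4", "object_name": r"C:\data\report.doc",
     "accesses": ["DELETE", "READ_CONTROL"]},
    {"event_id": 567, "handle_id": "0x1a4", "accesses": ["DELETE"]},
    {"event_id": 562, "handle_id": "0x1a4"},
    {"event_id": 560, "handle_id": "0x1b8", "object_name": r"C:\data\old.tmp",
     "accesses": ["DELETE"]},
    {"event_id": 567, "handle_id": "0x1b8", "accesses": ["DELETE"]},
    {"event_id": 564, "handle_id": "0x1b8"},
    {"event_id": 562, "handle_id": "0x1b8"},
    {"event_id": 560, "handle_id": "0x1cc", "object_name": r"C:\data\notes.txt",
     "accesses": ["DELETE"]},
    {"event_id": 562, "handle_id": "0x1cc"},
    {"event_id": 560, "handle_id": "0x1a4", "object_name": r"C:\data\scratch.log",
     "accesses": ["DELETE"]},
    {"event_id": 567, "handle_id": "0x1a4", "accesses": ["DELETE"]},
    {"event_id": 564, "handle_id": "0x1a4"},
    {"event_id": 562, "handle_id": "0x1a4"},
]

if __name__ == "__main__":
    for hid, name, verdict in classify_all(SAMPLE_EVENTS):
        print(f"{hid:>6}  {verdict:<21} {name}")
```

In practice the 564 can arrive some time after the 567, so a live WMI consumer has to hold a 567-with-DELETE trace open until its 562 before deciding; even then, a "rename-candidate" verdict stays a candidate, which is why the reply points at NTFS change notifications for the rename itself.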