Event viewer

[Guest]

Hi:
Is there anyway to not only set up a event viewer audit, but to find out how
long a file was opened, most of the files in question are video and audio
files?

 

[Steven L Umbach]

If you look deep enough at the object access events recorded in the security
log, particularly Event ID's 560 and 562 as timestamped pairs you might be
able to get an idea how long a file was opened. Pouring through all the
object access events can get tedious but the more you do it the better you
will get at it. If possible audit ONLY files that you need to instead of all
files in a folder and audit only those permissions you need to ge the job
done. --- Steve

 

[Guest]

As for auditing Event Viewer access, try the following:
1. Make sure that you have Object and File Access auditing enabled
2. in %windir%\system32, Right-click the eventvwr.exe file, choose
Properties, click the Security tab, advanced button, then set auditing
parameters.
3. Do the same thing with eventvwr.msc file

 

[Karl Levinson, mvp]

For enabling file auditing:

http://securityadmin.info/faq.asp#auditing

 

[Guest]

Hi: Thanks for the help, however I am still confused how to read it. I use
another program that views the "History" files. The confusion is this, the
event viewer will have many consecutive entries for the same file, while the
other program shopws the file being open and nothing else happening until
another files is opened. So the even viewer may show a particular file being
opened and close with in seconds, while the other program shows the same file
being opened for a much longer period of time. I think I need more help.