
Who deleted the file? - Part II

Status
Not open for further replies.

IlyaRabyy

Programmer
Nov 9, 2010
571
US
Colleagues,

As stated in the original "Who deleted the file - HOW-TO" thread
(https://www.tek-tips.com/viewthread.cfm?qid=1829113)
the work is half-done, that is the code reporting the change, appearance and disappearance of a file is working.
However!
The question "Who's done it?" still remains unanswered:

Code:
eventLogEntry.ReplacementStrings(1)

returns the name of the computer (WS or network box), e.g. like ".XML was deleted by xxxxxxxxxxxxZZPB$". (Apologies, had to "redact" the computer name, our Cybersecurity's watching! :) )

I was thinking: it seems (to yours truly, at least) that Task Manager shows the User/Entity that runs this or that process:

[Screenshot, 2024-03-28: Task Manager showing which user or entity runs each process]


So, is there something that is able to tell the name of the entity (User or a Program) that created/modified/deleted a file?

AHWBGA!

Regards,

Ilya
 
>returns the name of the computer (WS or network box),

And I briefly explained why. The event that you are auditing is caused by a service account, and the short name used in the event log for that is the name of the PC/Server that invoked the service.
However, if you really want to drill down to the service account name, then add the following function to the code I previously provided

Code:
' Requires: Imports System.Security.Principal
Private Function LookupSID(SIDString As String) As String
    ' Translate a SID string such as "S-1-5-18" into its DOMAIN\Name (NTAccount) form
    LookupSID = New SecurityIdentifier(SIDString).Translate(GetType(NTAccount)).ToString
End Function

And then change

Code:
whodidit = " by " & eventLogEntry.ReplacementStrings(1) & " at " & eventLogEntry.TimeGenerated.ToString & " via " & eventLogEntry.ReplacementStrings(11)

to

Code:
whodidit = " by " & LookupSID(eventLogEntry.ReplacementStrings(0)) & " at " & eventLogEntry.TimeGenerated.ToString & " via " & eventLogEntry.ReplacementStrings(11)

But I am not sure you'll feel any more enlightened
 
StrongM said:
I am not sure you'll feel any more enlightened

And you were right, StrongM: this code you've provided invariably returns "NT AUTHORITY\SYSTEM" instead of the "perpetrator's" User Name...
I deleted a couple of files in a designated directory on a network share, and asked my coworker to log in to the same share and also delete a couple of files there - in both cases the User Name was the same as mentioned above.
It seems to me (after some research) that GetType(NTAccount) in the code you've provided returns exactly that: the type of the User access privileges, not the User Name.

And I need that latter.

I did some search on MS Learn - no useful (for yours truly) information was found...

Thus, the question remains: how do I, the Program, get the User Name of the user, or entity, that created/modified/deleted a file in a monitored directory?

Regards,

Ilya
 
>It seems to me (after some research) that GetType(NTAccount) in the code you've provided returns exactly that: the type of the User access privileges

Nope. What it is doing is telling the Translate method how to translate the SID.

>not the User Name
It IS a username, just one of the built-in ones, as I briefly explained in your other thread. For whatever reason, the OS thinks NT AUTHORITY\SYSTEM is the user doing the deleting. Why it thinks that I can't say.
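An added example, not code from the thread or from either poster: the same SID lookup StrongM describes, done in PowerShell against the Security log, with the two audit events joined so the report names both the user and the file. Event 4660 ("An object was deleted") carries the deleting subject's SID, logon ID and process, but not the file name; the name is only in the 4663 handle-open event that precedes it, so the two are matched on HandleId (ReplacementStrings(11) of 4663, the ProcessName, is the same field the thread uses). If the resolved subject is still NT AUTHORITY\SYSTEM (S-1-5-18), the handle was opened by a process running as LocalSystem, and the Process column shows which one. Assumptions: Audit Object Access / File System is enabled with a SACL for Delete on the folder, and the script runs on the machine that hosts the files, because a deletion on a share is audited by the file server, not the client; the path D:\Shared\Watched is a placeholder.

```powershell
# Added example (not from the thread). Joins Security events 4663 (handle opened,
# carries ObjectName) and 4660 (object deleted, carries who/process but no name)
# on HandleId, then resolves SubjectUserSid to DOMAIN\User.
# Assumptions: Audit Object Access / File System is on, the folder has a SACL for
# Delete, and this runs on the host that owns the files. $WatchPath is a placeholder.
param(
    [string]$WatchPath = 'D:\Shared\Watched',
    [int]$MaxEvents    = 5000
)

function Resolve-Sid {
    param([string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $Sid    # orphaned or foreign SID: report it raw rather than fail
    }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663 } `
                       -MaxEvents $MaxEvents -ErrorAction Stop

# 4663 property order: 0 SubjectUserSid, 1 SubjectUserName, 2 SubjectDomainName,
# 3 SubjectLogonId, 4 ObjectServer, 5 ObjectType, 6 ObjectName, 7 HandleId,
# 8 AccessList, 9 AccessMask, 10 ProcessId, 11 ProcessName
$openedBy = @{}
foreach ($e in ($events | Where-Object Id -eq 4663)) {
    $p = $e.Properties
    if ($p[6].Value -like "$WatchPath*") {
        $openedBy[[string]$p[7].Value] = $p[6].Value   # keyed by HandleId
    }
}

# 4660 property order: 0 SubjectUserSid, 1 SubjectUserName, 2 SubjectDomainName,
# 3 SubjectLogonId, 4 ObjectServer, 5 HandleId, 6 ProcessId, 7 ProcessName
$deletions = foreach ($e in ($events | Where-Object Id -eq 4660)) {
    $p = $e.Properties
    $handle = [string]$p[5].Value
    if (-not $openedBy.ContainsKey($handle)) { continue }   # not one of our files
    [pscustomobject]@{
        Time    = $e.TimeCreated
        File    = $openedBy[$handle]
        Who     = Resolve-Sid ([string]$p[0].Value)
        LogonId = $p[3].Value
        Process = $p[7].Value
    }
}

$deletions | Sort-Object Time | Format-Table -AutoSize
```

Handle IDs are reused once closed, so over a long window the same HandleId can belong to several opens; keep $MaxEvents modest, or extend the join to pick the 4663 that most closely precedes each 4660 in time. The SubjectLogonId column is what ties a deletion back to the 4624 logon event (and, for a share, to the network logon of the remote user) when the account name alone is ambiguous.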
 