Who deleted the file? - Part II

[IlyaRabyy]

Colleagues,

As stated in the original "Who deleted the file - HOW-TO" thread
([URL unfurl="true"]https://www.tek-tips.com/viewthread.cfm?qid=1829113[/url])
the work is half-done, that is the code reporting the change, appearance and disappearance of a file is working.
However!
The question "Who's done it?" still remains unanswered:

eventLogEntry.ReplacementStrings(1)

returns the name of the computer (WS or network box), e.g. like ".XML was deleted by xxxxxxxxxxxxZZPB$". (Apologies, had to "redact" the computer name, our Cybersecurity's watching! )

I was thinking: it seems (to yours truly, at least) that Task Manager shows the User/Entity that runs this or that process:

So, is there something that is able to tell the name of the entity (User or a Program) that created/modified/deleted a file?

AHWBGA!

Regards,

Ilya

 

[strongm]

>returns the name of the computer (WS or network box),

And I briefly explained why. The event that you are auditing is caused by a service account, and the short name used in the event log for that is the name of the PC/Server that invoked the service.
However, if you really want to drill down to the service account name, then add the following function to the code I previously provided

[COLOR=blue]Private Function LookupSID(SIDString As String) As String
    LookupSID = New SecurityIdentifier(SIDString).Translate(GetType(NTAccount)).ToString
End Function[/color]

And then change

[COLOR=blue]whodidit = " by " & eventLogEntry.ReplacementStrings(1) & " at " & eventLogEntry.TimeGenerated.ToString & " via " & eventLogEntry.ReplacementStrings(11)[/color]

to

[COLOR=blue]whodidit = "by " & LookupSID(eventLogEntry.ReplacementStrings(0)) & " at " & eventLogEntry.TimeGenerated.ToString & " via " & eventLogEntry.ReplacementStrings(11)[/color]

But I am not sure you'll feel any more enlightened

 

[IlyaRabyy]

I am not sure you'll feel any more enlightened

And you were right, StrongM: this code you've provided invariably returns "NT AUTHORITY\SYSTEM" instead of the "perpetrator's" User Name...
I deleted couple files in a designated directory on a network share, and asked my coworker to log into the same share and also delete couple files there - in both cases the User Name was the same mentioned above.
It seems to me (after some research) that GetType(NTAccount) in the code you've provided returns exactly that: the type of the User access privileges, not the User Name.

And I need that latter.

I did some search on MS Learn - no useful (for yours truly) information was found...

Thus, the question remains: how do I, the Program, get the User Name of the user, or entity, that created/modified/deleted a file in a monitored directory?

Regards,

Ilya

 

[strongm]

>It seems to me (after some research) that GetType(NTAccount) in the code you've provided returns exactly that: the type of the User access privileges

Nope. What it is doing is telling the Translate method how to translate the SID.

>not the User Name
It IS a username, just one of the built-in ones, as I briefly explained in your other thread. For whatever reason, the OS thinks NT AUTHORITY\SYSTEM is the user doing the deleting. Why it thinks that I can't say.