How to Monitor Windows Files and Which Tools to Use

Any desktop environment is bound to contain many files and folders, and many are related to the underlying operating system, but some come from applications, user data, and other sources.

IT administrators looking for a positive UX for Windows desktop users should monitor some if not all Windows files and folders.

Why monitor Windows files and folders?

There are many good reasons to monitor the Windows file system on modern PCs. The main reasons for monitoring are:

  1. Security

    Certain parts of the file system, especially those related to account data, permissions, and operating system controls, should never be “touched” by IT except on rare occasions. IT can use programs such as TrustedInstaller to handle these sensitive files carefully. View Microsoft security credentials document for more details.

  2. Audit and Accountability

    When the use of high-level privileges and accounts is required, many organizations carefully monitor these files and associated changes. Organizations should track changes to key files and folders, looking for anything out of the ordinary or suspicious. It is also a safety requirement and monitoring in this way is required in some industries.

  3. User activity

    Organizations should track general file and folder usage, especially with timestamp information that is invariably included. This information provides a detailed inventory of what users are doing with which files and folders, and when these activities occur.

For the two current versions of Windows (Windows 10 and Windows 11), administrators can turn to Group Policy Management as an audit policy tool.

Monitoring and filtering go hand in hand

Due to the volume of file system activity inherent in an enterprise Windows setting, it is rarely a good idea to monitor all activity all the time. Normally all monitoring will focus on specific folders in Windows file system hierarchy to limit the scope and volume of resulting monitoring data that monitoring tools collect and store.

For example, security monitors will focus on activity in specific Windows file folders that they know would be the target of hacking attempts. A good example of such important files are the File Explorer options control panel files which provide special functionality such as:

  • Hidden files and folders. These include BitLockerComment elements, installation files and components.
  • Protected operating system files. These include many items in the C:Windows folder hierarchy.
  • Protected aspects of the application hierarchy. These include C:Program Files, C:Program Files (x86) and C:ProgramData — which is also a hidden folder.
  • Specifically hidden system folders. These include names that often begin with a dollar sign ($), which hides them from display unless the user activates Show hidden files and folders in File Explorer options.

Built-in file and folder monitoring in Windows 10 and 11

For the two current versions of Windows (Windows 10 and Windows 11), administrators can turn to Group Policy Management as an audit policy tool. Microsoft includes a detailed tutorial on how to monitor central access policies associated with files and folders in its Documentation. It describes how administrators can use domain controller-based policy settings to configure various file and folder-related audit events for entire domains. IT can apply them on a file or folder basis where folder audits can cover all files and subfolders within them. This provides global coverage for all PCs and users.

On the other hand, the IT department can also audit files or folders locally. This is possible through File Explorer in the Properties window for a given file or folder through the Advanced Permissions and Auditing tab (Figure 1).

Audit controls available through advanced permissions in Windows File Explorer.
Figure 1. Audit controls available for local files and folders through File Explorer properties.

The problem with such an audit is the amount of time and effort required to set it up and analyze the data it produces. This is why many administrators turn to third-party tools for such tasks.

File activity monitoring tools

IT organizations should take a security-centric approach to monitoring activity. Prevent unauthorized users from accessing or exfiltrate sensitive data or key files is a proven approach to preventing the theft, loss or unwanted disclosure of data. Consider this short list of tools suitable for enterprise use cases based on their feature sets:

  1. SolarWinds Server and Application Monitor

    This server management software offers file tracking capabilities and provides real-time statistics on individual device files, folders, and drives.

  2. Site24x7 file and directory monitoring

    A cloud-based monitoring service that covers file and storage activity for servers under its control. It also includes additional protection for sensitive data stores.

  3. ManageEngine DataSecurity Plus

    This provides comprehensive file server auditing with very granular activity reporting as well as data leak prevention, data risk assessments, file scans and more.

  4. LANGuardian

    An in-depth network traffic inspection service that includes features to monitor file access and usage on the network. It includes custom user activity monitoring capabilities.

  5. PA file view

    An in-depth file and folder access auditing tool that also offers ransomware protection, data loss prevention, and reliable application configuration and controls.

Some administrators may need tools that specifically monitor file access and activity on local user PCs. They will probably want to find different tools to help them in these scenarios. There are several freeware cases of these types of tools, including the following:

  1. Watch 4 Folder

    It provides real-time information about file system actions, including creating, deleting, renaming, and changing files or folders; file associations, which correspond to specific application extensions; and the use of external storage devices.

  2. TheSpyDossier

    It offers real-time monitoring of multiple designated folders in a compact executable with the ability to track creation and deletion; attribute changes; access dates and file size changes. Administrators could even track files by extension type. Email event alert is also included.

  3. Folder Monitor

    This provides cover for typical file and folder events with the ability to trigger defensive and reporting actions when specific changes are detected.

  4. ViewChangesFolder

    This tool can monitor files, folders and entire drives in real time with event triggers. It can also launch batch files or scripts in response to triggers with periodic log file recordings.

  5. TrackFolderChanges

    A portable tool with limited but capable monitoring of files and folders, including file or folder creation, modification and deletion operations. It automatically tracks the default Windows C: drive with color coding to report changes and activity.

Dig deeper into Windows operating system and management

Comments are closed.