PowerShell – Get file audit reports from Event Viewer

Posted: March 24, 2023 in Scripts

I had a task to check who is accessing file shares, and when.

The first step was to enable folder/file auditing.

Then I needed to pull the reports out of Event Viewer.

I needed to get reports only for a subset of shared folders and needed to exclude specific accounts from them.

The script below returns the time, the folder being accessed and the account that accessed it.

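$EventId = 4663   # "An attempt was made to access an object"
# -and and -or have equal precedence in PowerShell, so the folder tests are grouped explicitly.
$results = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $EventId; StartTime = "03/24/2023 09:30:00" } |
    Where-Object {
        ($_.Message -match 'C:\\folder1\\' -or $_.Message -match 'D:\\folder2' -or $_.Message -match 'D:\\folder3') -and
        $_.Message -notmatch 'Account Name:\s*account1' -and   # excluded user account (regex, so no trailing *)
        $_.Message -notmatch 'Account Name:\s*machine\$'       # excluded machine account; \$ is a literal dollar sign
    } |
    Select-Object -Property TimeCreated,
        @{Label='Account'; Expression={$_.Properties[1].Value}},      # SubjectUserName
        @{Label='ObjectName'; Expression={$_.Properties[6].Value}}    # ObjectName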

$results | Export-Csv "C:\1.csv" -NoTypeInformation -Encoding UTF8
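
The first step above, enabling folder/file auditing, can also be scripted. This is an added example, not part of the original post: it turns on the File System audit subcategory and adds an auditing entry (SACL) to each folder so that event 4663 is written. It assumes an elevated session, an English-language system (the subcategory name is localized), the placeholder folder paths from the script above, and that auditing `Everyone` for successful read, write and delete is the scope wanted.

```powershell
# Added example. Folder paths are the placeholders used in the script on this page.
$folders = 'C:\folder1', 'D:\folder2', 'D:\folder3'

# 1. Enable the "File System" audit subcategory. Without it the SACL entries
#    below exist but no 4663 events are written to the Security log.
auditpol /set /subcategory:"File System" /success:enable

# 2. Add an audit rule to each folder, inherited by subfolders and files.
foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder)) {
        Write-Warning "Skipping missing folder: $folder"
        continue
    }

    # -Audit is required, otherwise Get-Acl does not return the SACL.
    $acl = Get-Acl -LiteralPath $folder -Audit

    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',                          # assumption: audit all principals
        'ReadData, WriteData, Delete',       # assumption: rights worth logging
        'ContainerInherit, ObjectInherit',   # apply to subfolders and files
        'None',                              # no special propagation
        'Success')                           # log successful access only

    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $folder -AclObject $acl
}

# 3. Confirm the policy and show the audit entries now in place.
auditpol /get /subcategory:"File System"
foreach ($folder in $folders) {
    if (Test-Path -LiteralPath $folder) {
        (Get-Acl -LiteralPath $folder -Audit).Audit |
            Select-Object @{Label='Folder'; Expression={$folder}},
                          IdentityReference, FileSystemRights, AuditFlags
    }
}
```

Auditing reads on busy shares generates a large number of events, so check the maximum size of the Security log before relying on the report covering the whole period.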
