The Importance of Monitoring File Changes
Monitoring file changes is important, especially for files or folders that are not expected to change outside of certain parameters. Detecting file changes can help you identify whether malicious actors have been able to modify or delete files of interest. For example, file changes can tell you if a malicious actor has copied malware into a directory or if an insider has deleted files they are not supposed to. The process below works on any modern Windows operating system, whether it is a server or a workstation.
How to enable the necessary group policies
Before we begin, we need to ensure that the necessary group policies are configured so that we can conduct this level of auditing. To do this, open the Group Policy Editor and follow the two steps below.
1. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy. When in Audit Policy select “Audit object access” properties and check the Success checkbox and then apply.

2. Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access. When in Object Access open the properties for both “Audit File System” and “Audit Handle Manipulation”. Check the Success checkbox for each and then apply.

How To Detect File Changes
1. On the folder or file that you want to configure auditing for, right click and select Properties and then navigate to the Security tab. Now select Advanced.

2. Within Advanced navigate to the Auditing tab > Continue > Add.

3. Within the Auditing Entry click “Select a principal” and enter “Everyone” as the object name, in order to track changes if done by any user, then click OK.
- If you only want to audit changes for certain users or groups you can list them under “Enter the object name to select” instead of the “Everyone” object.

4. In order to track when a file or folder is deleted check the checkboxes for “Delete subfolders and files” and “Delete”. If you would like to track other changes, for instance, you can add “Write” permissions to track when a write has occurred. There are also other permissions that can be configured to audit their corresponding activity. After reviewing the below notes click OK to apply.
Here are a few things to take note of during this step:
- If you would only like to know when a file or folder has been deleted you can uncheck all boxes except the two delete checkboxes.
- If the checkbox “Only apply these auditing settings to objects and/or containers within this container” is left unchecked, the audit settings you configure for this folder will propagate to the files and subfolders it contains.
- The “Applies to” drop-down is only applicable when auditing folders. If you are creating this audit entry for a single file, you can ignore this drop-down.
- If “This folder, subfolders and files” is selected, you will be informed when a file within the folder is deleted even if that file was created after this configuration took place. This also applies to subdirectories that exist now or are created later.
- The security log is limited in size, so be mindful of which files and folders are being audited and how many there are. If the security event log runs out of space, older entries will be overwritten, although the maximum size of the security event log can be increased.

5. Now that the Auditing Entry has been configured it will appear under Auditing Entries. You can click Apply and OK.
6. Now you can delete a test file or folder. This action will generate a 4663 event.
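The same configuration from an elevated PowerShell prompt, as an added example that is not part of the original post: the two audit subcategories from the group-policy steps, the auditing entry from steps 1-5, and the test deletion from step 6. The folder path is an assumption, and on a domain-joined host the GPO must match the auditpol settings or Group Policy will overwrite them on the next refresh.

```powershell
# Added example, not from the Blumira post. $Target is an assumed folder to monitor.
$Target = 'C:\Shares\Finance'

# Advanced Audit Policy > Object Access, Success only (the two subcategories from the steps above).
auditpol /set /subcategory:"File System" /success:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable
auditpol /get /category:"Object Access"   # verify both subcategories report "Success"

# Auditing entry: principal Everyone; Delete, "Delete subfolders and files" and Write;
# Success only; applied to "This folder, subfolders and files" via inheritance flags.
$Rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, Write'
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Rule    = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone', $Rights, $Inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$Acl = Get-Acl -Path $Target -Audit      # -Audit reads the SACL (requires SeSecurityPrivilege)
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Target -AclObject $Acl

# What the GUI shows under "Auditing Entries".
(Get-Acl -Path $Target -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# Step 6: create and delete a test file, then confirm a 4663 was written for it.
$Test = Join-Path $Target 'audit-test.txt'
Set-Content -Path $Test -Value 'delete me'
Remove-Item -Path $Test
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 10 |
    Where-Object { $_.Properties[6].Value -eq $Test } |   # Properties[6] = ObjectName
    Select-Object TimeCreated, @{ n = 'Account'; e = { $_.Properties[1].Value } },
                  @{ n = 'AccessMask'; e = { '0x{0:X}' -f [long]$_.Properties[9].Value } }
```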

Here is some useful information that you will want to review in the resulting 4663 event:
- Account Name: This will provide you the user that took the action.
- Object Name: Will be the filename or folder name of the object that the action was taken on. This will also provide you with the path to that file or folder.
- Access: This will show you the action that took place.
- Event ID: If you are monitoring for a file or folder being deleted, a 4663 event will be generated for each single file and folder that was deleted.
- As an example there will be multiple 4663 events, one for each txt file, if there was a folder that was deleted which contained multiple txt files.
- The subdirectories and files within the folder that was deleted will only create a 4663 event if the dropdown for “This folder, subfolder, and files” was previously configured which we discussed in step 4.
- Computer: Will show you the device name that this action took place on.
Detecting File Changes With Blumira
Once the above process has been completed, you can view these events in Blumira by using the Report Builder feature in the Blumira app: search for 4663 events and select the columns you want to view to build a report of the logs created by this activity. Blumira can also facilitate a custom detection that generates notifications within the Blumira app to alert you when these file system changes take place.
Frequently Asked Questions
Which Windows audit policy settings detect file changes on a server?
You need two things configured, and missing either one is the most common reason file auditing does not work. First, enable the audit policy: go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access and enable "Audit File System" for both Success and Failure. Second, apply a System Access Control List (SACL) to the specific folder you want to monitor. Right-click the folder > Properties > Security > Advanced > Auditing, then add an entry specifying which principals (usually "Everyone" or a specific group) and which operations (Write, Delete, Change Permissions) to audit. The audit policy tells Windows to generate file audit events. The SACL tells Windows which folders and operations to actually track. Without the SACL, the audit policy does nothing. Without the audit policy, the SACL is ignored.
What Windows Event IDs indicate file changes?
Event ID 4663 is the primary event for tracking file modifications. It fires when a process accesses an object with specific permissions, and the "Accesses" field tells you what happened: WriteData or AddFile means a file was written or created, AppendData means data was appended, DELETE means the file was removed, and WRITE_DAC or WRITE_OWNER means permissions were changed. Event 4656 logs the initial handle request (useful for seeing who opened the file), Event 4658 logs the handle close, and Event 4660 specifically logs object deletion. For practical monitoring, filter on Event 4663 with WriteData, AppendData, or DELETE in the Accesses field. This captures modifications and deletions while ignoring read-only access that would flood your logs.
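Pulling the fields listed under the 4663 event above and decoding the Accesses named in this answer, as an added example that is not part of the original post. The bit values are the standard Windows file access-right constants; the folder prefix is an assumption.

```powershell
# Added example, not from the Blumira post. $PathPrefix is an assumed folder to report on.
$AccessBits = @{
    0x2     = 'WriteData/AddFile'
    0x4     = 'AppendData/AddSubdirectory'
    0x10000 = 'DELETE'
    0x40000 = 'WRITE_DAC'
    0x80000 = 'WRITE_OWNER'
}
$Interesting = 0x2 -bor 0x4 -bor 0x10000   # modifications and deletions only; reads are ignored

function Get-FileChangeEvents {
    param([int]$MaxEvents = 500, [string]$PathPrefix = 'C:\Shares\')
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $p    = $_.Properties               # positional EventData fields of a 4663 event
            $mask = [long]$p[9].Value           # AccessMask
            $name = [string]$p[6].Value         # ObjectName (full path)
            if (($mask -band $Interesting) -and $name.StartsWith($PathPrefix, 'OrdinalIgnoreCase')) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    Computer    = $_.MachineName
                    AccountName = '{0}\{1}' -f $p[2].Value, $p[1].Value   # SubjectDomainName\SubjectUserName
                    Process     = [string]$p[11].Value
                    ObjectName  = $name
                    # Translate the set bits into the names shown in the event's "Accesses" field
                    Access      = ($AccessBits.GetEnumerator() | Where-Object { $mask -band $_.Key } |
                                   Sort-Object Key | ForEach-Object Value) -join ','
                }
            }
        }
}

Get-FileChangeEvents | Format-Table -AutoSize
```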
How do I monitor file changes without flooding the security log?
Be precise with your SACLs. Do not audit "Everyone" on the entire C:\ drive. Instead, target the specific directories that matter: web server document roots, application configuration folders, scheduled task directories (C:\Windows\System32\Tasks), startup folders, and any directory containing sensitive business data. Audit only write and delete operations, not reads. Exclude service accounts that make routine, expected changes (like backup agents or antivirus updating definition files) by specifying user groups in the SACL rather than "Everyone." Set the Security event log maximum size to at least 1 GB and configure archival to prevent events from being overwritten before your log collector picks them up.
What is the difference between NTFS auditing and file integrity monitoring?
NTFS auditing (what Windows provides natively through audit policies and SACLs) answers the question "WHO did WHAT to this file and WHEN." It logs the user account, process, operation type, and timestamp. File integrity monitoring (FIM) answers a different question: "WHAT CHANGED inside this file." FIM tools calculate checksums or hashes of monitored files and compare them over time, detecting when file contents change regardless of who made the change. NTFS auditing tells you "jsmith.exe wrote to web.config at 3:14 AM." FIM tells you "the connectionString value in web.config changed from X to Y." For security, both have value. NTFS auditing catches who is touching files they should not be touching. FIM catches content changes that matter, like a modified system binary or altered configuration.
Can I detect ransomware through Windows file change monitoring?
Yes, and the detection pattern is distinctive. Ransomware generates massive spikes in Event 4663 (file modification) and Event 4660 (file deletion) in rapid succession, often thousands of events per minute from a single user account or process. The events typically show unusual file extension changes (original files being renamed to .encrypted, .locked, or random extensions) and activity spanning many directories in a short window. Ransomware also creates new files (the encrypted copies and ransom notes) that trigger Event 4663 with AddFile access. A SIEM that baselines normal file activity volumes can alert on the spike pattern within the first few minutes of encryption. The key is having that baseline in place before an incident, because without knowing what "normal" looks like, you cannot reliably detect the anomaly.
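The baseline-and-spike logic described in this answer, as an added example that is not part of the original post: 4663 and 4660 events are bucketed per account per minute, the earlier part of the window provides the "normal" per-minute rate, and recent minutes far above it are reported together with how many distinct directories they touched. Window sizes and thresholds are assumed starting points to tune per host.

```powershell
# Added example, not from the Blumira post. Thresholds and windows are assumptions.
function Find-FileChangeBursts {
    param(
        [int]$LookbackHours = 24,
        [int]$RecentMinutes = 60,       # minutes compared against the baseline
        [double]$Multiplier = 10,       # flag a minute above Multiplier x the baseline mean
        [int]$MinimumPerMinute = 200    # absolute floor so quiet hosts do not alert on noise
    )
    $start  = (Get-Date).AddHours(-$LookbackHours)
    $recent = (Get-Date).AddMinutes(-$RecentMinutes)
    # 4663 = object access (writes/creates), 4660 = object deleted; SubjectUserName is index 1 in both.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4660; StartTime = $start } -ErrorAction SilentlyContinue
    if (-not $events) { return }

    $buckets  = $events | Group-Object { '{0}|{1:yyyy-MM-dd HH:mm}' -f $_.Properties[1].Value, $_.TimeCreated }
    $baseline = $buckets | Where-Object { $_.Group[0].TimeCreated -lt $recent }
    # Mean per minute over the whole baseline period, so quiet minutes count as zero.
    $baselineSum = [double]($baseline | Measure-Object -Property Count -Sum).Sum
    $mean        = $baselineSum / ($LookbackHours * 60 - $RecentMinutes)
    $threshold   = [math]::Max($MinimumPerMinute, $Multiplier * $mean)

    $buckets |
        Where-Object { $_.Group[0].TimeCreated -ge $recent -and $_.Count -gt $threshold } |
        ForEach-Object {
            $account, $minute = $_.Name -split '\|'
            # Distinct directories touched in that minute (ObjectName is index 6 in 4663 only).
            $dirs = $_.Group | Where-Object Id -eq 4663 |
                ForEach-Object { Split-Path ([string]$_.Properties[6].Value) } | Sort-Object -Unique
            [pscustomobject]@{
                Account     = $account
                Minute      = $minute
                Events      = $_.Count
                Threshold   = [int]$threshold
                Directories = @($dirs).Count   # many directories in one minute is the ransomware tell
            }
        }
}

Find-FileChangeBursts | Format-Table -AutoSize
```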