I have written the following relevance, and it works, but I have been asked to also provide the username that last changed the file. I don't know how to query the system to provide either the user ID of the logged-on user that changed the file, or whether it was the system changing the file, i.e. log files.
((pathname of it & " ( " & modification time of it as string & " )") of files whose (modification time of it > now - 24*hour and ((name of it != "gpt.ini") and (name of it as lowercase does not end with ".log"))) of (folder it; descendant folders of folder it) whose (pathname of it does not start with "C:\Windows\system32\CCM") of (pathname of system folder; "c:\inetpub"; "e:\inetpub"; "c:\windows\sysvol"; "e:\windows\sysvol") whose (exists folder it))
Thank you very much for your response. I would be running this against 1500+ desktops and 30+ servers. I would only run it once a day, and I have cleaned up my relevance to limit the files I am looking for, but if it is going to do that much work, I will probably just avoid that part. I have included my cleaned-up code.
((pathname of it & " ( " & modification time of it as string & " )")
  of files whose (modification time of it > now - 24*day
    and ((name of it as lowercase ends with ".exe")
      or (name of it as lowercase ends with ".sys")
      or (name of it as lowercase ends with ".dll")
      or (name of it as lowercase ends with ".ocx")))
  of (system folder; descendant folders of system folder))
;
((pathname of it & " ( " & modification time of it as string & " )")
  of files whose (modification time of it > now - 24*hour)
  of (folder it; descendant folders of folder it)
  of ("c:\inetpub"; "e:\inetpub"; "c:\windows\sysvol"; "e:\windows\sysvol") whose (exists folder it))
;
((pathname of it & " ( " & modification time of it as string & " )")
  of files whose (modification time of it > now - 24*hour and (name of it as lowercase = "machine.config"))
  of (folder it; descendant folders of folder it)
  of ("c:\windows\microsoft.net"; "") whose (exists folder it))
(pathname of it, owner of security descriptor of it, creation time of it)
  of files whose (now - modification time of it < 24*day
    and ((name of it as lowercase ends with ".exe")
      or (name of it as lowercase ends with ".sys")
      or (name of it as lowercase ends with ".dll")
      or (name of it as lowercase ends with ".ocx")))
  of (system x64 folder; descendant folders of system x64 folder)
You can add your other part to it, but this will give you what BF can… You can also use 'creation time' and 'accessed time', and also specify x64 to get them all. You can only see that an administrator, TrustedInstaller or SYSTEM did it, not the user itself, as there isn't anything I am aware of to do that.
Turn on Audit Privilege Use and auditing for CREATE only for the directories and subdirectories you want to monitor, and pull it from the logs.
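To show what "pull it from the logs" looks like in practice, here is an added PowerShell example; it is not code from this thread. It uses the Object Access > File System audit subcategory plus a SACL on the monitored folders, which is where Windows records file creates, writes and deletes as Security event 4663, and then reads those events back for the same 24-hour window the relevance above uses. The folder list (C:\inetpub and C:\Windows\SYSVOL, taken from the question) and the "run elevated" requirement are assumptions.

```powershell
# Added example (not from the thread): audit who writes to a monitored folder
# and pull the writers back out of the Security log.
# Run from an elevated PowerShell session; writing a SACL needs SeSecurityPrivilege.
# Assumption: the folder list mirrors the relevance in the question.

$Folders = 'C:\inetpub', 'C:\Windows\SYSVOL'   # adjust to the paths being monitored

# 1. Enable success auditing for the File System subcategory (Object Access).
auditpol /set /subcategory:"File System" /success:enable /failure:disable | Out-Null

# 2. Put a SACL on each folder so that file creation, append and delete by any
#    account are recorded, inherited down to all files and subfolders. Keep the
#    SACL scoped to these folders only; auditing the whole system drive is noisy.
$rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success

foreach ($folder in ($Folders | Where-Object { Test-Path -Path $_ -PathType Container })) {
    $acl  = Get-Acl -Path $folder -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $folder -AclObject $acl
}

# 3. Read 4663 (object access) events from the last 24 hours and keep only
#    writes/deletes under the monitored folders. SubjectUserName is the account
#    that held the handle: an interactive user, or SYSTEM / the computer
#    account (HOST$) when a service did it. ProcessName says which binary wrote.
$WriteMask = 0x10006   # WriteData|AppendData (0x2|0x4) and DELETE (0x10000)
$xpath = "*[System[EventID=4663 and TimeCreated[timediff(@SystemTime) <= 86400000]]]"

Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Object  = $d.ObjectName
        Mask    = [int]$d.AccessMask      # AccessMask is logged as a hex string, e.g. "0x2"
        Process = $d.ProcessName
    }
} | Where-Object {
    $evt = $_
    (($evt.Mask -band $WriteMask) -ne 0) -and
    ($Folders | Where-Object { $evt.Object -like "$_\*" })
} | Sort-Object Time | Format-Table -AutoSize
```

The relevance in the thread still tells you which files changed; this adds the account and the process that did it. Event 4663 is only written for objects whose SACL matches the access, so the step 2 audit rule is what makes the step 3 query return anything, and a file changed by a service will show the machine account or SYSTEM as the subject rather than a logged-on user.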