CODEWITHSUNDEEP
c#filesystemwatcher
Ash
Ash

Reputation: 62096

Which user caused FileSystemWatcher events?

For example, I can catch the Delete event for various files in a folder tree, but how would I go about determining which user caused the delete to happen?

I couldn't find anything obvious in the MSDN documentation for FileSystemWatcher, so maybe it is just not possible. I'd be curious if there is a solution however.

Upvotes: 2

Views: 4106

Answers (3)

Ignacio Calvo
Ignacio Calvo

Reputation: 834

It is possible using Folder Auditing (folder Properties > Security > Advanced Options > Auditing) and then looking up the Security Event Log after the FileSystemWatcher event fires.

string GetUser(string path) {
    object nowDate = Now;
    GetUser = "Unknown";
    Threading.Thread.Sleep(1000);
    // # Search user in the security event log
    object secLog = new EventLog("Security", EVENTLOGSERVER);
    EventLogEntry entry;
    for (int i = (secLog.Entries.Count - 1); (i <= Math.Max((secLog.Entries.Count - 1500), 0)); i = (i + -1)) {
        entry = secLog.Entries(i);
        if (IsValidEntry(path, nowDate, entry)) {
            GetUser = entry.ReplacementStrings(11);
            break;
        }
    }
}

bool IsValidEntry(string path, DateTime nowDate, EventLogEntry entry) {
    return ((entry.EntryType == EventLogEntryType.SuccessAudit) 
        && ((entry.InstanceId == 560) || (entry.InstanceId == 564)) 
        && !entry.UserName.EndsWith("SYSTEM")
        && (Math.Abs(nowDate.Subtract(entry.TimeGenerated).TotalSeconds <= 20) 
        && (entry.ReplacementStrings.GetUpperBound(0) >= 11) 
        && (entry.ReplacementStrings(2).Length >= 4) 
        && path.EndsWith(entry.ReplacementStrings(2).Substring(4)));
}

Upvotes: 4

Ren&#233;
Ren&#233;

Reputation: 10090

It doesn't seem like there's any functionality built into .NET that can help you with that, but with the help of the function NetFileGetInfo in Netapi32.dll, it should be possible.

Take a look at this thread where the user dave4dl has posted a code sample that shows how to do it.

Upvotes: 1

Scott Dorman
Scott Dorman

Reputation: 42516

This isn't currently possible with the current implementations of the FileSystemWatcher as it does not receive this type of information when a file is deleted, or anything about a file changes.

Upvotes: 4

Related Questions