How to use C# to determine which account modified a file in shared folder

I am 开发者_开发百科trying to determine which user account is used to modify files in a shared folder using C#.

It is ok if the program runs on the computer that has the shared folder.

---

There are two options I can think of to determine what account modified a file:

1. Auditing: If you enable auditing (via local security policy), you can set the shared folder to audit successful write accesses. This will tell you what users opened the files for write access, not those who actually performed writes. Then from any computer you can monitor the security log on the computer with the shared folder and see what users had write access to those files.

2. Process monitoring: You can run ProcMon on the computer with the shared folders and have it write its log to a file. Then you can periodically check the log for actual writes to your files. Note that this will tell you what process did the write and what user that process was running under, but not necessarily what user the process was impersonating at the time.

3. Combination: In order to know what user performed actual writes, you may have to combine the audit logs and process monitoring logs to see what user the writing thread was impersonating at the time of the write.

---

You should create a Windows Service that contains a FileSystemWatcher. From here you may be able to determine which user modified the file that raised the OnChanged event

watcher.Changed += new FileSystemEventHandler(OnChanged);

private static void OnChanged(object source, FileSystemEventArgs e)
{
    // Specify what is done when a file is changed, created, or deleted.
    Console.WriteLine("File: " +  e.FullPath + " " + e.ChangeType);
}

---

FileSystemWatcher

Listens to the file system change notifications and raises events when a directory, or file in a directory, changes.