Auditing File Share access

Say you’ve been tasked with cleaning up an old and poorly-maintained file server and need to figure out which network shares see lots of use and which ones little to none. While Windows provides totally adequate facilities for creating logs, actually parsing said logs without paying for an expensive 3rd-party solution can be frustrating.

Here’s a quick Powershell snippet that should give you the information you most likely want:

$FilterHashTable = @{
    LogName   = 'Security'
    ID        = 5140
    StartTime = (Get-Date).AddHours(-24)

Get-WinEvent -FilterHashtable $FilterHashTable |
    Select-Object -Property @{Name='Time';Expression={$_.TimeCreated}}, `
                            @{Name='Share';Expression={$_.Properties[7].Value}}, `
                            @{Name='SourceIP';Expression={$_.Properties[5].Value}}, `
                            @{Name='User';Expression={$_.Properties[1].Value}} |
Format-Table -AutoSize

If nothing shows up in the results:
* Do you have the permissions required to read the Security log of the server being audited?
* Does the Security log contain 5140 events? (You still need to actually enable auditing for them to show up)