Apparently File Sight can't make the distinction between listing files in a folder without opening them (registers it as a "read") or actually opening files (which is also registered as a "read"). This is how Windows stores the events in the event log when auditing is enabled. I need to be 100% certain that a file has been opened by the user. How do I accomplish this with File Sight?

asked 16 Apr '15, 07:47 smyttie
Hi Smyttie,

You could make a few adjustments to your monitor. The first would be to ignore the process that is listing your files. Listing files is usually done by using Windows File Explorer. You can ignore that process by marking the explorer process in the Ignore tab called Processes. The second option is to raise the "Minimum # of bytes read or written in order to get a reported" from 25 to another number that you feel will better fit your needs.

File Sight - File Access Monitor

Thanks

Please make sure to mark your questions accepted when you have your answer by clicking the gray check mark to the left of the answer.

answered 17 Apr '15, 11:13 Quinn ♦♦
Hi Quinn, thanks for your reply. I have a remark on both of your suggestions:
I run this on a file server with Windows 2012 Standard and folders/files are managed with DFS. I find it very weird that Microsoft or any other company (I have tested several tools) are not able to tell me with certainty, in a simple way, if a file was opened or not.

Best regards, Smyttie

answered 20 Apr '15, 01:58 smyttie
The problem is Windows Explorer will open and read a little bit of the file when it is 'listed' to help it decide which icon to show. That's every bit as much of a read file as if Word had read the file in. The difference though is Explorer will just read a small amount, maybe 100 bytes. So for most files that are typically at least a few KB, ignoring those small file reads effectively filters out Explorer's 'listing' of files.

answered 07 May '15, 23:47 Doug ♦♦
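The two filters discussed in this thread (ignore the listing process, require a minimum number of bytes read), as an added example that is not File Sight's code or part of any post. The record layout, the 1024-byte threshold, the 5-second grouping window and every process name other than explorer are assumptions, and the sample events are constructed. It also labels the case the byte threshold cannot settle: a file smaller than the threshold that was read in full.

```python
IGNORED_PROCESSES = {"explorer.exe"}  # process suggested for the ignore list in the thread
MIN_BYTES = 1024                      # assumed value; the thread only says to raise it from 25
WINDOW_SECONDS = 5                    # assumed window for grouping reads into one access

# Constructed sample records: (epoch seconds, user, process, path, bytes read, file size)
EVENTS = [
    (100, "alice", "explorer.exe", r"D:\share\plan.docx", 100, 48_000),
    (101, "alice", "explorer.exe", r"D:\share\notes.txt", 100, 300),
    (200, "alice", "WINWORD.EXE", r"D:\share\plan.docx", 4096, 48_000),
    (201, "alice", "WINWORD.EXE", r"D:\share\plan.docx", 43_904, 48_000),
    (300, "bob", "notepad.exe", r"D:\share\notes.txt", 300, 300),
    (400, "bob", "backup.exe", r"D:\share\plan.docx", 100, 48_000),
]

def classify(events, ignored=IGNORED_PROCESSES, min_bytes=MIN_BYTES,
             window=WINDOW_SECONDS):
    """Group reads per (user, process, path) into bursts and label each burst."""
    bursts = []      # each burst: [key, first_ts, last_ts, total_bytes, file_size]
    current = {}     # key -> index of that key's most recent burst
    for ts, user, proc, path, nbytes, size in sorted(events):
        key = (user, proc.lower(), path)
        i = current.get(key)
        if i is not None and ts - bursts[i][2] <= window:
            bursts[i][2] = ts          # extend the running burst
            bursts[i][3] += nbytes
        else:
            current[key] = len(bursts)
            bursts.append([key, ts, ts, nbytes, size])
    results = []
    for (user, proc, path), first, _last, total, size in bursts:
        if proc in ignored:
            label = "ignored-process"
        elif total >= min_bytes:
            label = "opened"
        elif size < min_bytes and total >= size:
            label = "opened-small-file"  # whole file read, yet under the threshold
        else:
            label = "probe"              # small partial read, e.g. icon detection
        results.append((first, user, proc, path, total, label))
    return results

if __name__ == "__main__":
    for row in classify(EVENTS):
        print(row)
```
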