Home » System Center Operations Manager 2007 » Auditing files in Windows with ACS


Welcome to contoso.se! My name is Anders Bengtsson and this is my blog about Azure infrastructure and system management. I am a senior engineer in the FastTrack for Azure team, part of Azure Engineering, at Microsoft.  Contoso.se has two main purposes, first as a platform to share information with the community and the second as a notebook for myself.

Everything you read here is my own personal opinion and any code is provided "AS-IS" with no warranties.

Anders Bengtsson

MVP awarded 2007,2008,2009,2010

My Books
Service Manager Unleashed
Service Manager Unleashed
Orchestrator Unleashed
Orchestrator 2012 Unleashed
Inside the Microsoft Operations Management Suite

Auditing files in Windows with ACS

I have been doing some tests for file auditing with Audit Collection Services (ACS). Unfortunately Windows file auditing doesn´t really generate informative logs. It is most often the same event ID and the event description is very technical. I did some file operations and reviewed all events in the security event log. I think I have found a way to almost sort all the different file operations in different ACS reports. The first thing you need to do is enable auditing in both a policy and on the folder. I have used the built-in Microsoft Report Builder to create my new ACS reports. You can read more about creating ACS reports here. I have built four reports. You could merge them into one and you can add/remove any parameter you want. It could be nice with relative dates and an input field for user name and object name. One of the first thing I did was match ACS report parameters with parameters in security events, below is the result from that exercise

  • String01 – Object Type
  • String02 – Object Name
  • String03 – Process ID
  • String04 – Process Name
  • String05 – Accesses
  • String06 – Object Server
  • String07 – Handle ID
  • String08 – Transaction ID
  • String09 – Access Mask
  • String10 – Privileges Used for Access Check
  • String11 – Restricted SID Count

For the four reports I use the following filter

  • Contoso – File – Created Files
    • Event ID equals 4656
      • String 09 equals 0x6019f
      • or
      • String 09 equals 0x16019f
  • Contoso – File – Delete
    • Event ID equals 4663
    • String 05 contains DELETE
  • Contoso – File – Modified Files
    • Event ID 4656
      • String 09 equals 0x2019f
      • or
      • String 09 equals 0x12019f
  • Contoso – File – Open/Read Files
    • Event ID equals 4656
      • String 09 equals 0x120089
      • or
      • String 09 equals 0x20089

Summary: You read the step by step guide about ACS reports in my ACS report post and you apply the filter is this post.


  1. It seems that Server 2012 now sees String09 as String10, so the file deletion/creation/modification query will need to be modified as needed. Worked well for me after changing this, using this great post as a guide.

  2. Hi there,

    i have tried to execute the below query and its not working. Looks like it not accepting the string09 hex decimal value. can you provide the proper query to execute against the event id with string09


    AdtServer.dvall.EventId=4656 and
    Adtserver.dvall.String09= 0x120089

  3. Hi, not really a ACS issue 🙂 ACS collect, transport and store all the security events, as it is told to do. But Windows dont always generate that great security events, of they have to much information. Special around audit file servers it is a challenge to get it 110% correct.

  4. Valuable job, but ACS is really weak regarding File Service Audit
    Thank you 🙂

  5. Hi, there is no supported way out of the box to get more that into the ACS forwarder than security logs. But there are partners that have built solutions to get more that into the ACS forwarder and then into the ACS database.

  6. Wondering if there has been an answer to Luciano’s question? Also is there any articles/references relating to the ACS Database itself, to also include the possibility of collecting information to more than one ACD Database?

  7. i´m afraid auditing file deletion is almost imposible. By windows, to rename a file is the same thing as deleting. Other problem is, some applications delete and rename files when working, so there will be a lot of false cases…this report is really hard to obtain.
    Another point…considering the previous comments, there is another extra problem, ACS grow to a very big database…when the ACS DB is new and the data is few…the reports can be obtained…when the data is large the reports never works.
    If there is something you can add please let me know…i´m really in trouble because this theme.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.