To find who opened or modified a file last, you have to enable auditing on that file. To enable auditing, you have to enable auditing at the system level and then enable auditing on the particular object (in this case a file) in which you are interested.

Using a graphical user interface

1. Do the following to enable auditing at the system level:

2.From Administrative Tools, open the Local Security Policy snap-in (secpol.msc).

3. In the left pane, expand Local Policies and click on Audit Policy.

4. In the right pane, double-click Audit object access.

5.Check the boxes beside Success or Failure (as needed).

6. Click OK.

Now you need to enable auditing on the target file(s) or folder(s):

1. Open Windows Explorer.

2. In the left pane, browse to the parent folder of the file or folder on which you want to enable auditing. Click on the parent folder. This displays the list of subfolders and files in the right pane.

3. In the right pane, right-click on the target file or folder and select Properties.

4. Select the Security tab.

5. Click the Advanced button.

6. Select the Auditing tab.

7. Click the Add button.

8. Enter the user or group you want to audit access for (use the Everyone principal to audit all access) and click OK.

9. In the Auditing Entry dialog box, select the types of access you want to audit. You have to select Success events separately from Failure events. Click OK when you are done.

10. Click Apply.

Microsoft doesn't provide a tool to configure the audit settings of files. However, you can do this with the setacl.exe tool. It is available for download from SourceForge at

Here is an example of setting an audit entry on the file d:\myimportantfile.txt for all failed access attempts by the Everyone principal:

> setacl -on "d:\myimportantfile.txt" -ot file -actn ace -ace


Note: Be careful when enabling auditing on a frequently accessed set of files or folders. The number of audit messages in the Security event log can grow quickly with just a few accesses of the file. Monitor the Security event log closely after initially enabling auditing just to make sure you don't flood it.