Network shares Access Event Logs
| Fields | Value |
|---|---|
| Event Name | Network Share Access Events |
| Location | Security |
| OS | Windows Server 2008-2022, Windows 7-11 |
| Category | Object Access • File Share |
| Type | Share Access and Modifications |
| Default settings | Not Configured |
| Event ID | 5140, 5142, 5143, 5144, 5145 |
Overview
Network share access events are Security log entries that track all file share activities across a network. These events, logged in the Security Event Log with Event IDs 5140-5145, capture essential information about share access, creation, modification, and deletion. Each log entry records details such as user accounts, share paths, access types, source IPs, and timestamps. With this logging enabled, administrators can monitor unauthorized access, track changes, maintain audit trails, and support security compliance, and can troubleshoot share-related issues more effectively.
Enable Network shares Event Log Auditing
To enable Network Share Event Log auditing in Active Directory environments, follow these steps:
- Open Group Policy Management Console (GPMC) and create/edit a GPO
- Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies > Object Access
- Enable “Audit File Share” and configure for both Success and Failure events
Confirm Network shares Events
To verify Network Share Events by executing commands from another machine, follow these steps:
- Map a network drive using command prompt:
  dir \\{hostname or IP}\c$
After mapping a network drive, check Event Viewer > Windows Logs > Security for Event ID 5140, which confirms successful share access. The log entry should display details like the accessing user, share path, and access type.
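The same confirmation can be scripted on the machine hosting the share. The following is an added example, not part of the original page: it shows the effective "File Share" audit setting and lists recent share events with the user, source IP, share path and access mask. It assumes an elevated PowerShell session, an English-locale subcategory name, and a 15-minute look-back window chosen for illustration.

```powershell
# Added example: run in an elevated PowerShell session on the share host.

# 1. Show the effective setting for the "File Share" audit subcategory.
#    After the GPO applies it should read "Success and Failure".
#    (The subcategory name is localized; "File Share" assumes English.)
auditpol /get /subcategory:"File Share"

# 2. Pull recent share events from the Security log.
$ids   = 5140, 5142, 5143, 5144, 5145
$since = (Get-Date).AddMinutes(-15)   # assumed look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = $ids
    StartTime = $since
} -ErrorAction SilentlyContinue

# 3. Flatten the named EventData fields of each record into one row.
#    A field is left empty when the event does not carry it.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        User      = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        SourceIP  = $data['IpAddress']
        Share     = $data['ShareName']
        LocalPath = $data['ShareLocalPath']
        Target    = $data['RelativeTargetName']   # file-level detail on 5145
        Access    = $data['AccessMask']
    }
}

if (-not $rows) {
    Write-Warning 'No share events found: confirm the GPO has applied and repeat the test access.'
} else {
    $rows | Sort-Object Time | Format-Table -AutoSize
}
```

If the warning appears even though the policy shows "Success and Failure", widen the look-back window or repeat the share access from the other machine before re-running.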