I'm trying to make a simple log of files transferred via SMB.

This works with Windows 8 or higher:

```csharp
using System.Management;

// SMB WMI namespace used by this query
var scope = new ManagementScope(@"\\.\root\Microsoft\Windows\SMB");

// Poll once per second for operations on MSFT_SmbOpenFile instances
var query = new WqlEventQuery(
@"SELECT * 
  FROM 
      __InstanceOperationEvent WITHIN 1 
  WHERE 
      TargetInstance ISA 'MSFT_SmbOpenFile'"
);

ManagementEventWatcher watcher = new ManagementEventWatcher(scope, query);
watcher.EventArrived += new EventArrivedEventHandler(HandleEvent);

watcher.Start();

// ....
```

But it does not work for Windows 7 or lower. (Run-time requirements)

Is there a similar solution that is compatible at least with Windows 7?

1st Edit

It looks possible because this Windows 7 module does this task:

Computer Management (I'm seeing this information on Windows 7)

mmc.exe

2nd Edit

To clarify the purpose: I am building a DLP (Data Loss Prevention) application. I need to monitor and log files accessed via a Windows share (user, filename) and eventually block this access at the moment the user requests the file.

Vinicius Gonçalves

  • You can look at the NET family of commands - `net files` - gives the [list of open files](https://technet.microsoft.com/en-us/library/bb490702.aspx). `net session` gives [the list of sessions](https://technet.microsoft.com/en-us/library/bb490711.aspx). – Subbu Aug 01 '17 at 13:12
  • Great Subbu, I'm taking a look at the documentation now, looking for something event based, so I can be notified instead of running the command consecutively. – Vinicius Gonçalves Aug 01 '17 at 13:26

1 Answer

Admittedly, this is a partial answer. It may be useful though, and it does not fit into a comment.

It seems you could try with Win32_ConnectionShare and Win32_ServerConnection. It is used here, for instance.

Still, I am not sure you can use it to capture the event. Combining all your requirements is challenging (that's why you set the bounty!)

Related info:

https://www.codeproject.com/Articles/17803/A-PC-Audit-Application-in-C

Detect File Read in C#

Is it possible to programatically log access to a windows share (SMB share) using the .Net framework?

https://msdn.microsoft.com/en-us/library/system.io.filesystemwatcher(v=vs.110).aspx

SACL on Services using C# || get a handle to a service that has the ACCESS_SYSTEM_SECURITY rights using C#

https://www.netfort.com/blog/auditing-file-access-on-file-servers/

https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/

https://superuser.com/questions/783950/how-to-display-currently-connected-users-workstations-to-a-windows-smb-share

https://stackoverflow.com/a/154758/2707864

https://msdn.microsoft.com/en-us/library/windows/desktop/aa365433(v=vs.85).aspx

https://msdn.microsoft.com/en-us/library/bb726966.aspx

  • Hi @sancho.s, thanks for the reply. I had seen this feature before I posted. This is the first related question in the list. Although it is something close to what I need, it is not event-driven and will not allow me to cancel the read request. Could you please post an example? – Vinicius Gonçalves Aug 07 '17 at 17:58
  • @ViniciusGonçalves - You are right. Please see updated answer. – sancho.s ReinstateMonicaCellio Aug 08 '17 at 13:06
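
An added example, not code from anyone in this thread: a polling logger that also runs on Windows 7, built on `NetFileEnum`, the Win32 call that returns the same open-file list as the `net files` command mentioned in the comments. The names `SmbOpenFileLog` and `Snapshot` are illustrative. It has to run on the file server under an account in Administrators or Server Operators, and it only logs opens; it cannot block a request.

```csharp
// Added example; SmbOpenFileLog and Snapshot are illustrative names, not from the thread.
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
static class SmbOpenFileLog
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct FILE_INFO_3   // level-3 record returned by NetFileEnum
    {
        public int fi3_id, fi3_permissions, fi3_num_locks;
        public string fi3_pathname, fi3_username;
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    static extern int NetFileEnum(string server, string basePath, string user, int level,
        out IntPtr buf, int prefMaxLen, out int read, out int total, IntPtr resume);
    [DllImport("netapi32.dll")]
    static extern int NetApiBufferFree(IntPtr buf);
    // Files currently open over SMB on the local server: file id -> "user<TAB>path".
    // prefMaxLen = -1 (MAX_PREFERRED_LENGTH) asks for every entry in one call.
    static Dictionary<int, string> Snapshot()
    {
        var open = new Dictionary<int, string>();
        IntPtr buf; int read, total;
        int rc = NetFileEnum(null, null, null, 3, out buf, -1, out read, out total, IntPtr.Zero);
        if (rc != 0) throw new System.ComponentModel.Win32Exception(rc); // 5 = access denied
        try
        {
            int size = Marshal.SizeOf(typeof(FILE_INFO_3));
            for (int i = 0; i < read; i++)
            {
                var fi = (FILE_INFO_3)Marshal.PtrToStructure(IntPtr.Add(buf, i * size), typeof(FILE_INFO_3));
                open[fi.fi3_id] = fi.fi3_username + "\t" + fi.fi3_pathname;
            }
        }
        finally { if (buf != IntPtr.Zero) NetApiBufferFree(buf); }
        return open;
    }
    static void Main()
    {
        var previous = new Dictionary<int, string>();
        while (true)
        {
            var current = Snapshot();
            foreach (var kv in current)
                if (!previous.ContainsKey(kv.Key))   // id absent from the last poll: a new open
                    Console.WriteLine("{0:o}\tOPEN\t{1}", DateTime.UtcNow, kv.Value);
            previous = current;
            System.Threading.Thread.Sleep(1000);     // same granularity as WITHIN 1 in the question
        }
    }
}
```

A file that is opened and closed between two polls never appears in a snapshot, so this log is a lower bound on access, not a complete audit trail.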