Ask : Add username in file auditing report

hi guys just started to learn using powershell, and i got a very good script from some source to make a report to watch for and report file changes using powershell,

here the script,

CLI params for starting and stoppping the watcher

param (
[switch]$start = $false,
[switch]$stop = $false

Function Register-Watcher {
# Folder to watch
param ($watchdir)

$watchdir = "C:\Users\$env:USERNAME\Documents" # Root path to monitor
$logfile = "c:\Users\$env:USERNAME\logfile.txt"

# Filter all files and subdirectories
$filter = "*.*"
$watcher = New-Object IO.FileSystemWatcher $watchdir, $filter -Property @{
    IncludeSubdirectories = $true
    EnableRaisingEvents = $true

# Create the log file if it doesn't exist
if (!(Test-Path "$logfile")) {
    New-Item -path "$logfile" -type file | Out-Null

# Define the FS watching behvior
$action = {
    $path = $Event.SourceEventArgs.FullPath
    $name = $Event.SourceEventArgs.Name
    $changeType = $Event.SourceEventArgs.ChangeType
    $timeStamp = $Event.TimeGenerated
    #$console_message = "The file '$name' was '$changeType' at '$timeStamp'"
    #Write-Host $console_message
    $log_message = "$name, $changeType, $timeStamp"
    Out-File "C:\Users\$env:USERNAME\logfile.txt" -Append -InputObject $log_message

# Register the FS watcher
Register-ObjectEvent $watcher Created -SourceIdentifier Created -Action $action
Register-ObjectEvent $watcher Changed -SourceIdentifier Changed -Action $action
Register-ObjectEvent $watcher Deleted -SourceIdentifier Deleted -Action $action
Register-ObjectEvent $watcher Renamed -SourceIdentifier Renamed -Action $action


Unregister the FS watcher

Function Unregister-Watcher() {
Unregister-Event Created
Unregister-Event Changed
Unregister-Event Deleted
Unregister-Event Renamed

Function Main() {

# Start the watcher
if ($start) {
    Write-Host "Starting FS watcher" -fore green
    Register-Watcher $watchdir
# Stop the watcher
elseif ($stop) {
    Write-Host "Stopping FS watcher" -fore red
# Otherwise error
else {
    Write-Host "Invalid arguments"
    Write-Host $args.Length


Script entrypoint


the thing is, the report is didn’t show the user who do the file change,
can all you help what command need to use so the report also show the username who did the change to the file please.

thank in advance

You’ll need to enable NTFS file system auditing to get user details. Once enabled you can get the information from the Windows Security event log and forward it to a central log collector to analyse. Much more reliable than running a file system watcher via PowerShell or C# because NTFS file system auditing is embedded into the NTFS file system driver of Windows.

hi daniel,
i’ve allready set the file auditing that your said, so event log show me if there a change in some directory,
but i want to make a report and save it into .txt file,

here the example when i run script above
report in txt

but in that file is there is no username who did the audit.
can you give an advice how to do that please?

You’ll need to extract the SubjectUserName and SubjectDomainName in the XML data of the event log entry.