PS Files Auditor Not Getting Windows Username Who made Change

Hello,

We are using IO.FileSystemWatcher watcher for test purposes on our QA machine running W2012R2.

• The PS script runs as schedule task every time a new user do a login in the machine.
• The PS script will capture on a log file and send emails on every change (create, rename, delete, change).

The Powershell script SystemFileMonitor works well, with exception that is not capturing the Username who made the change, instead is always capturing the Username that is running the Schedule Task.

Any ideas? I even tried capture a service owner, but still same issue.

Here is the Code:

$location = Get-location $machine = [Environment]::MachineName $userLogged = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name $userLogged1 = (Get-WmiObject Win32_Process -Filter "Name='explorer.exe'").getOwner() | Select User

$folder = “C:\apache-tomcat-8.0.33\webapps”
$filter = “*.ini”

$fsw = New-Object IO.FileSystemWatcher $folder, $filter -Property @{
IncludeSubdirectories = $false
NotifyFilter = [IO.NotifyFilters]‘FileName, LastWrite’
}

$onCreated = Register-ObjectEvent $fsw Created -SourceIdentifier FileCreated -Action{
$path = $Event.SourceEventArgs.FullPath
$name = $Event.SourceEventArgs.Name
$changeType = $Event.SourceEventArgs.ChangeType
$timeStamp = $Event.TimeGenerated
Write-Host “The file ‘$name’ was $changeType at $timeStamp” and $userLogged and Process Owner ‘$userLogged1’ -fore green
Out-File -FilePath $location\logs\INI-outlog-Created.txt -Append -InputObject “The file ‘$name’ was ‘$changeType’ at ‘$timeStamp’ on machine ‘$machine’ on Path:‘$path’ , by user ‘$userLogged’ Process Owner ‘$userLogged1’”

#SEND EMAIL#
$From = “test@test.com”
$To = “test1@test.com”
$Cc = “test2@test.com”
$Attachment = “$location\logs\INI-outlog-Created.txt”
$Subject = “File Created - CHANGE ALERT SERVERTRUNK”
$Body = “File Created @ SERVERTRUNK - The file ‘$name’ was ‘$changeType’ at ‘$timeStamp’ on machine ‘$machine’ on Path:‘$path’ , by user ‘$userLogged’ Process Owner ‘$userLogged1’”
$SMTPServer = “MailServer”

Send-MailMessage -From $From -to $To -Cc $Cc -Subject $Subject -Body $Body -SmtpServer $SMTPServer -Attachments $Attachment -Priority High -dno onSuccess, onFailure
}

Always we get the Log DUMP like below (Username that is running schedule task on the server):

The file 'renamed - Copy.ini' was 'Deleted' at '10/03/2016 10:11:36' on machine 'TESTQA' on Path:'C:\Monitor1\Source1\renamed - Copy.ini' , by user '@{User=SVC_TEST}'

THANK YOU for any ideas.
Paulo.

This:

$userLogged = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

Is always going to return the context of the user who ran the script - meaning, however the Scheduled Task is configured. There’s no way to change that - Windows can have processes running from dozens of users, and they’re all essentially walled off from each other. You could perhaps query something like Win32_UserSession (I think, maybe Win32_Session?) and look for Interactive session types. Those should represent physically logged-on users of the machine.

Thank you Don. I’ll check on this.