3

Someone created a file (web.config) in a location that basically caused IIS to not work. Is there any way I can determine who created this file?

The creator/owner says "Domain Administrators".

This is a Windows 2008 R2 server.

makerofthings7

1 Answer

3

There's not a direct way to find out who exactly created the file on NTFS in hindsight. However, you might have a chance by checking the event logs to determine who was logged in as an admin at that time. If you're lucky, there was only one administrator present.

If you want to monitor such activities for certain directories from now on, there are various tools available. It can be done with Process Monitor, for example, and if it's not a local account that is creating those files, you can perform a lookup with netstat on the PID to get the IP of the user.

Falcon
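The event-log check suggested in the answer above, as an added example that is not part of the original answer: it takes the file's NTFS creation time and lists the administrative logon sessions that started in the hours before it, by joining Security events 4624 (logon) and 4672 (special privileges assigned). The file path and the 12-hour look-back window are assumptions; it also assumes logon auditing was enabled, the Security log still covers that period, and the script runs from an elevated prompt.

```powershell
# Assumed values: adjust the path and look-back window to your case.
$path     = 'C:\inetpub\wwwroot\web.config'   # hypothetical location of the offending file
$lookback = [TimeSpan]::FromHours(12)         # how far before creation a session may have started

$created = (Get-Item -LiteralPath $path).CreationTime

# Turn an event's <EventData> section into a name/value hashtable.
function Get-EventFields($evt) {
    $fields = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

$filter = @{ LogName = 'Security'; StartTime = $created - $lookback; EndTime = $created }

# 4672 = special (administrative) privileges assigned to a new logon.
# Collect the logon IDs of those sessions.
$adminLogonIds = @{}
Get-WinEvent -FilterHashtable ($filter + @{ Id = 4672 }) -ErrorAction SilentlyContinue |
    ForEach-Object { $adminLogonIds[(Get-EventFields $_).SubjectLogonId] = $true }

# 4624 = successful logon. Keep only the sessions that received admin privileges.
Get-WinEvent -FilterHashtable ($filter + @{ Id = 4624 }) -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($adminLogonIds.ContainsKey($f.TargetLogonId)) {
            New-Object PSObject -Property @{
                LogonTime = $_.TimeCreated
                User      = "$($f.TargetDomainName)\$($f.TargetUserName)"
                LogonType = $f.LogonType      # 2 = interactive, 3 = network, 10 = RDP
                SourceIP  = $f.IpAddress
                LogonId   = $f.TargetLogonId
            }
        }
    } |
    Sort-Object LogonTime |
    Select-Object LogonTime, User, LogonType, SourceIP, LogonId
```

The output will include SYSTEM and service-account sessions as well, since those also receive special privileges; the rows of interest are the domain admin accounts with logon type 2, 3 or 10.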