Does the event log show when a Windows hosts file has been changed?

1

It seems like someone has been tampering with a hosts file on a client server (they have multiple sites hosted on their server which are managed by different users)

Today one of our services stopped working as the host file had been changed, we have now fixed the host file, but what I would like to know is, is there any way we can see when the file was last changed? As this would allow us to pin point which users were logged in at that time and hopefully work out who made the change!

Thanks all :)

Chris Houston

Posted 2010-09-30T18:10:18.990

Reputation: 11

NTFS file properties don't show the last modified date? – Shinrai – 2010-09-30T18:13:43.913

Answers

2

You can get modifications in the Security log if you enable auditing in the security property sheet of hosts (hidden under the Advanced button).

It won't work retroactively, however. So it's not an answer to your question.

user1686

Posted 2010-09-30T18:10:18.990

Reputation: 283 655

1

It's not in the event log. But as mentioned in the comment, you can see the last modified time in Windows Explorer or the file properties.

Joel Coehoorn

Posted 2010-09-30T18:10:18.990

Reputation: 26 787

1... but since you already fixed the file the last modified date is now incorrect for your investigation. – Chris Nava – 2010-09-30T18:48:40.240

They might still be able to see the change in a backup tape. – Joel Coehoorn – 2010-09-30T19:57:05.237

But Chris is right. I didn't even think about it :/ – Shinrai – 2010-09-30T21:06:48.370

Asked: 2010-09-30T18:10:18.990

Viewed: 2 002 times

Active: 2010-09-30T21:11:25.400