The MonitorEventLogs PowerShell module allows users to monitor Windows Event Logs for specified event IDs across multiple computers. It utilizes parallel processing with PowerShell jobs to efficiently collect and report event log data.
- Query event logs from local and remote computers.
- Filter logs by Event IDs, Log Name, and Start Time.
- Parallel processing for faster data collection.
- Error handling for unreachable servers.
- `-EventIds` (Mandatory)
  - Type: `int[]`
  - Description: List of Event IDs to search for in the event logs.
- `-ComputerNames` (Optional)
  - Type: `string[]`
  - Default: `$env:COMPUTERNAME`
  - Description: Target computer(s) to query. Defaults to the local machine.
- `-LogName` (Optional)
  - Type: `string`
  - Default: `Application`
  - Description: The name of the event log to search (e.g., Application, System).
- `-StartTime` (Optional)
  - Type: `datetime`
  - Default: Current time minus 5 minutes
  - Description: The starting point in time for querying logs.
```powershell
# Query Event ID 1000 in the Application log on the local machine from the past 30 minutes
Get-TargetEventLogs -EventIds 1000 -StartTime (Get-Date).AddMinutes(-30)

# Query Event IDs 4624 and 4625 from the Security log on multiple servers
Get-TargetEventLogs -EventIds 4624, 4625 -LogName Security -ComputerNames Server01, Server02
```
- The function tests connectivity to each specified computer before querying.
- If a server is unreachable, it logs the error without interrupting the entire process.
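A working sketch of the behaviour described above, added here as an example and not the module's own code: a function with the same four parameters that checks each host is reachable, fans the queries out to one PowerShell job per computer, and gathers the results. The name `Get-TargetEventLogsExample` is chosen for the example so it does not collide with the module's function.

```powershell
# Added example (not the MonitorEventLogs module's code). Same parameter
# shape as Get-TargetEventLogs; uses Test-Connection, Start-Job and
# Get-WinEvent -FilterHashtable, which are standard in PowerShell 5.1+.
function Get-TargetEventLogsExample {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [int[]]$EventIds,

        [string[]]$ComputerNames = $env:COMPUTERNAME,

        [string]$LogName = 'Application',

        [datetime]$StartTime = (Get-Date).AddMinutes(-5)
    )

    $jobs = foreach ($computer in $ComputerNames) {
        # Unreachable hosts are reported and skipped; the rest still run.
        if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
            Write-Warning "Cannot reach $computer; skipping it."
            continue
        }

        # One background job per host so a slow server does not hold up the others.
        Start-Job -Name "EventLogs-$computer" `
                  -ArgumentList $computer, $EventIds, $LogName, $StartTime `
                  -ScriptBlock {
            param($Computer, $Ids, $Log, $Since)
            $filter = @{ LogName = $Log; Id = $Ids; StartTime = $Since }
            try {
                Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction Stop |
                    Select-Object @{ n = 'ComputerName'; e = { $Computer } },
                                  TimeCreated, Id, LevelDisplayName, Message
            }
            catch {
                # Get-WinEvent raises an error when nothing matches; that is an
                # empty result, not a failure. Anything else is re-thrown so
                # Receive-Job surfaces it for that host only.
                if ($_.Exception.Message -notmatch 'No events were found') { throw }
            }
        }
    }

    if ($jobs) {
        $jobs | Wait-Job | Receive-Job
        $jobs | Remove-Job
    }
}

# Usage, mirroring the README examples:
# Get-TargetEventLogsExample -EventIds 4624, 4625 -LogName Security -ComputerNames Server01, Server02
```

Remote `Get-WinEvent` relies on the Remote Event Log Management firewall rule and the caller's rights on the target's Security log; a host that answers ping but rejects the RPC call shows up as an error from `Receive-Job` for that job only, which is the "log the error without interrupting" behaviour the notes describe.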
- Windows PowerShell 5.1 or later
- Appropriate permissions to access event logs on remote computers
- Copy `MonitorEventLogs.psm1` to a module directory (e.g., `C:\Program Files\WindowsPowerShell\Modules\MonitorEventLogs`).
- Import the module in your PowerShell session:

```powershell
Import-Module MonitorEventLogs
```
This guide explains how to enable file access monitoring in Windows to track when a specific file is accessed, moved, or deleted.
- Administrator privileges
- Windows Pro, Enterprise, or Server editions (Audit policies are not available in Home editions)
- Press `Win + R`, type `secpol.msc`, and press Enter to open Local Security Policy. (If unavailable, use `gpedit.msc` for Group Policy Editor or configure via command line.)
- Navigate to: Security Settings → Local Policies → Audit Policy
- Double-click Audit object access.
- Check Success and Failure to log both successful and failed access attempts.
- Click OK.
- Right-click the file or folder you want to monitor and select Properties.
- Go to the Security tab and click Advanced.
- In the Advanced Security Settings window, go to the Auditing tab.
- Click Add, then click Select a principal.
- Enter `Everyone` (or a specific user/group to monitor) and click OK.
- In the Basic permissions, check:
  - Read (to monitor opening the file)
  - Write (to monitor changes)
  - Delete (to track deletion)
  - Full control (for all access types)
- Click OK to apply.
Moving or deleting a file exercises the Write or Delete permission, so those audit entries capture it. To specifically monitor these:
- Repeat the steps above for the parent folder of the file.
- Enable auditing on the folder with the Delete subfolders and files and Delete permissions.
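The same configuration applied from an elevated PowerShell prompt, which is the command-line route the first step alludes to. This is an added example, not part of the original guide; the file path is a placeholder and `Everyone` is the principal the guide suggests. `auditpol`'s File System subcategory is the advanced-audit counterpart of the Audit object access category in `secpol.msc`, and a subcategory set this way takes precedence over the legacy category setting.

```powershell
# Added example: enable file-access auditing without the GUI.
# Run from an elevated prompt; writing a SACL needs SeSecurityPrivilege.
$target = 'C:\Sensitive\payroll.xlsx'   # placeholder path, change to the file you want to watch

# 1. Audit object access, success and failure (File System subcategory).
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 2. SACL on the file: audit Read, Write and Delete by Everyone.
$acl = Get-Acl -Path $target -Audit
$fileRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Read, Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($fileRule)
Set-Acl -Path $target -AclObject $acl

# 3. SACL on the parent folder: "Delete subfolders and files" and "Delete",
#    inherited by children, so moves and deletions of the file are recorded.
$parent    = Split-Path -Path $target -Parent
$folderAcl = Get-Acl -Path $parent -Audit
$folderRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$folderAcl.AddAuditRule($folderRule)
Set-Acl -Path $parent -AclObject $folderAcl

# 4. Confirm what was written.
auditpol.exe /get /subcategory:"File System"
(Get-Acl -Path $target -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

Using `Read, Write, Delete` rather than `FullControl` keeps the SACL to the access types the guide lists; `FullControl` also fires on permission and attribute changes, which adds noise for the log-volume reason the notes below mention.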
- Press `Win + R`, type `eventvwr.msc`, and press Enter.
- Navigate to: Windows Logs → Security
- Look for Event ID 4663 (File access attempt) and Event ID 4656 (Handle request for the file).
- Details will include the user, timestamp, and type of access.
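The same lookup done with `Get-WinEvent`, added here as an example rather than taken from the guide: it reads 4663 and 4656 events from the Security log, pulls the user, object and access fields out of each event's XML, and filters on the audited path. `Get-FileAccessAudit` and the `C:\Sensitive\*` pattern are names chosen for the example.

```powershell
# Added example: flatten 4663/4656 file-access audit events into a table.
function Get-FileAccessAudit {
    param(
        [string]$PathFilter = '*',                      # wildcard on ObjectName
        [datetime]$StartTime = (Get-Date).AddHours(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4663, 4656; StartTime = $StartTime }

    # SilentlyContinue: "no events found" is an empty result, not an error.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The EventData fields are easiest to read from the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['ObjectName'] -like $PathFilter) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventId     = $_.Id                          # 4656 handle request, 4663 access attempt
                User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Object      = $data['ObjectName']
                Process     = $data['ProcessName']
                AccessMask  = $data['AccessMask']            # 0x1 ReadData, 0x2 WriteData, 0x10000 DELETE
                Outcome     = $_.KeywordsDisplayNames -join ','   # Audit Success / Audit Failure
            }
        }
    }
}

# Usage: everything touching the audited folder in the last hour.
Get-FileAccessAudit -PathFilter 'C:\Sensitive\*' | Format-Table -AutoSize
```

A delete or move shows up as a 4663 whose `AccessMask` includes `0x10000` (DELETE) against the file or its parent folder, which is why the guide has you audit the folder as well; filtering on `ObjectName` keeps the output to the paths you configured rather than every audited object on the host.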
- Enabling auditing can generate many logs. Be selective with files/folders to monitor.
- For more advanced monitoring, consider using Sysinternals Process Monitor or third-party tools for real-time alerts.
By following this guide, you'll effectively monitor file access, moves, and deletions on Windows.
Guy McDowell
For any issues or contributions, please contact the author.