Sunday 12 April 2009

Auditing access to a file on Vista

This post has been moved to http://www.scottleckie.com/2009/04/auditing-access-to-a-file-on-vista/

Every so often, when I open Outlook, it tells me that my PST file was not closed properly and it’s being checked for errors. It seems from a spot of googling that this isn’t an Outlook problem as such, more that another app opened my PST and did not close it properly.
Task Manager or Anvir Task Manager (excellent app) shows that, whoever the culprit is, it’s not running the next time I start Outlook. My suspicions are firmly on Skype, especially as there are a ton of postings on it keeping the PST open, but I’ve checked the obvious settings and they don’t seem to be the culprit.
Right, I thought, let’s turn on file auditing and I can see which process accesses the PST file… Wow! What a faff this is, in Vista. Prior to Vista, auditing was really easy but now things have got way more “powerful” (according to Microsoft) or “difficult” (according to me). What is particularly galling is that you can even go and enable access audits on a specific file, and Vista won’t give you a hint that File System auditing isn’t even enabled! So, after a bit of digging around, this is how you audit access to a file;

Turn on File System auditing

You need to use a horrid app called AuditPol.Exe – the semantics of this are a bit too esoteric for me, but here’s what you need to enable file system auditing;
D:\Windows\system32> auditpol /set /subcategory:"file system" /success:enable /failure:enable


Note that the whole “auditpol” command is on one line.




Enable Auditing for a file



Now, right click the file you want to be audited and go to Properties. Go to the “Security” tab, and then click on “Advanced”. Now that you are in the Advanced dialogue go to the second tab, which should be called “Auditing”. You may have a button marked “Continue” if you are still using UAC – if so, click this and accept the next dialogue;




Finally, you get the auditing dialogue. Click on “Add” and enable the auditing that you’re looking for. If you just want to know what / who opens the file, you just need “List folder / read data” auditing.




Very important; the “Name” entry defaults to your user ID, which means that it will only audit access by you. If you want to record access by anyone (and remember services may be running under the SYSTEM or other account) then you need to click the “Change” button and set it to audit access by “Everyone”.






Checking the event log for audit records



Last stage; you can check the Windows Event Log (via the “Administrative Tools” group or by running EventVwr.exe) to see audit results. Check the Windows Logs / Security log for event ID 4663, or the Task Category of “File System”;
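The same two steps (audit entry for “Everyone”, then reading the 4663 records) can be done from an elevated PowerShell prompt; this is an added example, not from the original post. It assumes PowerShell 2.0 or later (for Get-WinEvent), that the auditpol command above has already been run, and the PST path is a constructed placeholder.

```powershell
# Added example: set the file's audit entry and pull matching 4663 events.
# Assumes an elevated prompt (reading/writing the SACL needs it) and that
# "auditpol /set /subcategory:"file system" /success:enable /failure:enable"
# has already been run. The path below is a constructed placeholder.
$target = 'D:\Mail\Outlook.pst'

# 1. Add an audit entry for Everyone (not just the current user) covering
#    ReadData, which is "List folder / read data" in the GUI, on success and failure.
$acl  = Get-Acl -Path $target -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList 'Everyone', 'ReadData', 'Success,Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $target -AclObject $acl

# 2. Read Security log event 4663 and report which process touched the file.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction SilentlyContinue
foreach ($e in $events) {
    # Each 4663 record carries named <Data> fields; collect them into a hashtable.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['ObjectName'] -ieq $target) {
        New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            User        = $data['SubjectUserName']
            ProcessName = $data['ProcessName']   # the app that opened the file
            AccessMask  = $data['AccessMask']
        }
    }
}
```

The ProcessName column is the answer the post is after: the executable that held the PST open.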






Remember to disable auditing when you’ve fixed your problem



Best advice suggests that, once you’ve got to the bottom of your file access problems, you should disable auditing. To do this, follow these steps in reverse order; remove the audit options from the file, then disable auditing with AuditPol.exe;


D:\Windows\system32> auditpol /set /subcategory:"file system" /success:disable /failure:disable
