How to identify who deleted a file from the computer, using FileSystemWatcher


Problem description

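// Create the watcher and subscribe to deletion events.
FileSystemWatcher fileWatcher = new FileSystemWatcher();
fileWatcher.Deleted += new FileSystemEventHandler(fileWatcher_FileDeleted);

// Called for every deletion the watcher sees; e carries only the path and change type.
private void fileWatcher_FileDeleted(object sender, FileSystemEventArgs e)
{
    writeLog(e);
}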







I use the above code to log how many files were deleted from the computer, but it gives all files deleted from the computer. But I want only those files which are currently deleted by users, not by other applications or the system.

Recommended answer

The problem is that filesystems (like NTFS) do not keep track of that information. So FileSystemWatcher alone cannot provide you with the information. However, there is a workaround.

The general approach could be:

- The FileDeleted event of your FileSystemWatcher is triggered
- Start a new Task, and after a short delay, access the Security Event Log
- Find the correct entry, and read the username from there

This requires auditing to be enabled on the folder. I don't have a working example of this, but there are plenty of resources on the internet about how to access the event log and find the entry (probably using an XPath query).
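
The workaround described in the answer above, as an added example that is not part of the original answer. It assumes Windows file-system auditing with a Delete audit entry (SACL) on the watched folder, uses Security event ID 4663 (object access) as the record to look up, and watches a hypothetical folder `C:\Audited`.

```csharp
// Added example. Assumptions: Windows, "Audit File System" success auditing enabled,
// a Delete audit entry on the folder, and rights to read the Security log (run elevated).
using System;
using System.Diagnostics.Eventing.Reader;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using System.Xml.Linq;

class DeleteAuditor
{
    const int DeleteAccess = 0x10000;   // DELETE bit in the AccessMask field of event 4663
    static readonly XNamespace Ns = "http://schemas.microsoft.com/win/2004/08/events/event";

    static void Main()
    {
        // Hypothetical folder; replace with the directory that has auditing enabled.
        using var watcher = new FileSystemWatcher(@"C:\Audited") { IncludeSubdirectories = true };
        watcher.Deleted += async (s, e) =>
        {
            await Task.Delay(TimeSpan.FromSeconds(2));   // give the audit record time to land
            try { Console.WriteLine($"{e.FullPath}: {FindDeleter(e.FullPath) ?? "no audit record found"}"); }
            catch (Exception ex) { Console.Error.WriteLine($"Security log lookup failed: {ex.Message}"); }
        };
        watcher.EnableRaisingEvents = true;
        Console.ReadLine();                              // keep watching until Enter is pressed
    }

    // Returns "DOMAIN\user via process" from the newest matching 4663 record, or null.
    static string FindDeleter(string path)
    {
        // Only constants go into the XPath. The file name is compared in code, so a
        // name containing quote characters cannot change the query.
        const string xpath = "*[System[(EventID=4663) and TimeCreated[timediff(@SystemTime) <= 30000]]]";
        var query = new EventLogQuery("Security", PathType.LogName, xpath) { ReverseDirection = true };
        using var reader = new EventLogReader(query);
        EventRecord rec;
        while ((rec = reader.ReadEvent()) != null)
            using (rec)
            {
                var data = XDocument.Parse(rec.ToXml()).Descendants(Ns + "Data")
                    .Where(d => d.Attribute("Name") != null)
                    .ToDictionary(d => (string)d.Attribute("Name"), d => d.Value);
                if (data.TryGetValue("ObjectName", out var name) && data.TryGetValue("AccessMask", out var mask)
                    && string.Equals(name, path, StringComparison.OrdinalIgnoreCase)
                    && (Convert.ToInt32(mask, 16) & DeleteAccess) != 0)
                    return data["SubjectDomainName"] + "\\" + data["SubjectUserName"] + " via " + data["ProcessName"];
            }
        return null;
    }
}
```

The 4663 record carries both the account and the process image path, so the log entry can separate a deletion made by an interactive user from one made by a service or another application running under a different account.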

