Directory permission change artifacts?

3 Posts
3 Users
0 Reactions
731 Views
(@nerdrage)
Eminent Member
Joined: 14 years ago
Posts: 21
Topic starter   [#13327]

I am trying to determine which user on a box removed permissions on a folder, causing a service to crash. So far I've tried looking through the event logs to determine who removed the permissions on the folder (event IDs 4670, 562, 560, 567) with no luck. I am guessing the audit logging for this was not set. Are there any OS-level artifacts that might help? I am drawing a blank on what other artifacts may help.

Thanks in advance!

keydet89
(@keydet89)
Famed Member
Joined: 22 years ago
Posts: 3568
 

I am trying to determine which user on a box removed permissions on a folder, causing a service to crash. So far I've tried looking through the event logs to determine who removed the permissions on the folder (event IDs 4670, 562, 560, 567) with no luck. I am guessing the audit logging for this was not set. Are there any OS-level artifacts that might help? I am drawing a blank on what other artifacts may help.

A couple of things to consider: one, how might a user have performed this action? Would they have used cacls.exe, or would they have done so via the GUI? Each will have its own set of artifacts.

For example, if done via cacls.exe, I'd perhaps (we don't know, as you haven't specified the version of Windows) look for a Prefetch file.

If performed via the GUI, I'd check ComDlg32 and shellbag entries for the user.

If you know *when* this occurred, a correctly constructed timeline might be of considerable value.

joakims
(@joakims)
Estimable Member
Joined: 16 years ago
Posts: 224
 

This kind of operation will for sure be present in the $LogFile. The question is whether the filesystem is NTFS and whether the file has been recycled in the meantime (likely for the system volume on a server). $UsnJrnl, if present, could also tell you a few things. But if the filesystem is non-NTFS, disregard this post.

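Following joakims' pointer to $UsnJrnl, here is an added example (my own code, not from anyone in this thread) in Python that walks USN_RECORD_V2 entries from a $UsnJrnl:$J extract and pulls out the records flagged USN_REASON_SECURITY_CHANGE, which is the trace an ACL edit on a directory leaves in the journal. The journal bytes, the directory name "ServiceData", the MFT entry numbers and the function names are all constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone
# Subset of USN reason flags from winioctl.h (values assumed correct).
USN_REASONS = {0x1: "DATA_OVERWRITE", 0x100: "FILE_CREATE", 0x200: "FILE_DELETE",
               0x800: "SECURITY_CHANGE", 0x1000: "RENAME_OLD_NAME",
               0x2000: "RENAME_NEW_NAME", 0x8000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE"}
USN_REASON_SECURITY_CHANGE = 0x800          # ACL / owner / security descriptor changed
HEADER = struct.Struct("<IHHQQqqIIIIHH")   # fixed part of USN_RECORD_V2, 60 bytes

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_usn_v2(buf):
    """Yield one dict per USN_RECORD_V2 in buf, stepping over zero-filled gaps."""
    off = 0
    while off + HEADER.size <= len(buf):
        rec_len = struct.unpack_from("<I", buf, off)[0]
        if rec_len == 0:                     # sparse run in $J: advance 8 bytes
            off = (off + 8) & ~7
            continue
        (_, major, _, fref, pref, usn, ts, reason, _, _, _,
         name_len, name_off) = HEADER.unpack_from(buf, off)
        if major != 2 or rec_len < HEADER.size or off + rec_len > len(buf):
            break                            # truncated or unexpected record
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        yield {"usn": usn, "time": filetime_to_dt(ts), "name": name,
               "mft_entry": fref & 0xFFFFFFFFFFFF,      # low 48 bits = MFT entry
               "parent_entry": pref & 0xFFFFFFFFFFFF, "reason": reason,
               "reasons": [n for f, n in USN_REASONS.items() if reason & f]}
        off += rec_len

def security_changes(buf):
    """Records whose security descriptor (ACL/owner) changed, in journal order."""
    return [r for r in parse_usn_v2(buf) if r["reason"] & USN_REASON_SECURITY_CHANGE]

def make_record(usn, ft, reason, name, fref=(1 << 48) | 171, pref=(1 << 48) | 5):
    """Build a constructed USN_RECORD_V2 (test data, not a real journal extract)."""
    enc = name.encode("utf-16-le")
    length = (HEADER.size + len(enc) + 7) & ~7  # records are 8-byte aligned
    hdr = HEADER.pack(length, 2, 0, fref, pref, usn, ft, reason, 0, 0, 0x10, len(enc), HEADER.size)
    return hdr + enc + b"\0" * (length - HEADER.size - len(enc))

# Constructed $J fragment: leading zero gap, a file create, then an ACL change on a directory.
T0 = 132000000000000000                      # FILETIME for 2019-04-17 18:40:00 UTC
SAMPLE_J = (b"\0" * 16
            + make_record(16, T0, 0x100 | 0x80000000, "readme.txt")
            + make_record(96, T0 + 50_000_000, 0x800, "ServiceData")
            + make_record(184, T0 + 60_000_000, 0x800 | 0x80000000, "ServiceData"))
```

The journal gives the object and the moment its security descriptor changed, not the account that did it, so the timestamp is best used to bound the timeline and then correlated with the Prefetch, ComDlg32 and shellbag artifacts keydet89 describes.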