@TrimIdeas
TrimIdeas / Audit changed or deleted files in Windows Server 2008 R2 or newer.ps1
Last active Jun 14, 2019
Audit changed and deleted files on Server 2008 R2, 2012, and 2012 R2
# Version 1.2 :: This script reads offline event logs, oldest to newest, bottom to top.
# See http://www.trimideas.com/2015/04/auditing-changed-deleted-files.html for instructions.
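# Folder holding the archived .evtx logs and folder for the CSV reports (both end with a backslash).
$LogPath = "C:\Event_Logs\"
$ReportPath = "C:\Audit\File-Audit-Reports\"
# Timestamp used in file names: weekday-month-day-at-hour-minute-second plus AM/PM.
$Formatted_Date = (Get-Date -UFormat "%A-%B-%d-at-%I-%M-%S%p")
$ZipName = "Security-Events-for-" + (Get-Date -UFormat "%A-%B-%d") + ".zip"
$Report_in_CSV = $ReportPath + "Audit of changed files on " + $Formatted_Date + ".csv"
$Truncated_Log_Path = $LogPath + "Archive-Security_on_" + $Formatted_Date + ".evtx"
# Start of the current day. .Date also zeroes the milliseconds, which -Hour/-Minute/-Second leave untouched.
$Today_Midnight = (Get-Date).Date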