I want to figure out how to audit file access on Windows using network share access.
I have 2 computers that run Window 8 and that are not in joined in an active directory domain. Computer 1 has shared a folder with Everyone. Computer 2 copies files from Computer 1 from the shared folder.
Problem: I would have expected to see IO read events on computer 1 (using procmon) but that doesn't happen. I know I can get IO metadata by turning file access monitoring, however, that seem inefficient and difficult to aggregate with data that I receive from a minifilter file system driver (think of procmon file reads)
Questions:
- What protocols are used on Computer 1 and 2 to access files via network shares?
- Why doesn't procmon see IO events on Computer 1, when Computer 2 access its shared folder?
Best Answer
The Windows file sharing protocol is called SMB, once upon a time short for "Server Message Block". It may run over a "NetBIOS Session" layer (TCP port 139), but more commonly used over raw TCP (port 445).
(Version 1 was also often called "CIFS", although to my knowledge the standards-defined CIFS is not 100% identical to Windows SMBv1.)
On Windows, the SMB server runs as the
LanmanServerservice, inside one of the svchost.exe processes. (I'm not entirely sure, but I think part of it might be a kernel driver as well, which wouldn't show up in ProcMon due to not making any system calls at the level ProcMon is watching them.)