KBI 311730 Issue Addressed: File Audit Report Does Not Show Entry For Opening File In Notepad Or Other File Editor


Argent Advanced Technology 5.1A-1810-B and below


Thursday, 31 January 2019


Opening a file in the directory for viewing only does not generate any audit report entries

It does generate a report entry if user opens and edits the file, but not if user opens the file and reads it without making edits

The issue has been addressed in Argent Advanced Technology 5.1A-1901-A

Note: Read events are generated only when file is read accessed by programs other than ‘explorer.exe’

Technical Background

File audit reports rely on the file audit events in Windows security log

Windows OS generates audit events based on the Windows Win32 API calls

A lot of read events could be generated even when user simply opens the container folder in File Explorer (explorer.exe)

Argent AT does not record these read events to avoid generating noisy events that user might not be interested at

Argent Advanced Technology 5.1A-1901-A has been enhanced to detect the file read events when user opens file in file editor such as notepad.exe


Upgrade to Argent Advanced Technology 5.1A-1901-A or above