ajkelsey (Copper Contributor), Jun 09, 2025
Configuring an audit for file share access
My goal is to have access to certain file shares by certain groups or users be logged. I have created a group policy that enables "Audit File System" in Advanced Audit Configuration. I then configure a SACL for the desired file share targeting my username as the principal (for testing purposes).
It works. I can see in the Security log whenever I access the file share. The issue I am having is that I am also recording events by the System user and I'm not sure why that is happening or how to prevent it. The events are for other files not related to the SACL I configured.
My understanding is that only users/groups in the relevant SACL will be recorded in the logs.
Reply from Surya_Narayana (Iron Contributor):
You're on the right track, and you're absolutely correct in expecting that only access attempts by users explicitly specified in the SACL (System Access Control List) should be logged.
However, seeing "System" user events in your Security logs is actually quite common — and here's why it's happening and what you can do about it.
Why “System” Access Events Appear
Even if your SACL only targets your username, you're seeing SYSTEM (and sometimes LOCAL SERVICE or NETWORK SERVICE) access events because:
- The SYSTEM account often accesses files on behalf of users or services (e.g., indexing, antivirus, backup).
- Windows itself performs internal operations (like file metadata reads or logging updates) when a user accesses a file.
- Certain applications run as SYSTEM, and their accesses are captured because of how auditing works below the user level in some cases.
This can occur especially when:
- The file share is being indexed.
- Antivirus scans are running.
- Backup software is touching the files.
- Windows Explorer or SMB is pre-fetching information.
What You Can Do to Refine the Audit Scope
1. Double-check your SACL configuration
Ensure that the SACL is scoped only to:
- The specific principal (your test user).
- The specific types of access (e.g., Read, Write).
- Auditing set only for Success/Failure as needed.
Right-click the folder → Properties → Security → Advanced → Auditing tab
Remove all entries except the one targeting your user (for test purposes).
2. Use File Auditing Filters in Event Viewer
Since you can't prevent SYSTEM from accessing files, you can filter out unwanted events for analysis:
- Open Event Viewer
- Go to Security Log
- Use Filter Current Log...
- Add a filter like:
  - Keywords: Audit Success
  - User: yourusername
This lets you ignore SYSTEM and other service-level accounts.
3. Disable Inherited Auditing
If auditing entries are inherited from parent folders (especially the root of a volume), you may be getting noise from that.
Uncheck “Include inheritable auditing entries” on the SACL dialog and explicitly define only the audit rules you want.
4. Exclude Specific Accounts in Audit Policy (Advanced)
Unfortunately, there's no native way to exclude specific users like SYSTEM in file-level SACLs — but you can design your logging and alerting mechanisms (e.g., via SIEM, PowerShell, or custom scripts) to ignore SYSTEM events when processing logs.
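The following PowerShell script is an added example and not part of the thread above. It covers steps 1, 3 and 4 of the reply in one place: it lists the audit rules (SACL) on a folder together with their inheritance state, then pulls Security log event 4663 ("An attempt was made to access an object"), keeps only events for objects under that folder, and drops events whose subject is SYSTEM, LOCAL SERVICE or NETWORK SERVICE. The folder path is a placeholder; the script assumes "Audit File System" is enabled and that it is run elevated on the file server. The service accounts are matched by their well-known SIDs rather than by display name, since the name shown for SYSTEM varies between events while the SID S-1-5-18 does not.

```powershell
# Added example (not from the original thread): inspect a folder's SACL and
# review 4663 object-access events, excluding built-in service identities.
# Assumptions: $Folder is a placeholder path, "Audit File System" is enabled,
# and the script runs elevated on the server that hosts the share.

$Folder = 'D:\Shares\Finance'   # placeholder, replace with the audited folder

# --- Step 1 / 3: show the effective audit rules and whether each is inherited.
# Inherited entries from a parent folder or the volume root are a common
# source of unexpected events, so IsInherited is the column to look at first.
$acl = Get-Acl -Path $Folder -Audit
$acl.Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize

# --- Step 4: well-known SIDs for SYSTEM, LOCAL SERVICE and NETWORK SERVICE.
$ServiceSids = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')

# Flatten a 4663 event into an object using the EventData field names the
# event carries (SubjectUserSid, SubjectUserName, ObjectName, AccessMask).
function ConvertFrom-ObjectAccessEvent {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        SubjectSid = $data['SubjectUserSid']
        Subject    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Object     = $data['ObjectName']
        AccessMask = $data['AccessMask']
    }
}

# Fetch recent 4663 events, keep only objects under the audited folder, and
# discard events whose subject is one of the service SIDs above.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                       -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertFrom-ObjectAccessEvent $_ } |
    Where-Object {
        $_.Object -like "$Folder*" -and
        $ServiceSids -notcontains $_.SubjectSid
    }

$events |
    Sort-Object Time -Descending |
    Format-Table Time, Subject, Object, AccessMask -AutoSize
```

If the first table shows entries with IsInherited set to True that you did not add yourself, that is the inheritance the reply's step 3 refers to; the second table is the same view you would get from the Event Viewer filter in step 2, but with the exclusion applied by SID so it can be reused in a scheduled task or fed to a SIEM.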