Automating checking last file write recursively on Windows using PowerShell

Asphyxia

Owner
Administrator
Apr 25, 2015
1,844
2
2,197
327
Code:
$sec1 = Get-ChildItem -Path C:\sec -Recurse -ErrorAction SilentlyContinue -Force | Sort-Object LastWriteTime -Descending | Select-Object LastWriteTime -First 1 | ft -HideTableHeaders | Out-String
Just replace "C:\sec" with your directory.

We need to remove the blank linkes:
Code:
$sec1 = $sec1 -replace "`t|`n|`r",""

Let's make an auditing folder on Windows,
mkdir C:\auditing


Now that we have this, we could log this to a file and make comparisons to then trigger events on a mismatch which indicates a file change recursively.
Code:
$sec1 = Get-ChildItem -Path C:\sec -Recurse -ErrorAction SilentlyContinue -Force | Sort-Object LastWriteTime -Descending | Select-Object LastWriteTime -First 1 | ft -HideTableHeaders | Out-String
$sec1 = $sec1 -replace "`t|`n|`r",""
#Read our audit of last known timestamp
$secKnown = Get-Content C:\auditing\sec1.txt
#Write new last known timestamp
$sec1 | Out-File -FilePath C:\auditing\sec1.txt

#Check if known timestamp matches new one
if($sec1 -match $secKnown){echo "All normal"}else{echo "A change has been made to your directory recursively, investigate."}

This works and could be scheduled to run for example every 10 minutes or however often, you would ideally generate an email when something is not right.

This is botting Windows to make cool shit happen - have fun.

If anyone wants to improve upon this please do, for example you could keep the exact file location intact to report in the email that would be sent to the host owner.
 
Top