0

It seems like someone has been tampering with a hosts file on a client server (they have multiple sites hosted on their server which are managed by different users)

Today one of our services stopped working as the host file had been changed, we have now fixed the host file, but what I would like to know is, is there any way we can see when the file was last changed? As this would allow us to pin point which users were logged in at that time and hopefully work out who made the change!

Thanks all :)

Improve this question
1
  • NTFS file properties don't show the last modified date?
    – Shinrai
    Commented Sep 30, 2010 at 18:13

2 Answers 2

Reset to default
1

It's not in the event log. But as mentioned in the comment, you can see the last modified time in Windows Explorer or the file properties.

Improve this answer
3
  • 1
    ... but since you already fixed the file the last modified date is now incorrect for your investigation.
    – Chris Nava
    Commented Sep 30, 2010 at 18:48
  • They might still be able to see the change in a backup tape.
    – Joel Coehoorn
    Commented Sep 30, 2010 at 19:57
  • But Chris is right. I didn't even think about it :/
    – Shinrai
    Commented Sep 30, 2010 at 21:06
1

You can get modifications in the Security log if you enable auditing in the security property sheet of hosts (hidden under the Advanced button).

It won't work retroactively, however. So it's not an answer to your question.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .