Hands on: Check a computer's event history

You can also get at the date accessed from a command prompt. In XP type dir/ta,which will show the last accessed dates – /tc and /tw show the creation and last modified dates. On older versions of Dos, the syntax is slightly different.

The /oa and /od switches will list files by accessed and modified dates respectively, but there’s a catch. Irrespective of the order chosen, the date you see in both cases is the modified date. To see both dates, use the /v (verbose) switch as well as the sort order switch.

Having said all that, viewing the last accessed date is largely a fruitless exercise. In Windows ME, for example, opening a folder doesn’t change the last accessed date. In Windows XP it does – but not always immediately.

To make matters worse, so many other things, such as Windows Desktop Search indexing and other services, also change the last accessed date that it’s impossible to tell whether a folder was opened by a user or accessed routinely by the operating system.

Bring in the auditors
There is, however, another way to get Brookmyre off the hook in XP, but it’s not for the fainthearted. You can set up Auditing to record access to a variety of objects, such as files, folders, printers and Registry keys.

First you need to be logged on as administrator status, and if you value your sanity, create a system restore point (see final section on next page). Next you need to have simple file-sharing disabled. XP Home users can give up now, as this isn’t an option, but XP Pro users can do this from Explorer’s Tools, Folder Options, View.

Now you need to set up auditing. Start, Run gpedit.msc to open the Group Policy editor. In the left-hand pane navigate down to Computer Configuration\Windows Settings\ Security Settings\Local Policies\Audit Policy.

You’ll then see, in the right-hand pane, a list of actions that can be audited – by default these will all be set to No Auditing. Double-click on Audit Object Access and check the Success box in the properties box. OK out of the latter.

The next stage is to set up the objects you want audited. So, keeping to the plot, navigate to a folder whose access you want logged. Right-click on it, choose Properties, turn to the Security tab then click the Advanced button. In the Advanced Security Settings dialogue, turn to the Auditing tab. Click the Add… button.

To keep things as simple as possible, type “everyone” (without the quotes) in the ‘Enter the object name to select’ box. Click the Check Names button to ensure you have specified a valid object name, then OK. This will open the Auditing Entry dialogue.

Choose what you want audited – ‘List folder / Read data’ in this case, and select an ‘Apply onto’ option: if you want to keep the audit log uncluttered just choose ‘This folder only’ or ‘This folder and subfolders’. OK out of all open dialogues.

Now run the Event Viewer, as described earlier, and open the Security branch. You’ll see several entries each time the folder you have specified is opened, together with the time, user and other information. If you double-click on an entry you’ll get further information, in particular the ‘Image File Name’ which tells you which program accessed the folder.

If you, or another user, has opened the folder, this will show as Explorer.exe. If some other process has accessed the folder you’ll see a different executable, for example, WindowsSearchFilter.exe shows that the Desktop Search indexer has passed that way.