5
votes

I'm trying to make a simple log of files transferred via SMB.

This works with Windows 8 or higher:

    using System.Management;   // add a reference to System.Management

    var scope = new ManagementScope(@"\\.\root\Microsoft\Windows\SMB");

    // Poll once per second for MSFT_SmbOpenFile instances that are
    // created, modified or deleted
    var query = new WqlEventQuery(
        @"SELECT *
          FROM __InstanceOperationEvent WITHIN 1
          WHERE TargetInstance ISA 'MSFT_SmbOpenFile'");

    ManagementEventWatcher watcher = new ManagementEventWatcher(scope, query);
    watcher.EventArrived += new EventArrivedEventHandler(HandleEvent);

    watcher.Start();

....

But it does not work for Windows 7 or lower. (Run-time requirements)

Is there a similar solution that is compatible at least with Windows 7?

1st edit

It looks possible because this Windows 7 module does this task:

Computer Management (I'm seeing this information on Windows 7)

mmc.exe

2nd edit

To clarify the purpose: I am building a DLP (Data Loss Prevention) application. I need to monitor and log files accessed via a Windows share (user, filename) and eventually block this access at the moment the user requests the file.

1
You can look at the NET family of commands - net files - gives the list of open files. net session gives the list of sessions. – Subbu
Great Subbu, I'm taking a look at the documentation now, looking for something event based, so I can be notified instead of running the command consecutively. – Vinicius Gonçalves
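
One possible shape for the `HandleEvent` handler that the question's snippet registers, as an added example that is not part of the original post: it logs the user, client machine and path for each `MSFT_SmbOpenFile` event. The class name `SmbOpenFileLogger` and the tab-separated output format are assumptions.

```csharp
using System;
using System.Management;

// Added example (not the poster's code): logs SMB file opens and closes.
static class SmbOpenFileLogger
{
    static void Main()
    {
        // Same namespace and query as in the question (Windows 8 or higher).
        var scope = new ManagementScope(@"\\.\root\Microsoft\Windows\SMB");
        var query = new WqlEventQuery(
            "SELECT * FROM __InstanceOperationEvent WITHIN 1 " +
            "WHERE TargetInstance ISA 'MSFT_SmbOpenFile'");

        using (var watcher = new ManagementEventWatcher(scope, query))
        {
            watcher.EventArrived += HandleEvent;
            watcher.Start();
            Console.WriteLine("Logging SMB file opens; press Enter to stop.");
            Console.ReadLine();
            watcher.Stop();
        }
    }

    static void HandleEvent(object sender, EventArrivedEventArgs e)
    {
        // The concrete event class tells us what happened to the instance.
        string action;
        switch (e.NewEvent.ClassPath.ClassName)
        {
            case "__InstanceCreationEvent": action = "OPEN"; break;
            case "__InstanceDeletionEvent": action = "CLOSE"; break;
            default: action = "MODIFY"; break;
        }

        // TargetInstance is the MSFT_SmbOpenFile object the event refers to.
        var file = (ManagementBaseObject)e.NewEvent["TargetInstance"];

        // One record per event: UTC time, action, user, client, file path.
        Console.WriteLine("{0:o}\t{1}\t{2}\t{3}\t{4}",
            DateTime.UtcNow, action,
            file["ClientUserName"], file["ClientComputerName"], file["Path"]);
    }
}
```

Because `WITHIN 1` makes WMI poll once per second, a file that is opened and closed between two polls produces no event, so a log built this way can miss short-lived accesses.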

1 Answer