If a file read by Omniscope is changed while the workflow execution is ongoing, Omniscope will display an error message:

This is usually due to some other process accessing the file, or some misconfiguration in Omniscope. This article will show how it is possible to use Windows Auditing functionality to find the process modifying the file.

Enable Auditing for the file

To enable auditing for the file:

- Open a Windows explorer window and navigate to the source file you want to monitor.

- Right click, and select Properties

- Navigate to Security, then Advanced, and Auditing. Click Continue if necessary.

- Click on Add, then Select a principal. Enter the name of a user or group you want to audit for the selected file or folder, and click Check Names to validate your entry. For example, enter Everyone to audit for every user or group. Click OK to apply the changes.

- In the Basic Permission check Modify and Write permissions. Click OK to apply the changes.

Analysing the Audit events

You can analyse the audit the Events Viewer application. You can open the application by clicking on the Windows start menu and searching for Event Viewer.

To see Audit events in the Event Viewer application, navigate to Windows Logs and Security. The example below shows that file Stocks.csv has been written by the process notepad++.exe  on 21/06/2022 at 09:23:53.

You can use the Filter current Log... button on panel on the right to filter the events. Also, it is possible to export the events as export the events as a CSV file by clicking on Save All Events As, and selecting CSV as the file type. Note that saving the file might take a long time if there are lots events captured by the filter.

Once the file has been exported, you an easily filter and analyse the file using Omniscope: