The Critical System Protection (SCSP) IPS driver does not show the remote user that attempted to or successfully changed a file over the network.

This occurs because the IPS driver blocks the remote file access attempt by blocking Lan Manager process from making the change to the file, which does not have the user information attached.   This behavior is expected due to the architecture of Windows.

If it is desired to monitor who made changes to the file, along with what was content within the file was changed, a IDS filewatch policy must be used.

Note that there is a limitation in Windows XP/2003 and earlier that prevents the IDS filewatch policy from seeing the user, so users who made the changes will only be reported on Windows 7/2008 and later. 

Applies To

Windows