Event ID: 5142

A network share object was added 

A network share object was added.

Subject:
    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Share Information:  
    Share Name:         %5
    Share Path:         %6


“Share Path” should not point to system directories, such as C:\Windows or C:\, or to critical local folders which contain private or high value information. If the "Share Path" points to these locations it can indicate malicious activity.

Auditing:     Always

Monitor domain controllers and high-value computers for creation of new file shares.


Volume:     Low


This event is logged when a network share is added / created.


Microsoft Documentation

Event ID - 5142



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any DOMAIN\UserName
Account Name SubjectUserName %2 Any UserName
Account Domain SubjectDomainName %3 Any DOMAIN
Logon ID SubjectLogonId %4 Any 0x38D14
Share Name ShareName %5 Any \\*\Confidential
Share Path ShareLocalPath %6 Any C:\Payroll\Confidential

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"File Share"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows 7 Windows 2008 R2 Windows 8 Windows 2012 Windows 8.1 Windows 2012 R2 Windows 10 Windows 2016 Windows 2019 Windows 11 Windows 2022

Tags:
Audit Success
Audit Category:
Object Access

Audit Subcategory:
File Share
Correlated Events:
4624

LEFT/RIGHT arrow keys for navigation

Back to List