Event ID: 5142

A network share object was added

A network share object was added.

    Security ID:        %1
    Account Name:       %2
    Account Domain:     %3
    Logon ID:           %4

Share Information:  
    Share Name:         %5
    Share Path:         %6

"Share Path" should not point to system directories, such as C:\Windows or C:\, or to critical local folders that contain private or high-value information. A "Share Path" that points to one of these locations can indicate malicious activity.

Auditing:     Always

Monitor domain controllers and high-value computers for creation of new file shares.

Volume:     Low

This event is logged when a network share is added / created.

Microsoft Documentation

Event ID - 5142

Name            Field              Insertion String  OS   Example
Security ID     SubjectUserSid     %1                Any  DOMAIN\UserName
Account Name    SubjectUserName    %2                Any  UserName
Account Domain  SubjectDomainName  %3                Any  DOMAIN
Logon ID        SubjectLogonId     %4                Any  0x38D14
Share Name      ShareName          %5                Any  \\*\Confidential
Share Path      ShareLocalPath     %6                Any  C:\Payroll\Confidential
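
The Share Path check described above can be run over exported event XML. The following is an added example, not part of the original reference or of Microsoft's documentation: it reads the fields named in the table and flags shares whose path is a drive root or sits inside a listed folder. The `SENSITIVE_DIRS` list and the sample events are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumption: folders treated as system or high-value on this host.
SENSITIVE_DIRS = [r"C:\Windows", r"C:\Payroll"]

# Constructed sample events in the Windows event XML layout (not from a real log).
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>{eid}</EventID></System><EventData>"
    '<Data Name="SubjectUserName">UserName</Data>'
    '<Data Name="SubjectDomainName">DOMAIN</Data>'
    '<Data Name="ShareName">{share}</Data>'
    '<Data Name="ShareLocalPath">{path}</Data></EventData></Event>'
)
SAMPLES = [TEMPLATE.format(eid=e, share=s, path=p) for e, s, p in [
    (5142, r"\\*\Confidential", r"C:\Payroll\Confidential"),
    (5142, r"\\*\Tools", r"c:\windows\System32"),
    (5142, r"\\*\Everything", "C:\\"),
    (5142, r"\\*\Scans", r"D:\Scans"),
    (5140, r"\\*\Other", "C:\\"),  # different event ID, must be ignored
]]

def parse_5142(xml_text):
    """Return the event's named Data fields, or None if it is not event 5142."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "5142":
        return None
    return {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}

def risky_reason(share_path, sensitive=SENSITIVE_DIRS):
    """Say why a Share Path is risky, or return None. Matching ignores case."""
    p = PureWindowsPath(share_path)
    if p.drive and len(p.parts) == 1:
        return "drive root"
    for base in map(PureWindowsPath, sensitive):
        if p == base or base in p.parents:  # whole components, not string prefix
            return f"inside {base}"
    return None

def alerts(xml_events):
    """List (account, share name, share path, reason) for each risky new share."""
    found = []
    for f in filter(None, map(parse_5142, xml_events)):
        reason = risky_reason(f.get("ShareLocalPath", ""))
        if reason:
            account = f"{f.get('SubjectDomainName')}\\{f.get('SubjectUserName')}"
            found.append((account, f.get("ShareName"), f.get("ShareLocalPath"), reason))
    return found

if __name__ == "__main__":
    for alert in alerts(SAMPLES):
        print(alert)
```

Comparing whole path components keeps a folder such as C:\WindowsOld from matching C:\Windows, which a plain string-prefix test would get wrong.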

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /subcategory:"File Share"
