Skip to main content

This script uses the .net FileSystemWatcher class to subscribe to create, change and delete events on files or folders in the NTFS filesystem. It can be used to monitor a folder or folders, and can be modified to perform any action upon the triggering of these events.

#
# Powershell FileSystemWatcher
# By BigTeddy 05 September 2011
#
# This script uses the .NET FileSystemWatcher class to monitor file events in folder(s).
# The advantage of this method over using WMI eventing is that this can monitor sub-folders.
# The -Action parameter can contain any valid Powershell commands.  I have just included two for example.
# The script can be set to a wildcard filter, and IncludeSubdirectories can be changed to $true.
# You need not subscribe to all three types of event.  All three are shown for example.
#
# https://gallery.technet.microsoft.com/scriptcenter/Powershell-FileSystemWatche-dfd7084b
# Version 1.1
#

$folder = 'c:\scripts\test' # Enter the root path you want to monitor.
$filter = '*.*'  # You can enter a wildcard filter here.
$outlog - 'c:\scripts\filechange\outlog.txt' # logfile

# In the following line, you can change 'IncludeSubdirectories to $true if required.
$fsw = New-Object IO.FileSystemWatcher $folder, $filter -Property @{
    IncludeSubdirectories = $false;NotifyFilter = [IO.NotifyFilters]'FileName, LastWrite'
}

# Here, all three events are registerd. You need only subscribe to events that
# you need:

Register-ObjectEvent $fsw Created -SourceIdentifier FileCreated -Action
{
    $name = $Event.SourceEventArgs.Name
    $changeType = $Event.SourceEventArgs.ChangeType
    $timeStamp = $Event.TimeGenerated
    Write-Host "The file '$name' was $changeType at $timeStamp" -fore green
    Out-File -FilePath $outlog -Append -InputObject "The file '$name' was $changeType at $timeStamp"
}

Register-ObjectEvent $fsw Deleted -SourceIdentifier FileDeleted -Action
{
    $name = $Event.SourceEventArgs.Name
    $changeType = $Event.SourceEventArgs.ChangeType
    $timeStamp = $Event.TimeGenerated
    Write-Host "The file '$name' was $changeType at $timeStamp" -fore red
    Out-File -FilePath $outlog -Append -InputObject "The file '$name' was $changeType at $timeStamp"
}

Register-ObjectEvent $fsw Changed -SourceIdentifier FileChanged -Action
{
    $name = $Event.SourceEventArgs.Name
    $changeType = $Event.SourceEventArgs.ChangeType
    $timeStamp = $Event.TimeGenerated
    Write-Host "The file '$name' was $changeType at $timeStamp" -fore white
    Out-File -FilePath $outlog -Append -InputObject "The file '$name' was $changeType at $timeStamp"
}

# To stop the monitoring, run the following commands:
# Unregister-Event FileDeleted
# Unregister-Event FileCreated
# Unregister-Event FileChanged