As the title says, does Windows (10/Anniversary/Creators Update) log the creation of Compressed Folders or Zip Files? Is this tracked in Event Viewer, or any debug log?
An employee had attempted to create a zip file, but evidently missed a file. This has become an issue due to missing a deadline due to the file being absent. Need to see if this was an issue of user error.
No, Event Viewer will not show this. Event Viewer maintains logs about program, security, and system events on your computer, not user actions. See https://technet.microsoft.com/en-us/library/cc938674.aspx for more info.
As far as I know there is no (native) Windows feature that will allow you to see what files were added to a zipped folder. There is Windows security auditing, but I don't think it provides that level of user activity granularity. See https://technet.microsoft.com/en-us/library/dn319078(v=ws.11).aspx:
Security auditing is a powerful tool to help maintain the security of an enterprise. Auditing can be used for a variety of purposes, including forensic analysis, regulatory compliance, monitoring user activity, and troubleshooting. Industry regulations in various countries or regions require enterprises to implement a strict set of rules related to data security and privacy. Security audits can help implement such policies and prove that these policies have been implemented. Also, security auditing can be used for forensic analysis, to help administrators detect anomalous behavior, to identify and mitigate gaps in security policies, and to deter irresponsible behavior by tracking critical user activities.
Only suggestion I have for you is, If you have Shadow Copy enabled, you can try looking at the snapshot of the folder that was zipped, to see if it contained the file in question when the employee created the zip file.
As wysiwyg's answer says, there is no event log that contains information on created ZIP files unless there was auditing in place for that directory, in which case you could theoretically look at which files were read right before the ZIP was created. I tested this by creating a ZIP file using Send to | Compressed (zipped) folder and consulting the main event logs, which had nothing about the incident. There are plenty of other smaller logs under Applications and Services Logs, but they are also not helpful. To prove that, we can use PowerShell!
Get-WinEvent -ListLog * | ? { $_.RecordCount -gt 0 } | % { Get-WinEvent -LogName $_.LogName -MaxEvents 100 } | ? { $_.ToXml().Contains('.zip') }
If run as administrator, this looks through every non-empty event log, gets the last hundred events, and returns any that include a mention of a .zip file. That produced zero results for me.
I was also unable to find any log files on disk that were updated during the incident. I checked that by watching for file system activity from explorer.exe using Process Monitor. It generated a boatload of events, far too many to look through manually, so I exported the log as a CSV. To get a list of the unique paths accessed (since the vast majority of events had to do with only a few paths), we can again use PowerShell:
Import-Csv C:\path\to\report.csv | group Path | select -ExpandProperty Name
Looking through the list reveals nothing interesting, only files that were involved in the zipping or were just touched by background processes.
If the ZIP file still exists on the disk, we can more or less prove that it was created when it claims to be (relevant since creation times can be falsified). That information is held in the Windows search index, which we can query using - you guessed it - PowerShell!
$sql = "select System.ItemName, System.DateCreated from SYSTEMINDEX where System.ItemName like '%.zip'"
$connector = [System.Data.OleDb.OleDbDataAdapter]::new($sql, "provider=search.collatordso;extended properties='application=windows';")
$data = [System.Data.DataSet]::new()
$connector.Fill($data)
$data.Tables[0]
(Based on code in this article by Russell Smith.) It produces the path and creation time (in UTC, not the system time zone) for each ZIP in the index. Alas, that doesn't tell what was included in the ZIP archive, but it's the best we can do.
