Windows Event ID 5140 – Microsoft-Windows-Security-Auditing: Network Share Object Accessed

Event ID 5140 logs when a user or process accesses a network share object. This security audit event tracks file share access attempts for compliance and security monitoring purposes.

Emanuel DE ALMEIDA
18 March 2026

What This Event Means

Event ID 5140 represents a fundamental component of Windows security auditing infrastructure, specifically designed to track network share access. When the Audit File Share subcategory is enabled, the event is written when a user or service account connects to a share over SMB. It is generated once per session on the first access to each share, not for every file opened through it; per-file detail comes from Event 5145 under Audit Detailed File Share. The event captures the security identifier (SID) and logon ID of the accessing account, the source IP address and port, the share name and its local path, and the access mask requested.

The event integrates with Windows Advanced Audit Policy Configuration, allowing administrators to fine-tune which types of object access events are logged. This granular control helps balance security monitoring needs with log volume management. The event data includes critical forensic information such as logon ID correlation, enabling administrators to trace access patterns across multiple events and build comprehensive audit trails.

In enterprise environments, Event 5140 serves as a cornerstone for data loss prevention (DLP) strategies and insider threat detection programs. The event's detailed logging capabilities enable security teams to identify unusual access patterns, detect potential data exfiltration attempts, and maintain detailed records for compliance reporting. Modern SIEM solutions heavily rely on this event type for building behavioral baselines and detecting anomalous file access activities.
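The fields above are easiest to work with once the event XML is parsed and the access mask is decoded. The following PowerShell is an added example, not code from the original article: it parses a 5140 record into a flat object using a namespace-aware XPath (the event schema declares a default namespace, which is why unprefixed //Data[...] queries return nothing), decodes the hex AccessMask into rights names, and flags administrative shares. The field names are the real 5140 EventData names; the sample event, its SID, account and addresses are constructed for the demo.

```powershell
# Added example (not from the original article): parse a 5140 event's XML and decode its AccessMask.
# The sample event at the bottom is constructed and is not a captured log entry.

# File-object access-mask bits as Windows reports them for share objects (ObjectType = File).
$AccessMaskBits = @{
    0x1      = 'ReadData/ListDirectory'
    0x2      = 'WriteData/AddFile'
    0x4      = 'AppendData/AddSubdirectory'
    0x8      = 'ReadEA'
    0x10     = 'WriteEA'
    0x20     = 'Execute/Traverse'
    0x40     = 'DeleteChild'
    0x80     = 'ReadAttributes'
    0x100    = 'WriteAttributes'
    0x10000  = 'DELETE'
    0x20000  = 'READ_CONTROL'
    0x40000  = 'WRITE_DAC'
    0x80000  = 'WRITE_OWNER'
    0x100000 = 'SYNCHRONIZE'
}

function ConvertFrom-AccessMask {
    # Turns the logged hex string (e.g. '0x3') into the list of rights it encodes.
    param([Parameter(Mandatory)][string]$Mask)
    $value = [Convert]::ToInt64(($Mask -replace '^0x', ''), 16)
    $names = foreach ($bit in ($AccessMaskBits.Keys | Sort-Object)) {
        if ($value -band $bit) { $AccessMaskBits[$bit] }
    }
    return @($names)
}

function ConvertFrom-Event5140 {
    # Accepts the XML string returned by EventRecord.ToXml(). The schema declares a default namespace,
    # so XPath needs a registered prefix; unprefixed //Data[@Name='x'] silently matches nothing.
    param([Parameter(Mandatory)][string]$EventXml)
    $xml = [xml]$EventXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    $data = @{}
    foreach ($d in $xml.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $share = $data['ShareName']
    [pscustomobject]@{
        TimeCreated   = [datetime]$xml.SelectSingleNode('/e:Event/e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
        Computer      = $xml.SelectSingleNode('/e:Event/e:System/e:Computer', $ns).InnerText
        Account       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        LogonId       = $data['SubjectLogonId']          # joins to TargetLogonId of the 4624 that opened the session
        SourceAddress = $data['IpAddress']
        SourcePort    = $data['IpPort']
        ShareName     = $share                            # logged as \\*\Name
        SharePath     = $data['ShareLocalPath']           # logged as \??\C:\Path
        AccessMask    = $data['AccessMask']
        Accesses      = (ConvertFrom-AccessMask $data['AccessMask']) -join ', '
        IsAdminShare  = [bool]($share -match '^\\\\\*\\(ADMIN\$|IPC\$|[A-Za-z]\$)$')
    }
}

# Constructed sample event (SID, names and addresses are made up); single-quoted so $ is literal.
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>5140</EventID>
    <TimeCreated SystemTime="2026-03-18T02:14:09.1234567Z"/>
    <Channel>Security</Channel>
    <Computer>FS01.corp.example</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e4a7c</Data>
    <Data Name="ObjectType">File</Data>
    <Data Name="IpAddress">10.20.30.40</Data>
    <Data Name="IpPort">49812</Data>
    <Data Name="ShareName">\\*\C$</Data>
    <Data Name="ShareLocalPath">\??\C:\</Data>
    <Data Name="AccessMask">0x1</Data>
    <Data Name="AccessList">%%4416</Data>
  </EventData>
</Event>
'@

ConvertFrom-Event5140 -EventXml $SampleEventXml | Format-List
# Live use (elevated session):
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5140} -MaxEvents 50 | ForEach-Object { ConvertFrom-Event5140 $_.ToXml() }
```

The parsed object exposes LogonId and SourceAddress as plain properties, so the correlation and filtering steps later on the page can operate on objects instead of re-parsing XML for every comparison.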

Applies to: Windows 10, Windows 11, Windows Server 2019/2022/2025


Possible Causes

  • User accessing a shared folder or file over the network through SMB protocol
  • Service account or application connecting to network shares for automated processes
  • Backup software accessing shared directories for data protection operations
  • Administrative tools connecting to administrative shares like C$, ADMIN$, or IPC$
  • Mapped network drives being accessed by users or applications
  • File synchronization services accessing shared folders for replication
  • Security scanning tools enumerating network shares during vulnerability assessments
  • Malware or unauthorized tools attempting to access shared resources

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 5140 to understand the access pattern and identify potential security concerns.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs > Security
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 5140 in the Event IDs field and click OK
  5. Double-click on a 5140 event to view detailed information including:
    • Subject: Security ID, Account Name, Account Domain and Logon ID of the account that accessed the share
    • Network Information: Object Type (File), Source Address and Source Port of the client
    • Share Information: Share Name (logged as \\*\Name) and Share Path (the local path behind the share)
    • Access Request Information: Access Mask and the decoded Accesses list
    Event 5140 carries no process information; the access is performed by the SMB server service on behalf of the remote client, so the client-side process is not visible to the file server
  6. Pay special attention to the Source Address field to identify the originating system
  7. Check the Access Mask value to understand what type of access was requested (most share connections log 0x1, ReadData/ListDirectory)
Pro tip: Use the XML view tab to see raw event data, which can be helpful for automated parsing and analysis.
02

Query Events with PowerShell for Pattern Analysis

Use PowerShell to query and analyze Event ID 5140 patterns across time periods to identify trends and anomalies. The event XML declares a default namespace, so XPath such as //Data[@Name='...'] matches nothing unless a namespace prefix is registered; the examples below cast to [xml] and walk Event.EventData.Data instead.

  1. Open PowerShell as Administrator (reading the Security log requires elevation or membership in Event Log Readers)
  2. Query recent 5140 events with basic filtering:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5140} -MaxEvents 100 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Extract specific event details for analysis (5140 has no ObjectName field; the share is recorded in ShareName and ShareLocalPath):
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5140} -MaxEvents 500
    $Parsed = $Events | ForEach-Object {
        $EventXML = [xml]$_.ToXml()
        $EventData = $EventXML.Event.EventData.Data
        [PSCustomObject]@{
            TimeCreated     = $_.TimeCreated
            SubjectUserName = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
            ShareName       = ($EventData | Where-Object {$_.Name -eq 'ShareName'}).'#text'
            ShareLocalPath  = ($EventData | Where-Object {$_.Name -eq 'ShareLocalPath'}).'#text'
            IpAddress       = ($EventData | Where-Object {$_.Name -eq 'IpAddress'}).'#text'
            AccessMask      = ($EventData | Where-Object {$_.Name -eq 'AccessMask'}).'#text'
        }
    }
    $Parsed | Format-Table -AutoSize
  4. Identify top accessing users (reuse the parsed objects rather than re-parsing the XML for every event):
    $Parsed | Group-Object SubjectUserName | Sort-Object Count -Descending | Select-Object Name, Count
  5. Find access from addresses outside your local ranges (adjust the prefixes to your network; loopback and link-local sources appear as '127.x', '::1' or 'fe80:', and '-' means no address was recorded):
    $Parsed | Where-Object { $_.IpAddress -ne '-' -and $_.IpAddress -notmatch '^(192\.168\.|10\.|127\.|::1|fe80:)' }
Warning: Large queries can impact system performance. Use -MaxEvents parameter to limit results and consider running during off-peak hours.
03

Configure Advanced Audit Policy for Granular Control

Fine-tune Object Access auditing to control Event ID 5140 generation and reduce noise while maintaining security visibility. Event 5140 is controlled by the Audit File Share subcategory and is all-or-nothing: shares have no SACL, so once the subcategory is enabled every share on the host is audited. Per-share scoping happens downstream (XPath filters, forwarding subscriptions, SIEM rules), and a SACL on a folder produces File System events (4656/4663), not 5140.

  1. Open Group Policy Management Console or Local Group Policy Editor (gpedit.msc)
  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access
  3. Double-click Audit File Share policy
  4. Configure the policy based on your monitoring requirements:
    • Check Success to log successful share access
    • Check Failure to log failed access attempts
    • Click OK to apply changes
  5. Verify the effective setting from an elevated prompt (auditpol reports the local state after the policy has applied):
    auditpol /get /subcategory:"File Share"
  6. If you need to know which files were touched through the share, enable the companion Audit Detailed File Share policy in the same node (Event 5145). On a busy file server this is high volume, so enable it deliberately.
  7. To audit specific folders behind a share rather than the share itself, place a SACL on the folder. This generates 4656/4663 under Audit File System (which must also be enabled) and is scoped to the identities and rights you list. Auditing FullControl for Everyone is extremely noisy; restrict to the rights that matter, here write and delete:
    # Audit write/delete activity on one folder; generates 4656/4663 and needs Audit File System enabled
    $SharePath = "C:\SharedData"
    $ACL = Get-Acl -Path $SharePath -Audit          # -Audit is required to read the SACL (elevated session)
    $AuditRule = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone", "Write,Delete,DeleteSubdirectoriesAndFiles", "ContainerInherit,ObjectInherit", "None", "Success,Failure")
    $ACL.AddAuditRule($AuditRule)
    Set-Acl -Path $SharePath -AclObject $ACL
  8. Apply Group Policy updates:
    gpupdate /force
Pro tip: Use Success auditing for compliance monitoring and Failure auditing for security incident detection. Combine both for comprehensive coverage.
04

Implement Automated Monitoring and Alerting

Set up automated monitoring for Event ID 5140 to detect suspicious access patterns and potential security incidents in real-time.

  1. Create a PowerShell script for continuous monitoring (Write-EventLog exists in Windows PowerShell 5.1 only, so run this with powershell.exe rather than pwsh):
    # Save as Monitor-ShareAccess.ps1
    param(
        [int]$MonitoringIntervalMinutes = 5,
        [int]$AlertThreshold = 50          # events per interval; tune against your own baseline
    )

    # Register the custom event source once (elevated session); Write-EventLog fails without it
    if (-not [System.Diagnostics.EventLog]::SourceExists('ShareMonitor')) {
        New-EventLog -LogName Application -Source 'ShareMonitor'
    }

    while ($true) {
        $StartTime = (Get-Date).AddMinutes(-$MonitoringIntervalMinutes)
        # Get-WinEvent errors when nothing matches; SilentlyContinue plus @() turns that into an empty array
        $Events = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            Id        = 5140
            StartTime = $StartTime
        } -ErrorAction SilentlyContinue)

        if ($Events.Count -gt $AlertThreshold) {
            $AlertMessage = "High share access activity detected: $($Events.Count) events in last $MonitoringIntervalMinutes minutes"
            Write-EventLog -LogName Application -Source 'ShareMonitor' -EventId 1001 -EntryType Warning -Message $AlertMessage
            # Add email notification or SIEM integration here
        }

        Start-Sleep -Seconds ($MonitoringIntervalMinutes * 60)
    }
  2. Register the script as a scheduled task that starts at boot and runs as SYSTEM. The Security log is not readable by a standard user, and -RunLevel Highest alone does not change the account the task runs under:
    # Create scheduled task
    $Action    = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Monitor-ShareAccess.ps1"
    $Trigger   = New-ScheduledTaskTrigger -AtStartup
    $Settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable
    $Principal = New-ScheduledTaskPrincipal -UserId "NT AUTHORITY\SYSTEM" -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName "ShareAccessMonitor" -Action $Action -Trigger $Trigger -Settings $Settings -Principal $Principal
  3. Configure Windows Event Forwarding for centralized logging. A source-initiated subscription needs WinRM on the sources, the collector address delivered to them through the "Configure target Subscription Manager" policy (Computer Configuration > Administrative Templates > Windows Components > Event Forwarding), and NETWORK SERVICE on each source granted read access to the Security log (Event Log Readers group or the channel access SDDL); without that last step the forwarder cannot read 5140 and silently sends nothing:
    # On collector server
    wecutil qc /q
    wecutil cs subscription.xml
  4. Create the subscription XML file for Event 5140 collection. AllowedSourceDomainComputers is required for source-initiated subscriptions; the SDDL below admits Domain Computers and Network Service, the value commonly used in Microsoft's examples:
    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
        <SubscriptionId>ShareAccessEvents</SubscriptionId>
        <SubscriptionType>SourceInitiated</SubscriptionType>
        <Description>Forward Event ID 5140 from domain computers</Description>
        <Enabled>true</Enabled>
        <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
        <ConfigurationMode>Normal</ConfigurationMode>
        <Query>
            <![CDATA[
            <QueryList>
                <Query Id="0">
                    <Select Path="Security">*[System[(EventID=5140)]]</Select>
                </Query>
            </QueryList>
            ]]>
        </Query>
        <ReadExistingEvents>false</ReadExistingEvents>
        <LogFile>ForwardedEvents</LogFile>
        <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
    </Subscription>
Warning: Continuous monitoring scripts can consume system resources. Test thoroughly and implement appropriate throttling mechanisms.
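The threshold script above only counts volume. As an added example that is not part of the original article, the following PowerShell applies two content rules to parsed 5140 records: administrative-share access (C$, ADMIN$, IPC$) from a source outside the subnet where admin sessions are expected, the classic lateral-movement shape, and one source address touching many distinct shares inside a short window, the trace a share-enumeration tool leaves (listed under Possible Causes above). The sample records, the 10.10.0.0/24 admin subnet and the thresholds are constructed assumptions; in production feed it the objects you get from parsing real events.

```powershell
# Added example (not from the original article): content-based detection over parsed 5140 records.
# The sample records, the admin subnet and the thresholds are constructed assumptions.

function ConvertTo-IPv4Int {
    # Returns the IPv4 address as Int64, or $null for '-', '::1' and other non-IPv4 values.
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip) -or
        $ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $null }
    $b = $ip.GetAddressBytes()
    return ([int64]$b[0] -shl 24) -bor ([int64]$b[1] -shl 16) -bor ([int64]$b[2] -shl 8) -bor [int64]$b[3]
}

function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)          # e.g. '10.20.30.40', '10.20.0.0/16'
    $net, $bits = $Cidr -split '/'
    $addrInt = ConvertTo-IPv4Int $Address
    $netInt  = ConvertTo-IPv4Int $net
    if ($null -eq $addrInt -or $null -eq $netInt) { return $false }
    $full = [int64]4294967295                        # 0xFFFFFFFF as a positive 64-bit value
    $mask = ($full -shl (32 - [int]$bits)) -band $full
    return (($addrInt -band $mask) -eq ($netInt -band $mask))
}

function Find-ShareAccessAnomalies {
    param(
        [Parameter(Mandatory)][object[]]$Records,        # objects with TimeCreated, Account, SourceAddress, ShareName
        [string[]]$AdminSourceCidrs = @('10.10.0.0/24'),  # assumption: subnets admin-share access is expected from
        [int]$DistinctShareThreshold = 5,
        [int]$WindowMinutes = 10
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # Rule 1: C$/ADMIN$/IPC$ reached from a source outside the admin subnets
    foreach ($r in $Records) {
        if ($r.ShareName -notmatch '^\\\\\*\\(ADMIN\$|IPC\$|[A-Za-z]\$)$') { continue }
        $expected = $false
        foreach ($cidr in $AdminSourceCidrs) { if (Test-IPv4InCidr $r.SourceAddress $cidr) { $expected = $true; break } }
        if (-not $expected) {
            $findings.Add([pscustomobject]@{ Rule = 'AdminShareFromUnexpectedSource'; Source = $r.SourceAddress
                                             Account = $r.Account; Detail = $r.ShareName; Time = $r.TimeCreated })
        }
    }

    # Rule 2: one source touching many distinct shares inside a sliding window (share enumeration)
    foreach ($group in ($Records | Group-Object SourceAddress)) {
        $sorted = @($group.Group | Sort-Object TimeCreated)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].TimeCreated
            $inWindow = @($sorted | Where-Object { $_.TimeCreated -ge $start -and $_.TimeCreated -lt $start.AddMinutes($WindowMinutes) })
            $distinct = @($inWindow.ShareName | Sort-Object -Unique)
            if ($distinct.Count -ge $DistinctShareThreshold) {
                $findings.Add([pscustomobject]@{ Rule = 'ShareEnumeration'; Source = $group.Name
                                                 Account = (@($inWindow.Account | Sort-Object -Unique) -join ',')
                                                 Detail = "$($distinct.Count) distinct shares in $WindowMinutes min"; Time = $start })
                break   # one finding per source is enough
            }
        }
    }
    return $findings
}

# Constructed sample records (not real log data): minute offset, account, source address, share
$t0 = Get-Date '2026-03-18 02:00:00'
$rows = @(
    @(0,  'CORP\svc-backup', '10.10.0.15',  '\\*\C$'),          # admin share from the admin subnet: expected
    @(1,  'CORP\jdoe',       '10.20.30.40', '\\*\Finance'),
    @(2,  'CORP\jdoe',       '10.20.30.40', '\\*\HR'),
    @(3,  'CORP\jdoe',       '10.20.30.40', '\\*\IT'),
    @(4,  'CORP\jdoe',       '10.20.30.40', '\\*\Legal'),
    @(5,  'CORP\jdoe',       '10.20.30.40', '\\*\IPC$'),         # admin share from a user subnet
    @(6,  'CORP\jdoe',       '10.20.30.40', '\\*\Engineering'),
    @(30, 'CORP\asmith',     '10.20.31.7',  '\\*\Finance')
)
$SampleRecords = foreach ($row in $rows) {
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes($row[0]); Account = $row[1]; SourceAddress = $row[2]; ShareName = $row[3] }
}

Find-ShareAccessAnomalies -Records $SampleRecords | Format-Table -AutoSize
```

On the sample, the backup account's C$ access from the admin subnet is accepted, while 10.20.30.40 produces both findings: IPC$ from a user subnet and six distinct shares inside ten minutes. IPv6 and the '-' placeholder deliberately fail the subnet check, so an admin-share access with no usable source address is reported rather than ignored.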
05

Forensic Analysis and Correlation with Other Events

Perform comprehensive forensic analysis by correlating Event ID 5140 with related security events to build complete attack timelines and identify security incidents.

  1. Identify related events for correlation analysis. Event 5140's SubjectLogonId matches the TargetLogonId of the 4624 event that created the session (for SMB this is normally a LogonType 3 network logon). 4625 carries no TargetLogonId, so a failed logon cannot be joined this way; index the 4624 events once in a hashtable instead of re-parsing them for every share event:
    # Get logon events correlated with share access (raise MaxEvents or add StartTime so the 4624 that opened each session is inside the window)
    $ShareEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5140} -MaxEvents 1000
    $LogonEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 5000

    # Index 4624 by TargetLogonId (first occurrence wins)
    $LogonById = @{}
    foreach ($Logon in $LogonEvents) {
        $Data = ([xml]$Logon.ToXml()).Event.EventData.Data
        $Id = ($Data | Where-Object {$_.Name -eq 'TargetLogonId'}).'#text'
        if ($Id -and -not $LogonById.ContainsKey($Id)) {
            $LogonById[$Id] = [PSCustomObject]@{
                LogonTime   = $Logon.TimeCreated
                LogonType   = ($Data | Where-Object {$_.Name -eq 'LogonType'}).'#text'
                Workstation = ($Data | Where-Object {$_.Name -eq 'WorkstationName'}).'#text'
            }
        }
    }

    # Correlate by LogonId
    $CorrelatedEvents = foreach ($ShareEvent in $ShareEvents) {
        $ShareData = ([xml]$ShareEvent.ToXml()).Event.EventData.Data
        $LogonId = ($ShareData | Where-Object {$_.Name -eq 'SubjectLogonId'}).'#text'
        $RelatedLogon = $LogonById[$LogonId]

        if ($RelatedLogon) {
            [PSCustomObject]@{
                ShareAccessTime = $ShareEvent.TimeCreated
                LogonTime       = $RelatedLogon.LogonTime
                LogonType       = $RelatedLogon.LogonType
                LogonId         = $LogonId
                ShareName       = ($ShareData | Where-Object {$_.Name -eq 'ShareName'}).'#text'
                SourceIP        = ($ShareData | Where-Object {$_.Name -eq 'IpAddress'}).'#text'
            }
        }
    }
    $CorrelatedEvents | Format-Table -AutoSize
  2. Analyze access patterns for anomaly detection:
    # Detect unusual access times (30 days on a busy file server is a large query; narrow StartTime if it is slow)
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5140; StartTime=(Get-Date).AddDays(-30)}
    $AccessTimes = $Events | ForEach-Object {
        $EventData = ([xml]$_.ToXml()).Event.EventData.Data
        [PSCustomObject]@{
            Hour      = $_.TimeCreated.Hour
            DayOfWeek = $_.TimeCreated.DayOfWeek
            User      = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
        }
    }

    # Find access outside business hours (08:00-18:59 local time, Monday to Friday; adjust to your site)
    $AfterHoursAccess = $AccessTimes | Where-Object {$_.Hour -lt 8 -or $_.Hour -gt 18 -or $_.DayOfWeek -in 'Saturday','Sunday'}
    $AfterHoursAccess | Group-Object User | Sort-Object Count -Descending
  3. Export forensic data for external analysis:
    # Export to CSV for analysis tools
    $ExportDir = "C:\Forensics"
    if (-not (Test-Path $ExportDir)) { New-Item -ItemType Directory -Path $ExportDir | Out-Null }
    $ForensicData = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5140; StartTime=(Get-Date).AddDays(-7)} | ForEach-Object {
        $EventXML = [xml]$_.ToXml()
        $EventData = $EventXML.Event.EventData.Data
        [PSCustomObject]@{
            TimeCreated       = $_.TimeCreated
            EventId           = $_.Id
            Computer          = $EventXML.Event.System.Computer
            SubjectUserName   = ($EventData | Where-Object {$_.Name -eq 'SubjectUserName'}).'#text'
            SubjectDomainName = ($EventData | Where-Object {$_.Name -eq 'SubjectDomainName'}).'#text'
            SubjectLogonId    = ($EventData | Where-Object {$_.Name -eq 'SubjectLogonId'}).'#text'
            ShareName         = ($EventData | Where-Object {$_.Name -eq 'ShareName'}).'#text'
            ShareLocalPath    = ($EventData | Where-Object {$_.Name -eq 'ShareLocalPath'}).'#text'
            IpAddress         = ($EventData | Where-Object {$_.Name -eq 'IpAddress'}).'#text'
            IpPort            = ($EventData | Where-Object {$_.Name -eq 'IpPort'}).'#text'
            AccessMask        = ($EventData | Where-Object {$_.Name -eq 'AccessMask'}).'#text'
        }
    }
    $ForensicData | Export-Csv -Path (Join-Path $ExportDir "ShareAccess_$(Get-Date -Format 'yyyyMMdd_HHmmss').csv") -NoTypeInformation
  4. Create timeline analysis for incident response. The rendered Message never contains "DOMAIN\user" as one string (account name and domain are on separate lines), so a -like "*DOMAIN\user*" filter matches nothing; match on the XML fields instead. 4624/4625 name the account in TargetUserName/TargetDomainName, 5140 in SubjectUserName/SubjectDomainName:
    # Generate timeline for a specific account (domain and user name kept separate to match the event fields)
    $TargetDomain = "DOMAIN"
    $TargetUser   = "username"
    $Timeline = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,5140; StartTime=(Get-Date).AddDays(-1)} |
        ForEach-Object {
            $Data  = ([xml]$_.ToXml()).Event.EventData.Data
            $Field = if ($_.Id -eq 5140) { 'Subject' } else { 'Target' }
            $User   = ($Data | Where-Object {$_.Name -eq "${Field}UserName"}).'#text'
            $Domain = ($Data | Where-Object {$_.Name -eq "${Field}DomainName"}).'#text'
            if ($User -eq $TargetUser -and $Domain -eq $TargetDomain) {
                [PSCustomObject]@{
                    TimeCreated = $_.TimeCreated
                    Id          = $_.Id
                    EventType   = switch ($_.Id) {
                        4624 {'Successful Logon'}
                        4625 {'Failed Logon'}
                        5140 {'Share Access'}
                    }
                    SourceIP    = ($Data | Where-Object {$_.Name -eq 'IpAddress'}).'#text'
                    Detail      = if ($_.Id -eq 5140) { ($Data | Where-Object {$_.Name -eq 'ShareName'}).'#text' } else { 'LogonType ' + ($Data | Where-Object {$_.Name -eq 'LogonType'}).'#text' }
                }
            }
        } | Sort-Object TimeCreated
    $Timeline | Format-Table -AutoSize
Pro tip: Combine Event 5140 analysis with network traffic logs and with 5145 (per-file access through the share), 4663 (SACL-audited file system access, with 4656/4658 marking the handle open and close) and 4624/4634 (session start and end) for comprehensive incident investigation.

Overview

Event ID 5140 is written when a user or process connects to a network share on a Windows system; it is generated once per session on the first access to each share rather than once per file. The event belongs to the Object Access audit category (File Share subcategory) and records who accessed which share, when, and from which source address. With both Success and Failure auditing enabled it covers successful connections and denied ones, making it valuable for security monitoring, compliance auditing, and forensic investigations.

This event appears in the Security log and requires the Audit File Share subcategory to be enabled through Group Policy or local security policy. It provides the user account and logon ID, the source IP address and port, the share name and its local path, and the access mask. System administrators use it to track unauthorized access attempts, investigate data exfiltration, and demonstrate compliance with data access policies.

Event 5140 is particularly critical in environments handling sensitive data where tracking file share access is mandatory for regulatory compliance such as HIPAA, SOX, or PCI-DSS requirements.

Frequently Asked Questions

What does Event ID 5140 mean and when does it appear?
Event ID 5140 indicates that a network share object was accessed by a user or process. It appears in the Security log when a client connects to a share over SMB, once per session for each share; file-level activity through the share is reported by Event 5145 instead. The event requires the Audit File Share subcategory to be enabled and records who accessed which share, from which address, and what access mask was requested. It is used for security monitoring, compliance auditing, and detecting unauthorized access to shared resources.
How do I enable Event ID 5140 logging if it's not appearing?
To enable Event ID 5140 logging, configure the File Share subcategory of Object Access auditing through Group Policy. Navigate to Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Object Access, then enable 'Audit File Share' for Success and/or Failure events. You can also run 'auditpol /set /subcategory:"File Share" /success:enable /failure:enable' from an elevated command prompt. After enabling through Group Policy, run 'gpupdate /force' to apply the policy immediately.
What information is included in Event ID 5140 and how do I interpret it?
Event ID 5140 contains the Subject (security ID, account name, domain and Logon ID), Network Information (object type, source IP address and port), Share Information (the share name in the form \\*\Name and the share's local path), and Access Request Information (the Access Mask plus a decoded Accesses list). There is no process information in this event. The Access Mask uses the file-object rights bits: 0x1 ReadData/ListDirectory, 0x2 WriteData/AddFile, 0x4 AppendData/AddSubdirectory, 0x80 ReadAttributes, 0x100 WriteAttributes, 0x10000 DELETE, 0x20000 READ_CONTROL; most share connections log 0x1. The Source Address shows the originating system, and the Logon ID matches the TargetLogonId of the 4624 event that opened the session, which allows complete session tracking.
Can Event ID 5140 help detect security threats and how?
Yes, Event ID 5140 is well suited to threat detection. It can reveal unauthorized access, unusual access patterns, and potential data exfiltration. Look for access from unexpected IP addresses, access outside business hours, one source touching many shares in quick succession (share enumeration), access to sensitive shares by accounts that have no business need, and ADMIN$ or C$ access from ordinary workstations rather than administrative hosts, a classic lateral-movement indicator. Correlating 5140 with 4625 from the same source address shows whether a share access followed a run of failed logons, while unusual volumes or timing can indicate automated tools or malware.
How can I reduce Event ID 5140 log volume while maintaining security visibility?
Event 5140 cannot be scoped per share at the policy level: the File Share subcategory has no SACL, so enabling it audits every share on the host. Reduce what you keep rather than what is generated. Use an XPath filter (in a WEF subscription, a custom view or Get-WinEvent -FilterXml) that selects only high-value share names and suppresses routine backup or synchronization accounts; choose Success, Failure or both deliberately; and be cautious with Audit Detailed File Share (5145) on busy file servers. If you need per-folder rather than per-share detail, put SACLs on the folders under Audit File System (4663), which is scoped to the identities and rights you list. Size the Security log and its retention to the resulting volume and forward only the filtered stream to the SIEM.
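The filter described in the answer above is a QueryList with a Select and a Suppress element. The PowerShell below is an added example, not part of the original article: it builds that XML from a list of share names and accounts to drop, escapes the values, and optionally pulls 5145 rows for the same shares. The same QueryList works for Get-WinEvent -FilterXml, an Event Viewer custom view, and the CDATA inside the <Query> element of the WEF subscription shown earlier. The share and account names at the bottom are assumptions for the demo.

```powershell
# Added example (not from the original article): build the QueryList XML that scopes 5140 to named
# shares and suppresses noisy accounts. Share and account names in the usage lines are assumptions.

function New-ShareAuditFilterXml {
    param(
        [string[]]$ShareNames = @(),            # exactly as logged, e.g. '\\*\Finance'; empty = every share
        [string[]]$ExcludeAccounts = @(),       # SubjectUserName values to drop, e.g. backup service accounts
        [switch]$IncludeDetailedFileShare       # also select 5145 (per-file rows from Audit Detailed File Share)
    )
    # XPath string literals are single-quoted below, and the XML parser would decode &apos; before
    # the XPath engine sees it, so a value containing an apostrophe cannot be expressed safely.
    foreach ($v in @($ShareNames) + @($ExcludeAccounts)) {
        if ($v -like "*'*") { throw "Apostrophes cannot be quoted inside this XPath filter: $v" }
    }
    $esc = { param($s) [System.Security.SecurityElement]::Escape($s) }   # & < > " for the XML layer

    $idTest = if ($IncludeDetailedFileShare) { '(EventID=5140 or EventID=5145)' } else { 'EventID=5140' }
    $select = "*[System[$idTest]]"
    if ($ShareNames.Count -gt 0) {
        $shareTests = @($ShareNames | ForEach-Object { "Data[@Name='ShareName']='$(& $esc $_)'" }) -join ' or '
        $select += " and *[EventData[$shareTests]]"
    }
    $lines = @("    <Select Path=`"Security`">$select</Select>")
    if ($ExcludeAccounts.Count -gt 0) {
        # Suppress wins over Select: a row matched by both is dropped
        $acctTests = @($ExcludeAccounts | ForEach-Object { "Data[@Name='SubjectUserName']='$(& $esc $_)'" }) -join ' or '
        $lines += "    <Suppress Path=`"Security`">*[EventData[$acctTests]]</Suppress>"
    }
    $body = $lines -join "`n"
    return @"
<QueryList>
  <Query Id="0" Path="Security">
$body
  </Query>
</QueryList>
"@
}

# Usage with assumed share and account names
$FilterXml = New-ShareAuditFilterXml -ShareNames '\\*\Finance', '\\*\HR' -ExcludeAccounts 'svc-backup' -IncludeDetailedFileShare
[xml]$FilterXml | Out-Null      # well-formedness check; throws if the generated XML is broken
$FilterXml
# Live use (elevated session): Get-WinEvent -FilterXml $FilterXml -MaxEvents 200
```

Filtering on EventData this way is evaluated by the event log service itself, so unlike a Where-Object over parsed objects it also works inside a forwarding subscription, where the unwanted rows never leave the source host.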

Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
