ANAVEM
Event ID 5143 | Information | Microsoft-Windows-Security-Auditing | Windows

Windows Event ID 5143 – Microsoft-Windows-Security-Auditing: Network Share Object Was Accessed

Event ID 5143 logs when a user or process accesses a network share object. This security audit event tracks file share access attempts for compliance and security monitoring purposes.

Emanuel DE ALMEIDA
18 March 2026, 12 min read

Event Reference

What This Event Means

Event ID 5143 represents a fundamental component of Windows security auditing infrastructure, specifically targeting network share access monitoring. When enabled, this audit event captures every attempt to access shared folders, providing administrators with comprehensive visibility into file server usage patterns and potential security incidents.

The event structure includes critical fields such as the Subject (user making the request), Object (the share being accessed), Process Information (application initiating the access), and Network Information (source IP and port). Windows evaluates share permissions and NTFS permissions separately, and Event ID 5143 specifically tracks the share-level access evaluation. This distinction is important because a user might pass share-level permissions but fail at the NTFS level, or vice versa.

In modern Windows environments running Server 2025 and Windows 11 24H2, Microsoft has enhanced the event with additional context fields and improved correlation capabilities with other security events. The event integrates seamlessly with Windows Defender for Business and Microsoft Sentinel for advanced threat detection scenarios. Organizations using Zero Trust architectures particularly value this event for continuous verification of access patterns and anomaly detection.

The performance impact of enabling Object Access auditing can be significant on high-traffic file servers, as each share access generates a log entry. Microsoft recommends careful planning of audit policies and log retention strategies to balance security visibility with system performance and storage requirements.

Applies to

Windows 10, Windows 11, Windows Server 2019/2022/2025

Analysis

Possible Causes

  • User mapping a network drive to a shared folder
  • Application accessing files through UNC paths (\\server\share)
  • Windows Explorer browsing to network shares
  • Backup software connecting to file shares
  • Automated scripts or services accessing shared resources
  • Failed authentication attempts to password-protected shares
  • Administrative tools like Computer Management connecting to remote shares
  • Antivirus software scanning network-accessible folders
  • Database applications storing data on network shares
  • Print spooler accessing shared print queues

Resolution Methods

Troubleshooting Steps

01. Review Event Details in Event Viewer

Start by examining the specific details of Event ID 5143 to understand the access pattern and identify the source.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs → Security
  3. Filter the log by clicking Filter Current Log in the Actions pane
  4. Enter 5143 in the Event IDs field and click OK
  5. Double-click on a recent Event ID 5143 entry to view details
  6. Examine key fields in the event description:
    • Subject: User account and SID making the request
    • Object: Share name and server information
    • Process Information: Application initiating the access
    • Network Information: Source IP address and port
    • Access Request Information: Permissions requested and access mask
  7. Note the timestamp and correlate with user activity or system processes
  8. Check if the access was successful by looking for corresponding success/failure indicators
Pro tip: Use the Details tab in Event Viewer to copy specific field values for further investigation or reporting.

02. Query Events with PowerShell for Pattern Analysis

Use PowerShell to analyze Event ID 5143 patterns and identify unusual access behavior or high-frequency sources.

  1. Open PowerShell as Administrator
  2. Query recent Event ID 5143 entries:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5143} -MaxEvents 100 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap
  3. Analyze access patterns by user account:
    $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5143} -MaxEvents 1000
    $events | ForEach-Object {
        $xml = [xml]$_.ToXml()
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            UserName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
            ShareName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ObjectName'} | Select-Object -ExpandProperty '#text'
            SourceIP = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'IpAddress'} | Select-Object -ExpandProperty '#text'
        }
    } | Group-Object UserName | Sort-Object Count -Descending
  4. Identify top accessed shares:
    $events | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ObjectName'} | Select-Object -ExpandProperty '#text'
    } | Group-Object | Sort-Object Count -Descending | Select-Object -First 10
  5. Filter events by specific time range:
    $startTime = (Get-Date).AddHours(-24)
    $endTime = Get-Date
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5143; StartTime=$startTime; EndTime=$endTime}
  6. Export results to CSV for further analysis:
    $events | Export-Csv -Path "C:\Temp\ShareAccess_5143.csv" -NoTypeInformation
Warning: Querying large numbers of security events can impact system performance. Use time filters and MaxEvents parameter to limit results.

03. Configure Audit Policy Settings

Properly configure Object Access auditing to ensure Event ID 5143 is generated with appropriate detail levels.

  1. Open Local Security Policy by running secpol.msc or use Group Policy Management for domain environments
  2. Navigate to Security Settings → Local Policies → Audit Policy
  3. Double-click Audit object access
  4. Enable both Success and Failure auditing
  5. For more granular control, use Advanced Audit Policy:
    auditpol /set /subcategory:"File Share" /success:enable /failure:enable
  6. Verify current audit settings:
    auditpol /get /subcategory:"File Share"
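  7. Configure specific share auditing using PowerShell:
    # Confirm the share exists, then enable access-based enumeration on it.
    # This setting controls which folders users can see; the audit events
    # themselves are governed by the "File Share" subcategory set above.
    $shareName = "SharedDocs"
    $share = Get-SmbShare -Name $shareName -ErrorAction Stop
    Set-SmbShare -Name $share.Name -FolderEnumerationMode AccessBased -Force
  8. Set up System Access Control Lists (SACL) for detailed file access auditing:
    # Configure SACL for a shared folder (run elevated: reading or writing a SACL requires SeSecurityPrivilege)
    $folderPath = "C:\SharedDocs"
    $auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone", "FullControl", "ContainerInherit,ObjectInherit", "None", "Success,Failure")
    # -Audit loads the existing SACL; without it Get-Acl returns only the owner and DACL
    $acl = Get-Acl -Path $folderPath -Audit
    $acl.SetAuditRule($auditRule)
    Set-Acl -Path $folderPath -AclObject $acl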
  9. Test the configuration by accessing the share and verifying Event ID 5143 generation
Pro tip: Use Group Policy Preferences to deploy consistent audit settings across multiple servers in your domain.

04. Implement Log Filtering and Monitoring

Set up automated monitoring and filtering for Event ID 5143 to manage high-volume environments and detect security incidents.

  1. Create a custom Event Viewer view for focused monitoring:
    • In Event Viewer, right-click Custom Views and select Create Custom View
    • Select By log and choose Security
    • Enter 5143 in Event IDs field
    • Add additional filters like specific users or time ranges
    • Save the view with a descriptive name like "Share Access Monitoring"
  2. Configure Windows Event Forwarding (WEF) for centralized logging:
    # On the collector server
    wecutil qc /q
    # Create subscription for Event ID 5143
    wecutil cs ShareAccessSubscription.xml
  3. Set up PowerShell-based monitoring script:
    # Monitor for suspicious share access patterns
    $suspiciousIPs = @("192.168.1.100", "10.0.0.50")
    $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5143} -MaxEvents 50

    # $event is a PowerShell automatic variable, so the loop uses $evt instead
    foreach ($evt in $events) {
        $xml = [xml]$evt.ToXml()
        $sourceIP = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'IpAddress'} | Select-Object -ExpandProperty '#text'

        if ($sourceIP -in $suspiciousIPs) {
            Write-Warning "Suspicious access from $sourceIP at $($evt.TimeCreated)"
            # Send alert or log to SIEM
        }
    }
  4. Configure Task Scheduler for automated monitoring:
    # Create scheduled task to run monitoring script
    # The task runs as SYSTEM, so keep C:\Scripts writable by administrators only
    $action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\MonitorShareAccess.ps1"
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 15)
    $principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
    Register-ScheduledTask -TaskName "ShareAccessMonitor" -Action $action -Trigger $trigger -Principal $principal
  5. Implement log rotation and archival:
    # Configure Security log size and retention
    Limit-EventLog -LogName Security -MaximumSize 512MB -OverflowAction OverwriteAsNeeded
Warning: High-frequency Event ID 5143 generation can fill security logs quickly. Implement proper log management and consider using Windows Event Forwarding for centralized collection.
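
The Windows Event Forwarding step above passes ShareAccessSubscription.xml to wecutil without showing the file. The following is an added example, not part of the original article: a source-initiated subscription limited to Event ID 5143, checked before it is created. The subscription ID, description and output path are assumptions.

```powershell
# Added example: builds and validates the subscription file used by "wecutil cs".
# SubscriptionId, Description and the output path are placeholders for this sketch.
# AllowedSourceDomainComputers is SDDL: DC = Domain Computers, NS = Network Service.
# Narrow it to a file-server group SID where possible.
$subscriptionPath = Join-Path $env:TEMP 'ShareAccessSubscription.xml'
$subscriptionXml = @'
<?xml version="1.0" encoding="UTF-8"?>
<Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
  <SubscriptionId>ShareAccess5143</SubscriptionId>
  <SubscriptionType>SourceInitiated</SubscriptionType>
  <Description>Forward Event ID 5143 from file servers</Description>
  <Enabled>true</Enabled>
  <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
  <ConfigurationMode>Normal</ConfigurationMode>
  <Query><![CDATA[<QueryList><Query Id="0"><Select Path="Security">*[System[(EventID=5143)]]</Select></Query></QueryList>]]></Query>
  <ReadExistingEvents>false</ReadExistingEvents>
  <TransportName>http</TransportName>
  <ContentFormat>RenderedText</ContentFormat>
  <Locale Language="en-US"/>
  <LogFile>ForwardedEvents</LogFile>
  <AllowedSourceNonDomainComputers></AllowedSourceNonDomainComputers>
  <AllowedSourceDomainComputers>O:NSG:NSD:(A;;GA;;;DC)(A;;GA;;;NS)</AllowedSourceDomainComputers>
</Subscription>
'@

# Check the file before handing it to wecutil: it must parse, and the embedded
# query must select only Event ID 5143 from the Security channel.
$parsed    = [xml]$subscriptionXml
$queryText = $parsed.SelectSingleNode("//*[local-name()='Query']").InnerText
$select    = ([xml]$queryText).SelectSingleNode('//Select')
if ($select.GetAttribute('Path') -ne 'Security' -or $select.InnerText -notmatch 'EventID=5143') {
    throw "Subscription query does not target Security/5143: $($select.OuterXml)"
}

Set-Content -Path $subscriptionPath -Value $subscriptionXml -Encoding UTF8
wecutil cs $subscriptionPath      # create the subscription on the collector
wecutil gs ShareAccess5143        # read it back to confirm the stored settings
```

Source-initiated delivery also needs the forwarding servers pointed at this collector through the "Configure target Subscription Manager" policy, and their Network Service account needs read access to the Security log (for example through the Event Log Readers group).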

05. Advanced Forensic Analysis and Correlation

Perform detailed forensic analysis of Event ID 5143 for security investigations and compliance reporting.

  1. Export security logs for offline analysis:
    # Export Security log with Event ID 5143 to EVTX format
    wevtutil epl Security C:\Forensics\Security_5143_$(Get-Date -Format 'yyyyMMdd').evtx "/q:*[System[(EventID=5143)]]"
    
    # Convert to CSV for analysis tools
    Get-WinEvent -Path "C:\Forensics\Security_5143_*.evtx" | Export-Csv -Path "C:\Forensics\ShareAccess_Analysis.csv" -NoTypeInformation
  2. Correlate with other security events for comprehensive timeline:
    # Correlate Event ID 5143 with logon events (4624, 4625)
    $timeWindow = (Get-Date).AddHours(-2)
    $shareEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5143; StartTime=$timeWindow}
    $logonEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625; StartTime=$timeWindow}
    
    # Create correlation timeline
    $correlatedEvents = @()
    foreach ($shareEvent in $shareEvents) {
        $xml = [xml]$shareEvent.ToXml()
        $userName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        $sourceIP = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'IpAddress'} | Select-Object -ExpandProperty '#text'
        
        $relatedLogon = $logonEvents | Where-Object {
            $logonXml = [xml]$_.ToXml()
            $logonUser = $logonXml.Event.EventData.Data | Where-Object {$_.Name -eq 'TargetUserName'} | Select-Object -ExpandProperty '#text'
            $logonIP = $logonXml.Event.EventData.Data | Where-Object {$_.Name -eq 'IpAddress'} | Select-Object -ExpandProperty '#text'
            
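            $logonUser -eq $userName -and $logonIP -eq $sourceIP -and
            [Math]::Abs(($_.TimeCreated - $shareEvent.TimeCreated).TotalMinutes) -lt 30
        } | Sort-Object TimeCreated -Descending | Select-Object -First 1  # several logons can match; keep the latest so LogonTime is a single value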
        
        if ($relatedLogon) {
            $correlatedEvents += [PSCustomObject]@{
                ShareAccessTime = $shareEvent.TimeCreated
                LogonTime = $relatedLogon.TimeCreated
                UserName = $userName
                SourceIP = $sourceIP
                ShareName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ObjectName'} | Select-Object -ExpandProperty '#text'
            }
        }
    }
  3. Generate compliance reports:
    # Create detailed access report for compliance
    $reportData = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5143} -MaxEvents 10000 | ForEach-Object {
        $xml = [xml]$_.ToXml()
        [PSCustomObject]@{
            Timestamp = $_.TimeCreated
            EventID = $_.Id
            UserName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
            UserDomain = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectDomainName'} | Select-Object -ExpandProperty '#text'
            ShareName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ObjectName'} | Select-Object -ExpandProperty '#text'
            SourceIP = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'IpAddress'} | Select-Object -ExpandProperty '#text'
            AccessMask = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'AccessMask'} | Select-Object -ExpandProperty '#text'
            ProcessName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'ProcessName'} | Select-Object -ExpandProperty '#text'
        }
    }
    
    # Export to Excel-compatible format
    $reportData | Export-Csv -Path "C:\Reports\ShareAccess_Compliance_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation
  4. Analyze access patterns for anomaly detection:
    # Detect unusual access patterns
    $baselineHours = 24 * 7  # One week baseline
    $baselineEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5143; StartTime=(Get-Date).AddHours(-$baselineHours)}
    
    # Calculate normal access frequency per user
    $userBaseline = $baselineEvents | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
    } | Group-Object | ForEach-Object {
        [PSCustomObject]@{
            UserName = $_.Name
            AverageAccessPerHour = $_.Count / $baselineHours
        }
    }
    
    # Compare current hour against baseline
    $currentHourEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5143; StartTime=(Get-Date).AddHours(-1)}
    $currentHourAccess = $currentHourEvents | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
    } | Group-Object
    
    foreach ($user in $currentHourAccess) {
        $baseline = $userBaseline | Where-Object {$_.UserName -eq $user.Name}
        if ($baseline -and $user.Count -gt ($baseline.AverageAccessPerHour * 3)) {
            Write-Warning "Anomalous access detected for user $($user.Name): $($user.Count) accesses in last hour (baseline: $([math]::Round($baseline.AverageAccessPerHour, 2)))"
        }
    }
  5. Integrate with SIEM or security tools:
    # Send high-priority events to SIEM via syslog
    function Send-SyslogMessage {
        param($Message, $Server, $Port = 514)
        $udpClient = New-Object System.Net.Sockets.UdpClient
        try {
            $bytes = [System.Text.Encoding]::UTF8.GetBytes($Message)
            # Send returns the byte count; discard it so it does not leak into the pipeline
            [void]$udpClient.Send($bytes, $bytes.Length, $Server, $Port)
        } finally {
            $udpClient.Close()
        }
    }

    # Monitor for after-hours access
    $afterHoursEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5143; StartTime=(Get-Date).AddHours(-1)} | Where-Object {
        $hour = $_.TimeCreated.Hour
        $hour -lt 7 -or $hour -ge 19  # Outside 7 AM - 7 PM
    }

    # $event is a PowerShell automatic variable, so the loop uses $evt instead
    foreach ($evt in $afterHoursEvents) {
        $xml = [xml]$evt.ToXml()
        $userName = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        $message = "ALERT: After-hours share access by $userName at $($evt.TimeCreated)"
        Send-SyslogMessage -Message $message -Server "siem.company.com"
    }
Pro tip: Use Windows Performance Toolkit (WPT) and Event Tracing for Windows (ETW) for real-time monitoring of high-frequency share access events without impacting system performance.
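
The per-hour baseline above flags volume. As an added example (not code from the original article), the script below goes one step further and flags an account that reaches many distinct shares from one source inside a short window. The helper names, sample events and thresholds are assumptions, and the Data names follow the fields queried on this page.

```powershell
# Added example. Sample events are constructed; Data names follow the fields used on this page.
function New-SampleEventXml {            # hypothetical helper, builds one demo record
    param([datetime]$Time, [string]$User, [string]$Share, [string]$Ip)
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5143</EventID><TimeCreated SystemTime="$($Time.ToString('o'))"/></System>
  <EventData>
    <Data Name="SubjectUserName">$User</Data>
    <Data Name="ObjectName">$Share</Data>
    <Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}

function ConvertTo-ShareAccessRecord {   # hypothetical helper: one pass over EventData
    param([Parameter(Mandatory)][string]$EventXml)
    $xml = [xml]$EventXml
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [PSCustomObject]@{
        Time  = [datetime]$xml.Event.System.TimeCreated.SystemTime
        User  = $fields['SubjectUserName']
        Share = $fields['ObjectName']
        Ip    = $fields['IpAddress']
    }
}

function Find-ShareFanOut {              # hypothetical name
    param([Parameter(Mandatory)][object[]]$Records,
          [int]$WindowMinutes = 10, [int]$DistinctShareThreshold = 5)
    foreach ($group in ($Records | Group-Object User, Ip)) {
        $sorted = @($group.Group | Sort-Object Time)
        $start = 0
        for ($end = 0; $end -lt $sorted.Count; $end++) {
            # Advance the left edge until the window spans at most $WindowMinutes
            while (($sorted[$end].Time - $sorted[$start].Time).TotalMinutes -gt $WindowMinutes) { $start++ }
            $shares = @($sorted[$start..$end].Share | Sort-Object -Unique)
            if ($shares.Count -ge $DistinctShareThreshold) {
                [PSCustomObject]@{
                    User = $sorted[$end].User; SourceIP = $sorted[$end].Ip
                    WindowStart = $sorted[$start].Time; WindowEnd = $sorted[$end].Time
                    DistinctShares = $shares.Count; Shares = $shares -join ', '
                }
                break   # one finding per user and source is enough for triage
            }
        }
    }
}

# Constructed input: alice touches two shares 45 minutes apart, bob touches six in under four minutes
$base  = [datetime]'2026-03-18T09:00:00'
$names = 'Finance', 'HR', 'Legal', 'Engineering', 'Backups', 'Profiles'
$sampleXml = @(
    New-SampleEventXml -Time $base -User 'alice' -Share '\\FS01\Finance' -Ip '10.0.0.21'
    New-SampleEventXml -Time ($base.AddMinutes(45)) -User 'alice' -Share '\\FS01\HR' -Ip '10.0.0.21'
    0..5 | ForEach-Object {
        New-SampleEventXml -Time ($base.AddMinutes(30).AddSeconds(40 * $_)) -User 'bob' -Share "\\FS01\$($names[$_])" -Ip '10.0.0.50'
    }
)
$records = $sampleXml | ForEach-Object { ConvertTo-ShareAccessRecord -EventXml $_ }
Find-ShareFanOut -Records $records | Format-List
```

Against a live log, build the records with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5143; StartTime=(Get-Date).AddHours(-1)} | ForEach-Object { ConvertTo-ShareAccessRecord -EventXml $_.ToXml() }`. Tune the window and threshold per server, since backup and antivirus accounts legitimately touch many shares.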

Overview

Event ID 5143 fires whenever a user or process attempts to access a network share object on a Windows system. This security audit event is part of Microsoft's comprehensive file and folder access auditing framework, designed to track who accesses shared resources and when. The event captures detailed information about the accessing user, the target share, and the type of access requested.

This event appears in the Security log when Object Access auditing is enabled through Group Policy or local security policy. Windows generates 5143 events for both successful and failed share access attempts, making it valuable for security monitoring, compliance reporting, and troubleshooting access issues. The event provides granular details including the user's security identifier (SID), the share name, access mask, and the process responsible for the access attempt.

System administrators commonly encounter this event in enterprise environments where file share monitoring is critical for data loss prevention, compliance with regulations like SOX or HIPAA, and forensic investigations. The frequency of these events can be high in busy file server environments, requiring proper log management and filtering strategies.

Frequently Asked Questions

What does Event ID 5143 mean and when does it appear?
Event ID 5143 indicates that a network share object was accessed on a Windows system. It appears in the Security log whenever a user or process attempts to connect to or access a shared folder, provided Object Access auditing is enabled. The event captures both successful and failed access attempts, including details about the user, the share name, source IP address, and the type of access requested. This event is essential for monitoring file server activity, compliance reporting, and security investigations in enterprise environments.

How do I enable Event ID 5143 logging if it's not appearing?
To enable Event ID 5143 logging, you must configure Object Access auditing through Local Security Policy or Group Policy. Navigate to Security Settings → Local Policies → Audit Policy and enable 'Audit object access' for both Success and Failure. For more granular control, use the command 'auditpol /set /subcategory:"File Share" /success:enable /failure:enable'. Additionally, ensure that the shares you want to monitor have appropriate System Access Control Lists (SACLs) configured. Without proper audit policy settings, Windows will not generate these events even when share access occurs.

Can Event ID 5143 impact system performance on busy file servers?
Yes, Event ID 5143 can significantly impact performance on high-traffic file servers because each share access generates a log entry. In environments with thousands of daily share accesses, the Security log can grow rapidly and consume substantial disk I/O and storage resources. To mitigate performance impact, consider implementing selective auditing using Group Policy filtering, increasing Security log size limits, configuring log rotation policies, and using Windows Event Forwarding to centralize logging on dedicated collector servers. Monitor system performance after enabling auditing and adjust policies as needed.

How can I filter Event ID 5143 to show only suspicious or unauthorized access attempts?
Filter Event ID 5143 events by creating custom PowerShell queries that focus on specific criteria such as after-hours access, access from unusual IP addresses, or high-frequency access patterns. Use Get-WinEvent with FilterHashtable to query by time ranges, then parse the XML event data to extract user names, source IPs, and share names. Create baseline access patterns for normal user behavior and alert on deviations. You can also filter by specific shares containing sensitive data, failed access attempts, or access from non-domain computers. Implement automated monitoring scripts that run periodically to identify anomalous patterns.

What's the difference between Event ID 5143 and other file access events like 4663?
Event ID 5143 specifically tracks network share access at the share level, while Event ID 4663 tracks individual file and folder access within those shares. Event 5143 occurs when a user connects to or accesses a share (like \\server\shared), capturing share-level permissions evaluation. Event 4663 fires for each individual file or folder accessed within that share, capturing NTFS-level permissions. Event 5143 provides broader access patterns and is useful for monitoring share usage, while 4663 offers granular file-level auditing. For comprehensive monitoring, you typically need both events enabled, but be aware that 4663 generates significantly more log entries than 5143.

Written by Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
