ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard displaying Event ID 5144 network share access logs
Event ID 5144InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 5144 – Microsoft-Windows-Security-Auditing: Network Share Object Access Attempted

Event ID 5144 logs when a user or process attempts to access a network share object. This security audit event helps track file share access attempts for compliance and security monitoring.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 202612 min read 0
Event ID 5144Microsoft-Windows-Security-Auditing 5 methods 12 min
Event Reference

What This Event Means

Event ID 5144 represents a fundamental component of Windows security auditing, specifically designed to track network share object access attempts across domain and workgroup environments. When a user, service, or application attempts to access resources through SMB/CIFS protocols, Windows generates this event to provide detailed forensic information about the access attempt.

The event structure includes comprehensive metadata: the security identifier (SID) of the requesting account, the target share path, requested access permissions (read, write, delete, etc.), and the outcome of the access attempt. This granular detail enables security teams to reconstruct user activity timelines, identify suspicious access patterns, and maintain compliance with regulatory requirements like SOX, HIPAA, or GDPR.

In 2026's threat landscape, Event ID 5144 has become increasingly important for detecting advanced persistent threats (APTs) that rely on lateral movement through network shares. Modern security information and event management (SIEM) systems heavily rely on these events to establish baseline user behavior and detect anomalies that might indicate compromised accounts or insider threats.

The event's integration with Windows Defender for Business and Microsoft Sentinel provides enhanced correlation capabilities, allowing organizations to automatically flag unusual share access patterns and trigger incident response workflows when suspicious activity is detected.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • User accessing files or folders on network shares through File Explorer or mapped drives
  • Applications or services connecting to shared resources for data processing or backup operations
  • Automated scripts or scheduled tasks accessing network shares for file transfers or synchronization
  • Administrative tools performing maintenance operations on shared directories
  • Malware or unauthorized software attempting to access sensitive shared resources
  • Failed authentication attempts when accessing password-protected shares
  • Group Policy processing accessing SYSVOL or NETLOGON shares during startup
  • Backup software connecting to network shares for data protection operations
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the specific details of Event ID 5144 to understand the access attempt context.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 5144 by right-clicking the Security log and selecting Filter Current Log
  4. In the filter dialog, enter 5144 in the Event IDs field and click OK
  5. Double-click on a 5144 event to view detailed information including:
    • Subject: User account that attempted access
    • Object: Target share path and resource name
    • Access Request Information: Permissions requested
    • Process Information: Application that initiated the request
  6. Note the Access Mask value to understand specific permissions requested
  7. Check the Result Code to determine if access was granted or denied
Pro tip: Use the Details tab in XML view to see all event properties for advanced analysis and correlation with other security events.
02

Query Events with PowerShell for Pattern Analysis

Use PowerShell to analyze Event ID 5144 patterns and identify trends or suspicious activity.

  1. Open PowerShell as Administrator
  2. Query recent 5144 events with basic filtering:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5144} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message
  3. Filter events by specific user account:
    $Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5144} -MaxEvents 1000
$Events | Where-Object {$_.Message -like '*DOMAIN\username*'} | Select-Object TimeCreated, Message
  4. Analyze access patterns by share path:
    $ShareAccess = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5144} -MaxEvents 500
$ShareAccess | ForEach-Object {
    if ($_.Message -match 'Object Name:\s+(.+)') {
        [PSCustomObject]@{
            Time = $_.TimeCreated
            SharePath = $matches[1].Trim()
            User = if ($_.Message -match 'Account Name:\s+(.+)') { $matches[1].Trim() }
        }
    }
} | Group-Object SharePath | Sort-Object Count -Descending
  5. Export results for further analysis:
    $Results | Export-Csv -Path "C:\Temp\ShareAccess_5144.csv" -NoTypeInformation
Warning: Large Security logs can impact PowerShell performance. Use -MaxEvents parameter to limit results and consider filtering by date range for better performance.
03

Configure Object Access Auditing Policy

Ensure proper audit policy configuration to capture comprehensive Event ID 5144 data.

  1. Open Group Policy Management Console or Local Group Policy Editor (gpedit.msc)
  2. Navigate to Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy ConfigurationAudit Policies
  3. Expand Object Access and configure the following policies:
    • Audit File Share: Set to Success and Failure
    • Audit File System: Set to Success and Failure
    • Audit Handle Manipulation: Set to Success (optional)
  4. Apply the policy using PowerShell for immediate effect:
    auditpol /set /subcategory:"File Share" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable
  5. Verify current audit settings:
    auditpol /get /subcategory:"File Share"
auditpol /get /subcategory:"File System"
  6. Configure specific share auditing by setting SACL (System Access Control List) on target shares:
    icacls "\\server\share" /grant "Everyone:(OI)(CI)(F)" /audit "Everyone:(OI)(CI)(F)"
  7. Force Group Policy update:
    gpupdate /force
Pro tip: Enable audit policies gradually in production environments to avoid overwhelming the Security log with excessive events.
04

Implement Advanced Monitoring with Windows Event Forwarding

Set up centralized collection of Event ID 5144 for enterprise-wide monitoring and analysis.

  1. Configure the Windows Event Collector service on your central logging server:
    wecutil qc /q
  2. Create a custom event subscription configuration file (ShareAccess_5144.xml):
    <Subscription xmlns="http://schemas.microsoft.com/2006/03/windows/events/subscription">
    <SubscriptionId>ShareAccess_5144</SubscriptionId>
    <SubscriptionType>SourceInitiated</SubscriptionType>
    <Description>Collect Event ID 5144 from domain computers</Description>
    <Enabled>true</Enabled>
    <Uri>http://schemas.microsoft.com/wbem/wsman/1/windows/EventLog</Uri>
    <ConfigurationMode>Custom</ConfigurationMode>
    <Query>
        <![CDATA[
        <QueryList>
            <Query Id="0">
                <Select Path="Security">*[System[EventID=5144]]</Select>
            </Query>
        </QueryList>
        ]]>
    </Query>
</Subscription>
  3. Import the subscription:
    wecutil cs ShareAccess_5144.xml
  4. Configure source computers to forward events:
    winrm quickconfig
wecutil qc
  5. Add computers to the subscription:
    wecutil ss ShareAccess_5144 /ca:"DOMAIN\Computer1$,DOMAIN\Computer2$"
  6. Verify subscription status:
    wecutil gs ShareAccess_5144
  7. Monitor forwarded events in the Forwarded Events log on the collector server
Pro tip: Use Event Forwarding templates in Windows Admin Center for simplified configuration across multiple servers.
05

Integrate with SIEM and Create Custom Detection Rules

Implement advanced threat detection by correlating Event ID 5144 with other security events in your SIEM platform.

  1. Configure your SIEM agent (Splunk Universal Forwarder, Elastic Beats, etc.) to collect Security log events:
    # Example Splunk inputs.conf configuration
[WinEventLog://Security]
disabled = false
start_from = oldest
current_only = false
checkpointInterval = 5
whitelist = 5144
  2. Create a PowerShell script for custom alerting on suspicious patterns:
    $SuspiciousPatterns = @(
    "\\.*\\ADMIN\$",
    "\\.*\\C\$",
    "\\.*\\SYSVOL"
)

$RecentEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5144; StartTime=(Get-Date).AddHours(-1)}

foreach ($Event in $RecentEvents) {
    foreach ($Pattern in $SuspiciousPatterns) {
        if ($Event.Message -match $Pattern) {
            $Alert = @{
                Time = $Event.TimeCreated
                Computer = $Event.MachineName
                User = if ($Event.Message -match 'Account Name:\s+(.+)') { $matches[1] }
                SharePath = if ($Event.Message -match 'Object Name:\s+(.+)') { $matches[1] }
                Severity = "High"
            }
            # Send alert to SIEM or notification system
            Write-Warning "Suspicious share access detected: $($Alert | ConvertTo-Json)"
        }
    }
}
  3. Set up correlation rules in your SIEM to detect:
    • Multiple failed access attempts from the same user
    • Access to administrative shares outside business hours
    • Unusual access patterns compared to user baselines
    • Rapid sequential access to multiple shares
  4. Configure automated response actions:
    • Disable user accounts after threshold violations
    • Generate incident tickets for security team review
    • Trigger additional monitoring on affected systems
  5. Create dashboards for real-time monitoring of share access trends and anomalies
Warning: Ensure proper data retention policies are in place as Event ID 5144 can generate significant log volume in busy environments.

Overview

Event ID 5144 fires whenever Windows detects an attempt to access a network share object, including files, folders, or other resources on shared network locations. This event is part of Windows' object access auditing framework and appears in the Security log when object access auditing is enabled through Group Policy or local security policy.

The event captures critical details about share access attempts, including the user account, target share path, access permissions requested, and whether the attempt succeeded or failed. This makes it invaluable for security monitoring, compliance auditing, and troubleshooting file share access issues in enterprise environments.

Unlike basic file access events, Event ID 5144 specifically tracks network share operations, making it essential for monitoring lateral movement attempts, unauthorized access patterns, and compliance with data access policies. The event integrates with Windows' Security Audit Policy and requires proper configuration to generate meaningful logs for security teams and system administrators.

Frequently Asked Questions

What does Event ID 5144 mean and when does it appear?+
Event ID 5144 indicates that a user or process attempted to access a network share object. It appears in the Security log whenever someone tries to access files, folders, or other resources on shared network locations through SMB/CIFS protocols. The event captures both successful and failed access attempts, providing detailed information about the user account, target share path, and requested permissions. This event is essential for security monitoring and compliance auditing in enterprise environments.
How do I enable Event ID 5144 logging if it's not appearing?+
Event ID 5144 requires object access auditing to be enabled through Group Policy. Navigate to Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Object Access, then enable 'Audit File Share' for both Success and Failure. You can also use the command 'auditpol /set /subcategory:"File Share" /success:enable /failure:enable' in PowerShell. Additionally, ensure that the specific shares you want to monitor have appropriate System Access Control Lists (SACL) configured to generate audit events.
Can Event ID 5144 help detect malware or unauthorized access?+
Yes, Event ID 5144 is valuable for detecting malicious activity and unauthorized access attempts. Look for patterns such as access to administrative shares (ADMIN$, C$) outside normal business hours, rapid sequential access to multiple shares by a single user, or access attempts to sensitive shares by accounts that don't typically need those resources. When correlated with other security events like failed logons (Event ID 4625) or privilege escalation attempts, Event ID 5144 can help identify lateral movement attempts and advanced persistent threats targeting your network shares.
What information is included in Event ID 5144 and how do I interpret it?+
Event ID 5144 contains comprehensive details including the Subject (user account SID and name), Object (share path and resource name), Access Request Information (specific permissions requested like read, write, delete), Process Information (application that initiated the request), and Access Mask (hexadecimal value indicating exact permissions). The Result Code indicates whether access was granted or denied. Key fields to focus on are the Account Name, Object Name (share path), and Access Mask. Understanding these fields helps determine who accessed what resources and with what level of permissions.
How can I reduce Event ID 5144 log volume without losing security visibility?+
To manage Event ID 5144 volume while maintaining security visibility, implement selective auditing by configuring SACL only on critical shares rather than all network resources. Use Group Policy to exclude system accounts and service accounts that generate routine access events. Consider filtering out read-only access to public shares and focus on write/delete operations or access to sensitive directories. Implement log rotation policies and use Windows Event Forwarding to centralize events from multiple systems. You can also use PowerShell scripts to pre-filter events based on user accounts, time windows, or share paths before sending to your SIEM system.
Documentation

References (2)

1
Microsoft Learn - Audit File ShareOfficial Microsoft documentation covering file share auditing configuration and Event ID 5144 detailshttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-file-share
2
Windows Security Auditing Events ReferenceComprehensive guide to Windows security auditing events and policy configurationhttps://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-5144#security-auditing#network-shares

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...