How to Check Who Modified a File Last in Windows Using PowerShell

by

Recently, I was working on a project where I needed to track down who made changes to some important configuration files on our server. While Windows Explorer displays the date a file was last modified, it doesn’t indicate who made the modification. But you can use PowerShell to find out.

In this tutorial, I will show you several methods to check who last modified a file using PowerShell in Windows.

Method 1: Using Get-Acl to View File Security Information

PowerShell’s Get-Acl cmdlet is a powerful way to examine a file’s security information, which includes details about who modified it.

Here’s how to use it:

  1. Open PowerShell as an administrator
  2. Navigate to the directory containing your file
  3. Run the Get-Acl command with the file path
Get-Acl "C:\Reports\QuarterlySales.xlsx" | Select-Object Owner, AccessToString

This command retrieves the access control list for the file and displays the owner and access permissions. The owner is often (but not always) the last person who modified the file.

Here is the output in the screenshot below:

check who modified a file last in windows powershell

However, this method only shows the current owner, not necessarily the last modifier.

Check out Find Files Modified Between Dates Using PowerShell

Method 2: Using Get-ChildItem with LastWriteTime Property

PowerShell’s Get-ChildItem cmdlet (often aliased as ‘dir’ or ‘ls’) can be used with the LastWriteTime property to find when a file was last modified.

Get-ChildItem "C:\Reports\QuarterlySales.xlsx" | Select-Object Name, LastWriteTime

This displays the file name and the date it was last modified, but not the name of the person who modified. This method is useful when you need to check modification timestamps quickly.

For those managing multiple files, you can sort the results by the LastWriteTime property to find the most recently modified file:

Get-ChildItem "C:\Reports\" | Sort-Object LastWriteTime -Descending | Select-Object Name, LastWriteTime -First 5

This displays the 5 most recently modified files in the specified directory.

Check out Show Progress When Copying Files with PowerShell Copy-Item

Method 3: Using File System Auditing and Security Logs

To truly track who modified a file, you need to set up file system auditing first. This is a more comprehensive approach.

Step 1: Enable File System Auditing

  1. Right-click on the file or folder, Select Properties
  2. Go to the Security tab, Click Advanced
  3. Select the Auditing tab
  4. Click Add to add a new auditing entry
  5. Choose “Everyone” or specific users to audit
  6. Select “Success” for “Write attributes” and “Write extended attributes”
  7. Click OK to save

Step 2: Check Security Logs with PowerShell

After enabling auditing, you can use PowerShell to check the security logs:

Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4663  # File system access event ID
    StartTime = (Get-Date).AddDays(-7)  # Check past week
} | Where-Object {$_.Message -like "*C:\Reports\QuarterlySales.xlsx*"} | 
Select-Object TimeCreated, Message

This command retrieves security events related to our file from the past week. You’ll need to run it as an administrator.

Read Create a Folder with Today’s Date and Copy Files to it using PowerShell

Method 4: Using PowerShell to Find Files Modified by a Specific User

If you need to find all files modified by a particular user in PowerShell, you can use a combination of Get-ChildItem and Get-Acl:

$user = "DOMAIN\JohnDoe"
Get-ChildItem "C:\Reports\" -Recurse | ForEach-Object {
    $acl = Get-Acl $_.FullName
    if ($acl.Owner -eq $user) {
        $_ | Select-Object FullName, LastWriteTime
    }
}

This script checks all files in the specified directory (including subdirectories) and lists those owned by the specified user.

Method 5: Find Files Modified Between Specific Dates

Sometimes you need to narrow down files modified within a certain timeframe to identify who made changes. You can find files modified between specific dates with:

$startDate = Get-Date "2025-05-01"
$endDate = Get-Date "2025-05-31"

Get-ChildItem "C:\Reports\" -Recurse | 
Where-Object {($_.LastWriteTime -ge $startDate) -and ($_.LastWriteTime -le $endDate)} |
Select-Object FullName, LastWriteTime

This is particularly useful when investigating changes made during a specific period, such as after a system update or during a security incident.

Check out PowerShell Copy-item Create Folder If Not Exist

Method 6: Create a Detailed Report with Custom Formatting

For a more comprehensive report, we can combine several techniques to create a detailed analysis of file modifications. Here is the complete PowerShell script.

$files = Get-ChildItem "C:\Reports\" -Recurse -File
$results = foreach ($file in $files) {
    $acl = Get-Acl $file.FullName
    [PSCustomObject]@{
        FileName = $file.Name
        Path = $file.DirectoryName
        LastModified = $file.LastWriteTime
        Owner = $acl.Owner
        Size = "{0:N2} KB" -f ($file.Length / 1KB)
    }
}

$results | Format-Table -AutoSize
# Optionally export to CSV
$results | Export-Csv -Path "C:\Reports\FileModificationReport.csv" -NoTypeInformation

This script creates a custom report showing filename, path, last modification time, owner, and file size. It then displays the results in a table and optionally exports them to a CSV file for further analysis.

Method 7: Get the Most Recently Modified File in a Directory

If you’re trying to identify which file was changed most recently, you can get the last modified file in a directory with this simple command:

Get-ChildItem "C:\Reports\" -File | Sort-Object LastWriteTime -Descending | Select-Object -First 1 |
Select-Object Name, LastWriteTime, @{Name="Owner";Expression={(Get-Acl $_.FullName).Owner}}

This command gets all files in the specified directory, sorts them by last write time in descending order, selects only the first one (most recently modified), and displays its name, last modification time, and owner.

Read Copy and Rename Files in PowerShell

Troubleshooting Common Issues

If you are working with PowerShell, you might face some errors. I have encountered some issues and fixed those errors.

Issue 1: Access Denied Errors

If you encounter “Access Denied” errors, make sure you’re running PowerShell as an administrator. Additionally, check that your user account has permissions to access the security logs and file attributes.

Issue 2: Security Events Not Appearing

If you’ve set up auditing but don’t see any events, verify that:

  • Auditing is properly configured
  • The event ID you’re filtering for is correct
  • You have sufficient disk space for security logs

Issue 3: Performance Issues with Large Directories

When working with large directories, recursive operations can be slow. Consider limiting your search scope:

# Instead of
Get-ChildItem "C:\Reports\" -Recurse

# Try
Get-ChildItem "C:\Reports\" -Recurse -Depth 2 -File

This limits the recursion depth and only returns files, not directories.

I hope you found these methods helpful for tracking down who modified files on your Windows systems. Whether you’re investigating a security incident, tracking down unauthorized changes, or simply trying to determine who made modifications to your servers, PowerShell offers various methods to identify the last user to modify a file in Windows.

If you have any questions or suggestions, please feel free to share them in the comments below.

You may also like the following tutorials:

100 PowerShell cmdlets download free

100 POWERSHELL CMDLETS E-BOOK

FREE Download an eBook that contains 100 PowerShell cmdlets with complete script and examples.