Auditing Shadow Copy Activity - Creation not logged


I use Change Auditor v6.9.2.

Regarding common attacks on Active Directory(AD), I would like to know when a Shadow Copy(SC) is created/deleted on my Domain Controller(DC).
A backup, exploiting SC, is realize every days on my DC so I can check results of my configuration every days.


Actually I use "Exclude Account" modules to Auditing my DC as you can see below :

I activated "Shadow Copy Created/Deleted/Rolled Back" in "Auditing/Audit Events" menu :

This configuration give me alerts on SC Deleted but never on SC Created.

I tried to add the File System auditing module but it didn't works better and SC Deleted events disappeared when File System module is activate.


Do you know how to properly auditing SC Activity ?
Did I miss an option or misunderstanding something about SC ?

Thanks for your help.

  • Hi Adrien,

    This appears to be a known issue. I am investigating further and will provide another update soon.

  • In reply to Chris.Hood:

    Hi Adrien,

    As mentioned it seems this is a known issue. I have included the defect details below.

    Defect ID 21826: File system auditing Shadow copy events missing or have wrong value recorded for Path

    There is no ETA available at the moment when this issue will be resolved. I would advise to open a Support case for further investigation if desired.

  • In reply to Chris.Hood:

    Hi Chris,

    Thank you for your answer.
    I will then open a Support case.