SOC Event Lookup
Event ID 5145FileShareP2

Windows Event ID 5145: A network share object was checked for access

Windows Security Event ID 5145 records that Windows evaluated a client's access request against a network share object, logging the share name, relative target path, client identity, source IP, and the access mask requested or denied.

Applicable version
Windows Server 2008 R2 and later
Last reviewed
2026-07-12

Trigger Scenarios

This event fires for every SMB file or directory access check on audited shares. It is extremely high-volume on file servers and is usually filtered in production to administrative shares (ADMIN$, C$, IPC$), failure events, or specific high-value share paths. Attack-relevant scenarios include lateral movement via PsExec or Impacket, ransomware staging, and credential-file access via SYSVOL.

Key Fields

Share Name

The UNC name of the accessed share. ADMIN$, C$, and IPC$ are administrative shares used by remote management protocols and lateral movement tools; access to these by non-administrative accounts or from unusual sources is a T1021.002 indicator.

Relative Target Name

The path to the specific file or directory within the share. A RelativeTargetName ending in .exe or .dll under ADMIN$ or C$ is the PsExec/Impacket binary-staging pattern for lateral movement. A path like Policies\...\Groups.xml under SYSVOL indicates Group Policy Preferences credential harvesting.

Access Mask

Bitmask of the requested operations. Key values: 0x2 (WriteData/AddFile) means write access — the attacker is dropping a file; 0x10000 (DELETE) means deletion; 0x40000 (WRITE_DAC) and 0x80000 (WRITE_OWNER) mean ACL modification. Microsoft recommends alerting on these values on failure events particularly for WriteData, AppendData, WriteEA, DeleteChild, WriteAttributes, DELETE, WRITE_DAC, and WRITE_OWNER.

Network Information\Source Address / Source Port

The IP address and port of the client. A source IP not in the expected administrative subnet accessing ADMIN$ or C$ is a concrete indicator of unauthorized lateral movement rather than routine administration.

Common False Positives

  • Backup agents, antivirus scanners, and SCCM/Intune management traffic legitimately access administrative shares at high frequency.
  • DFS replication and Windows Update processes access specific share paths under ADMIN$.
  • Help-desk remote support tools that use ADMIN$ for file staging during troubleshooting.

Related Events

MITRE ATT&CK Mapping

  • T1021.002Remote Services: SMB/Windows Admin Shares

Detection Notes

Access Mask 0x2 (WriteData) against Share Name containing ADMIN$ and a Relative Target Name ending in .exe or .dll is the binary-staging pattern for T1021.002 lateral movement: PsExec uploads a service binary to ADMIN$ before creating a service on the target. Impacket's psexec.py additionally writes named pipes with predictable RelativeTargetName values (Remcom_Communication, RemCom_stderrt, RemCom_stdoutt) under IPC$ — alert on those strings regardless of Access Mask. For failure events, Microsoft recommends monitoring any 5145 failure involving Access Mask bits 0x2 (WriteData), 0x4 (AppendData), 0x10 (WriteEA), 0x40 (DeleteChild), 0x100 (WriteAttributes), 0x10000 (DELETE), 0x40000 (WRITE_DAC), or 0x80000 (WRITE_OWNER) — these operations on a denied share indicate an account probing access boundaries rather than routine reads. Correlate the Source Address and Subject Logon ID with the originating 4624 Type 3 logon for the same session.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 5145
| where ShareName has_any ("ADMIN$", "C$", "IPC$")
| where AccessMask has_any ("0x2", "0x10000")
| project TimeGenerated, Computer, SubjectUserName, IpAddress, ShareName, RelativeTargetName, AccessMask, Keywords
Splunk SPL
index=wineventlog EventCode=5145
| search ShareName IN ("*ADMIN$*", "*C$*", "*IPC$*") AccessMask IN ("0x2", "0x10000")
| table _time, host, SubjectUserName, IpAddress, ShareName, RelativeTargetName, AccessMask
Sample Log
Subject:
  Security ID: CORP\jsmith
  Account Name: jsmith
  Account Domain: CORP
  Logon ID: 0x5BE120
Network Information:
  Source Address: 10.10.20.55
  Source Port: 49155
Share Information:
  Share Name: \\DC01\ADMIN$
  Share Path: C:\Windows
  Relative Target Name: PSEXESVC.exe
Access Information:
  Access Mask: 0x2
  Accesses: WriteData (or AddFile)

Source