Windows Event ID 5145 — Network Share Object Access Checked
Logged when access is checked on a file or folder within a network share — more granular than 5140 (share level) but very high volume.
Why It Matters
Provides file-level visibility into what an account accessed within a share. Useful for data theft investigations but generates extreme log volume — typically only enable for specific sensitive shares.
Key Fields
Investigation Tips
1. Only enable on shares containing sensitive data — enabling everywhere generates millions of events per day.
2. Use for post-incident forensics to reconstruct exactly which files an attacker accessed.
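The forensic reconstruction in tip 2, as an added example that is not part of the original page: it parses events exported as XML, keeps only 5145, and lists per account and source address which share paths were checked, in time order. The sample events are constructed; the `Data` names used (`SubjectUserName`, `IpAddress`, `ShareName`, `RelativeTargetName`) are fields of the 5145 event, and the `<Events>` wrapper is assumed to match your export.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(event_id, when, user, ip, share, target):
    """Build one constructed event in the exported-XML layout (sample data only)."""
    fields = {"SubjectUserName": user, "IpAddress": ip,
              "ShareName": share, "RelativeTargetName": target}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System>'
            f'<EventData>{data}</EventData></Event>')

# Constructed sample: three 5145 events (out of order) and one 5140 to be skipped.
SAMPLE = "<Events>" + "".join([
    _event(5145, "2024-01-01T10:00:05Z", "jdoe", "10.0.0.5", r"\\*\Finance", "payroll.xlsx"),
    _event(5140, "2024-01-01T10:00:00Z", "jdoe", "10.0.0.5", r"\\*\Finance", ""),
    _event(5145, "2024-01-01T10:00:01Z", "jdoe", "10.0.0.5", r"\\*\Finance", r"budget\q1.docx"),
    _event(5145, "2024-01-01T10:00:09Z", "svc_backup", "10.0.0.9", r"\\*\Finance", "payroll.xlsx"),
]) + "</Events>"

def parse_5145(xml_text):
    """Return one dict of EventData fields per 5145 event; other IDs are ignored."""
    rows = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "5145":
            continue
        row = {d.get("Name"): d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS)}
        row["Time"] = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        rows.append(row)
    return rows

def files_by_actor(rows):
    """Map (account, source IP) -> time-ordered list of (time, share path)."""
    out = defaultdict(list)
    for r in rows:
        path = r["ShareName"] + "\\" + r["RelativeTargetName"].lstrip("\\")
        out[(r["SubjectUserName"], r["IpAddress"])].append((r["Time"], path))
    # ISO 8601 timestamps in one format sort correctly as plain strings.
    return {actor: sorted(hits) for actor, hits in out.items()}

if __name__ == "__main__":
    for actor, hits in files_by_actor(parse_5145(SAMPLE)).items():
        print(actor, hits)
```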