Realtime monitor of process (file) handles?

Post by bbanelli »

Greetings to all,

Is there a "simple" way to monitor which files are opened by a Windows process? Say, I hook into Notepad and get a list of files opened/saved/created?

TIA!

Bruno
"If you lie to the compiler, it will get its revenge."
Henry Spencer
https://www.pci-z.com/

Re: Realtime monitor of process (file) handles?

Post by djes »


Re: Realtime monitor of process (file) handles?

Post by bbanelli »

djes wrote: Process monitor ?
That'd be great, if I had the source code. :)

I was, naturally, thinking of a PB-based solution through WinAPI.

Re: Realtime monitor of process (file) handles?

Post by djes »

Yet Another (remote) Process Monitor is available with source code.

Re: Realtime monitor of process (file) handles?

Post by Zebuddi123 »

Hi bbanelli. Code-wise there's also ProcessHacker in C#. Running in dbg32 (VS 2017 r68) now. Maybe some info there, very similar to Process Monitor and Comodo's tool.

Zebuddi.
https://sourceforge.net/p/processhacker/code/HEAD/tree/
malleo, caput, bang. Ego, comprehendunt in tempore

Re: Realtime monitor of process (file) handles?

Post by tj1010 »

If I remember correctly you need a filter driver for this and can't pull it off with a userland hook. I once tried to do a tool that lists the PID and name of everything that accessed a selected folder and ended up doing a driver. This was on 7 too so probably still the same deal.

I believe it was because of all the API abstraction levels on top of the ACL.
The truth hurts.