Finding Process That is Creating a File on Disk (After The Fact)












1















In a Windows environment, how can I find a process that created a file, after the file was created. Or, how can I implement a solution that will track which process created a file, so that when the file is created that we can then make the determination of how it was created.



Finding the process that is creating a file while the file is being created is easy using something like ProcessMonitor (from SysInternals/Microsoft). However, we're looking at an environment where each PC has a file named "C:temptemp.txt" that just contains a zero on it. After deleting the file, it will, at some point, have the file recreated. Correlating the file creation time to events in Event Viewer has not yielded any results, and since the creation of the file isn't predictable I can't use something like ProcessMonitor to track it.



Optimally, since these machines are remote (managed under an RMM), I'd like something I can implement purely by command line.






windows-7 windows-10







share|improve this question


















  • 1





    Only way I can see is using process monitor to create a log over time, it will a be huge log but you should be able to search for the file name in the log and find the process.

    – Moab
    Feb 15 at 16:14






  • 1





    You can filter the log for only that file. It will appear blank until activity hits that file.

    – HackSlash
    Feb 15 at 22:07











  • Thanks guys. I was hoping to not have to do that, but it seems it is my only option. I have it running and assuming the buffer doesn't crash the PC in the interim, I'll get an answer.

    – Beems
    Feb 18 at 21:39
















1















In a Windows environment, how can I find a process that created a file, after the file was created. Or, how can I implement a solution that will track which process created a file, so that when the file is created that we can then make the determination of how it was created.



Finding the process that is creating a file while the file is being created is easy using something like ProcessMonitor (from SysInternals/Microsoft). However, we're looking at an environment where each PC has a file named "C:temptemp.txt" that just contains a zero on it. After deleting the file, it will, at some point, have the file recreated. Correlating the file creation time to events in Event Viewer has not yielded any results, and since the creation of the file isn't predictable I can't use something like ProcessMonitor to track it.



Optimally, since these machines are remote (managed under an RMM), I'd like something I can implement purely by command line.






windows-7 windows-10







share|improve this question


















  • 1





    Only way I can see is using process monitor to create a log over time, it will a be huge log but you should be able to search for the file name in the log and find the process.

    – Moab
    Feb 15 at 16:14






  • 1





    You can filter the log for only that file. It will appear blank until activity hits that file.

    – HackSlash
    Feb 15 at 22:07











  • Thanks guys. I was hoping to not have to do that, but it seems it is my only option. I have it running and assuming the buffer doesn't crash the PC in the interim, I'll get an answer.

    – Beems
    Feb 18 at 21:39














1












1








1








In a Windows environment, how can I find a process that created a file, after the file was created. Or, how can I implement a solution that will track which process created a file, so that when the file is created that we can then make the determination of how it was created.



Finding the process that is creating a file while the file is being created is easy using something like ProcessMonitor (from SysInternals/Microsoft). However, we're looking at an environment where each PC has a file named "C:temptemp.txt" that just contains a zero on it. After deleting the file, it will, at some point, have the file recreated. Correlating the file creation time to events in Event Viewer has not yielded any results, and since the creation of the file isn't predictable I can't use something like ProcessMonitor to track it.



Optimally, since these machines are remote (managed under an RMM), I'd like something I can implement purely by command line.






windows-7 windows-10







share|improve this question














In a Windows environment, how can I find a process that created a file, after the file was created. Or, how can I implement a solution that will track which process created a file, so that when the file is created that we can then make the determination of how it was created.



Finding the process that is creating a file while the file is being created is easy using something like ProcessMonitor (from SysInternals/Microsoft). However, we're looking at an environment where each PC has a file named "C:temptemp.txt" that just contains a zero on it. After deleting the file, it will, at some point, have the file recreated. Correlating the file creation time to events in Event Viewer has not yielded any results, and since the creation of the file isn't predictable I can't use something like ProcessMonitor to track it.



Optimally, since these machines are remote (managed under an RMM), I'd like something I can implement purely by command line.






windows-7 windows-10




windows-7 windows-10






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Feb 15 at 16:08









BeemsBeems

3973820




3973820








  • 1





    Only way I can see is using process monitor to create a log over time, it will a be huge log but you should be able to search for the file name in the log and find the process.

    – Moab
    Feb 15 at 16:14






  • 1





    You can filter the log for only that file. It will appear blank until activity hits that file.

    – HackSlash
    Feb 15 at 22:07











  • Thanks guys. I was hoping to not have to do that, but it seems it is my only option. I have it running and assuming the buffer doesn't crash the PC in the interim, I'll get an answer.

    – Beems
    Feb 18 at 21:39














  • 1





    Only way I can see is using process monitor to create a log over time, it will a be huge log but you should be able to search for the file name in the log and find the process.

    – Moab
    Feb 15 at 16:14






  • 1





    You can filter the log for only that file. It will appear blank until activity hits that file.

    – HackSlash
    Feb 15 at 22:07











  • Thanks guys. I was hoping to not have to do that, but it seems it is my only option. I have it running and assuming the buffer doesn't crash the PC in the interim, I'll get an answer.

    – Beems
    Feb 18 at 21:39








1




1





Only way I can see is using process monitor to create a log over time, it will a be huge log but you should be able to search for the file name in the log and find the process.

– Moab
Feb 15 at 16:14





Only way I can see is using process monitor to create a log over time, it will a be huge log but you should be able to search for the file name in the log and find the process.

– Moab
Feb 15 at 16:14




1




1





You can filter the log for only that file. It will appear blank until activity hits that file.

– HackSlash
Feb 15 at 22:07





You can filter the log for only that file. It will appear blank until activity hits that file.

– HackSlash
Feb 15 at 22:07













Thanks guys. I was hoping to not have to do that, but it seems it is my only option. I have it running and assuming the buffer doesn't crash the PC in the interim, I'll get an answer.

– Beems
Feb 18 at 21:39





Thanks guys. I was hoping to not have to do that, but it seems it is my only option. I have it running and assuming the buffer doesn't crash the PC in the interim, I'll get an answer.

– Beems
Feb 18 at 21:39










1 Answer
1






active

oldest

votes


















0














While it isn't a perfect solution, you could use FolderChangesView from Nirsoft to watch the Temp folder and trigger a process list or handle when the file is created.






share|improve this answer
























  • Unfortunately, that shows the owner and time created, but not my primary criteria: what process created it.

    – Beems
    Feb 18 at 21:39











  • @Beems So you tried it? a zero-length temp.txt file was created by the rogue app while you were testing and you used handle like handle c:temptemp.txt? Or are you assuming it isn't going to work because it's not showing locked in programs that don't lock it, like notepad or notepad++?

    – shawn
    Feb 19 at 0:06












Your Answer








StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1406156%2ffinding-process-that-is-creating-a-file-on-disk-after-the-fact%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









0














While it isn't a perfect solution, you could use FolderChangesView from Nirsoft to watch the Temp folder and trigger a process list or handle when the file is created.






share|improve this answer
























  • Unfortunately, that shows the owner and time created, but not my primary criteria: what process created it.

    – Beems
    Feb 18 at 21:39











  • @Beems So you tried it? a zero-length temp.txt file was created by the rogue app while you were testing and you used handle like handle c:temptemp.txt? Or are you assuming it isn't going to work because it's not showing locked in programs that don't lock it, like notepad or notepad++?

    – shawn
    Feb 19 at 0:06
















0














While it isn't a perfect solution, you could use FolderChangesView from Nirsoft to watch the Temp folder and trigger a process list or handle when the file is created.






share|improve this answer
























  • Unfortunately, that shows the owner and time created, but not my primary criteria: what process created it.

    – Beems
    Feb 18 at 21:39











  • @Beems So you tried it? a zero-length temp.txt file was created by the rogue app while you were testing and you used handle like handle c:temptemp.txt? Or are you assuming it isn't going to work because it's not showing locked in programs that don't lock it, like notepad or notepad++?

    – shawn
    Feb 19 at 0:06














0












0








0







While it isn't a perfect solution, you could use FolderChangesView from Nirsoft to watch the Temp folder and trigger a process list or handle when the file is created.






share|improve this answer













While it isn't a perfect solution, you could use FolderChangesView from Nirsoft to watch the Temp folder and trigger a process list or handle when the file is created.







share|improve this answer












share|improve this answer



share|improve this answer










answered Feb 15 at 18:25









shawnshawn

398110




398110













  • Unfortunately, that shows the owner and time created, but not my primary criteria: what process created it.

    – Beems
    Feb 18 at 21:39











  • @Beems So you tried it? a zero-length temp.txt file was created by the rogue app while you were testing and you used handle like handle c:temptemp.txt? Or are you assuming it isn't going to work because it's not showing locked in programs that don't lock it, like notepad or notepad++?

    – shawn
    Feb 19 at 0:06



















  • Unfortunately, that shows the owner and time created, but not my primary criteria: what process created it.

    – Beems
    Feb 18 at 21:39











  • @Beems So you tried it? a zero-length temp.txt file was created by the rogue app while you were testing and you used handle like handle c:temptemp.txt? Or are you assuming it isn't going to work because it's not showing locked in programs that don't lock it, like notepad or notepad++?

    – shawn
    Feb 19 at 0:06

















Unfortunately, that shows the owner and time created, but not my primary criteria: what process created it.

– Beems
Feb 18 at 21:39





Unfortunately, that shows the owner and time created, but not my primary criteria: what process created it.

– Beems
Feb 18 at 21:39













@Beems So you tried it? a zero-length temp.txt file was created by the rogue app while you were testing and you used handle like handle c:temptemp.txt? Or are you assuming it isn't going to work because it's not showing locked in programs that don't lock it, like notepad or notepad++?

– shawn
Feb 19 at 0:06





@Beems So you tried it? a zero-length temp.txt file was created by the rogue app while you were testing and you used handle like handle c:temptemp.txt? Or are you assuming it isn't going to work because it's not showing locked in programs that don't lock it, like notepad or notepad++?

– shawn
Feb 19 at 0:06


















draft saved

draft discarded




















































Thanks for contributing an answer to Super User!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1406156%2ffinding-process-that-is-creating-a-file-on-disk-after-the-fact%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

flock() on closed filehandle LOCK_FILE at /usr/bin/apt-mirror

Image
0 I recently upgraded an Ubuntu 16.04 virtual machine to 18.04. I regularly use this VM to run apt-mirror at school on their high-speed internet, then rsync these files to my rack-mount server at home for updating multiple computers at home without wasting the tiny amount of bandwidth I have there. Since updating I can't get apt-mirror to run on my VM. It keeps giving the error: flock() on closed filehandle LOCK_FILE at /usr/bin/apt-mirror line 214 immediately followed by: apt-mirror is already running, exiting at /usr/bin/apt-mirror line 217 apt-mirror is NOT running, and does not have a cron job. I've tried rebooting, and even looked for the old-style lockfile to delete, but I guess that method is no longer used. Is there some way to force unlock this so I can run apt-mirror? UPDATE: So... I f
Read more

Mangá

Image
  Nota:  Não confundir com Manga. Mangás e Animes Mangá Mangaká • Tankōbon Film comic La nouvelle manga Mangá original em inglês Anime História Animação influenciada por animes • Filler • OVA • Seiyū Públicos Kodomo • Shōjo • Shōnen Josei • Seinen Gêneros Mahō shōjo • Mecha • Harém Ecchi • Hentai ( Yaoi • Yuri Futanari • Shotacon • Lolicon Toddlercon ) Termos Bishōjo • Chibi • Fan service Gaiden • Kawaii • Kaitō • Light novel Mahō shōnen • Moe (antropomorfismo • Kemonomimi Nekomimi ) • Super deformed Omake • Tsundere • Yonkoma Listas Mangás • Animes • Ecchi • Mangaka • Estúdios • Revistas Fãs ( otaku ) Anime Music Video Convenções • Cosplay Dōjinshi • Fansub • Fandub • Fujoshi OS-tan • Scanlation Portal de Anime e mangá v d e O mangá (português brasileiro) ou manga (português europeu) [ 1 ] (em japonês: 漫画 , manga ? , lit. “história em quadrinhos”) , é a
Read more

 ⁒  ․,‪⁊‑⁙ ⁖, ⁇‒※‌, †,⁖‗‌⁝    ‾‸⁘,‖⁔⁣,⁂‾
”‑,‥–,‬ ,⁀‹⁋‴⁑ ‒ ,‴⁋”‼ ⁨,‷⁔„ ‰′,‐‚ ‥‡‎“‷⁃⁨⁅⁣,⁔
⁇‘⁔⁡⁏⁌⁡‿‶‏⁨ ⁣⁕⁖⁨⁩⁥‽⁀  ‴‬⁜‟ ⁃‣‧⁕‮ …‍⁨‴ ⁩,⁚⁖‫ ,‵ ⁀,‮⁝‣‣ ⁑  ⁂– ․, ‾‽ ‏⁁“⁗‸ ‾… ‹‡⁌⁎‸‘ ‡⁏⁌‪ ‵⁛ ‎⁨ ―⁦⁤⁄⁕

⁉…‧ ⁩,“⁡‹⁃‽⁞•,⁠‚  ⁓⁎  ⁜ ‴ ⁥⁡⁎‭,‍‑⁁⁌⁦ ⁁‟⁙‥‒“⁈ ,‪⁧ ⁙‿⁇⁦,⁝‘ ⁎“⁘‫‪,‗‹‛‹⁒  ⁇⁄‗‒•“⁇   ‐ ⁂
‘‛, ‶⁦ ⁇ ​⁞‧ 
,⁏ …‹–⁗⁡⁘⁄ ‏‿‬‟″ ‏⁢⁦⁗⁚⁝‬⁢⁏,⁧″⁍′‖⁂※⁄‘– ‵⁡ ‭⁢⁚,⁅‧,‼‛⁗,⁡⁗“⁔⁃⁍‷⁏‗‱⁌‚  
•⁝ ‚‒ ‥‰  ′⁌, ⁄, ⁛—‭‑”⁂,⁑ ‡⁨‴⁖⁙…,‑, ,⁎,․‣‥  ‴‎⁎,″‛⁎‭‿ ⁤ ‷‾‼‖,⁠⁊‾,⁦“‗‑‌†,⁙,†⁝′ 
,―‚․‘, ⁢  ‿‌,⁀„‣,⁌,‭‖ ⁆“‪,―  ⁀ ⁃,
‷⁥,​,‟‗⁄⁉⁐⁗―
,‮⁢⁩⁆⁣‹‭⁅ ⁝‾‏‭⁖ ⁕⁄‷,†‟‒ ⁣‹,​…​,⁤⁂⁨‮⁎⁙–‟‼ ⁍‱‱,‽,‫‽‣ ⁒,⁨ ⁄ ⁝”„‿‑‎⁈‿
 ⁀‛‼‟ ⁑“,⁩​ ‒
–⁡…⁢ ⁂ ⁈⁎,‵‡,⁛,,‱⁧⁋,․‬⁄ “,⁄‴⁊  ‗―,‵⁙⁔—⁀ —  ⁀‬‬ ‒⁋‼⁀― ,⁌′ ‍‶ ’
Read more