Hook a process and get files it`s created\deleted\renamed

Question

0.00/5 (No votes)

See more:

I have created a c# program which gets new loaded process

C#

startWatch.EventArrived += new ventArrivedEventHandler(startWatch_EventArrived);

and doing stuff when eventHandler fire.

afterwards im using:

C#

foreach (var runningProcess in Process.GetProcessesByName(ShortProcessName))

to get runningProcess.MainModule data for the current process and after that

C#

foreach (System.Diagnostics.ProcessModule module in MYPROCESS.Modules)

to get list of child process and modules.

My next wish is to get an output of files which created \ deleted \ renamed \ changed \ whatever by the process i catched.

What I have tried:

I have tried digging the 'Process' constructure and modules but didn't find anything for that. also tried using filewatcher, but also here cannot get you the parent process responsible for file changes. i guess this cannot be done using high level language such as c# but lower.

Unfortunatly im not familiar with lowers. in the end i want a service \ watcher to hook a process real-time and create an output (file) of which file he has been messing with.

Posted 9-Oct-16 6:49am

Aner Izraeli

Updated 9-Oct-16 9:50am

Wendelius

v2

Add a Solution

Comments

Suvendu Shekhar Giri 9-Oct-16 12:57pm

Looking at another very simple approach,
if you already the location (folder path) where the new files are being created then you can get all the information regarding file created/changed/deleted.

Or am I missing something obvious here?

Aner Izraeli 9-Oct-16 15:02pm

think of a malware approach,
you cant know in which folder the malware will create\delete\rename files.
if i would know the folder path, than i can easly use filewatcher. :)

Kornfeld Eliyahu Peter 9-Oct-16 13:05pm

Do you talking about a kind of history of file access?

Aner Izraeli 9-Oct-16 15:02pm

no,
im talking about which file created\deleted\renamed right now, by a process.

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Wendelius · Answer 1 · 2016-10-09T08:17:00

Solution 1

If I understand the question correctly you could utilize the idea from Listing Used Files[^]

Another option could be to use an utility like handle.exe. See https://technet.microsoft.com/en-us/sysinternals/handle.aspx[^]

Posted 9-Oct-16 8:17am

Wendelius

Comments

Aner Izraeli 9-Oct-16 15:47pm

Thanks! check those two suggestions.
it`s a solution for current handeled files\modules.
im looking for previous handeled file by a process.
for example:
1. a process helloworld.exe loaded.
2. the process creating a file - "testfile.bat"

I want to know that testfile.bat was created by helloworld.exe.

hope im more clear.
Thanks :)

Wendelius 9-Oct-16 23:27pm

As far as I know, the information, which program created or modified a file, isn't available in Windows after the process has closed the file. The only way is to make observations when the file is open by a process.

Kornfeld Eliyahu Peter · Answer 2 · 2016-10-09T09:50:00

I do not think you can tell why a process opened a file, but can tell the files the process currently holds open...
First of all you have to dig into old WIN32 API
NtQuerySystemInformation[^]
This function is not much documented and the help page will not contain the SystemHandleInformation enumerated value (16) for the first parameter, but still will have to use it...
You will have to call it twice, once the last parameter as return value of the needed buffers size, and a second time with NULL at the last parameter to actually retrieve the values...
The result of this function is a list of all handles (of all types) for all processes...You have to enumerate them and check the type and the process owns the handle...
Using NtQueryObject[^] in a loop (using ObjectNameInformation as second parameter), will provide you with the device based name of the file the handle holds...
To find the user friendly name you have to use QueryDosDevice[^] function - it will map device to letter...
Two things:
1. You have to duplicate the handle into your process before using it. Do it using OpenProcess[^] with PROCESS_DUP_HANDLE, and DuplicateHandle[^] after that.
2. NtQueryObject will hang if the handle points to named pipe (bug), so you should first try to run it in a new thread to check it, and only if the thread does not hand go on and use it in the main thread...
---
And...
There are some ready-made solutions out there, with source code:
HOWTO: Enumerate handles - Sysinternals Forums[^]
Examine Information on Windows NT System Level Primitives[^]