File Watcher - get the name of the process that created a file on Windows?

Is there a good way to get the name of the process that created the file on Windows?

I have a directory on Windows 2000 Server, C:\WINNT\Temp, which is filled with files like:
70618199
21834082

They are always 121.201 KB in size.

Can you programmatically capture the name of the program or the name of the service that deletes files at this location?

ADDITIONAL INFORMATION:
I have done some more research on this. I renamed the TIFF file and was able to open it.
This machine works as a document search tool through a custom-written ASP.NET application. The machine contains about 50,000 TIFF documents on the E:\ drive. This machine also runs SQL Server 2000 with full-text indexing. Full-text indexing doesn't affect TIFF in any way - but it shouldn't, because it's SQL, right? But FTS does require the Indexing Service to be enabled. The weird thing is that this TIFF appears to be the largest one served by the web server. Is IIS or Indexing Service using C:\WINNT\Temp for some kind of caching? Thoughts?

RESOLUTION (maybe?) Looks like Microsoft Indexing Service.
When I close it, none of these files are created in WINNT\Temp.
It seems to grab the largest file found and copy it to WINNT\Temp. This is strange. When you are dealing with a 100MB+ TIFF file, it can run out of disk space. Very annoying.
I guess I'll just close the "Web" branch of my Indexing Services.

0




7 replies


There is always Process Monitor, which replaces FileMon and will tell you which process is accessing the files in question.



+3




If you want something similar to fuser for Windows, you can check out Process Explorer.



It won't let you watch the file, but you can see if the currently running processes will access this temp directory and create similar named temp files.

+3




I used FileMon.exe, but it only works in XP.

+1




The only way I have found to do this from .NET is to launch the Sysinternals command-line Handle app, pass in the file name, and read the console output to try to catch the original application with the file descriptor open.

Otherwise the utilities that others have talked about will work fine.

+1
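
The approach in the answer above (launch Sysinternals Handle and read its console output), shown in Python as an added example that is not the poster's code. It assumes handle.exe is on PATH and that its name-search lines look like the constructed sample; Handle only reports handles that are open at the moment it runs, so `run_handle` has to be polled to catch a short-lived writer.

```python
import re
import subprocess
from collections import defaultdict

# Matches Handle's name-search lines, with or without the "type:" column.
LINE = re.compile(
    r"^(?P<image>\S.*?)\s+pid:\s*(?P<pid>\d+)\s+"
    r"(?:type:\s*(?P<type>\S+)\s+)?"
    r"(?P<handle>[0-9A-Fa-f]+):\s+(?P<path>.+?)\s*$"
)

def parse_handle_output(text):
    """Return one dict per open-handle line; banner and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows

def holders(text, directory):
    """Map (image, pid) -> sorted paths it holds open under `directory`."""
    prefix = directory.rstrip("\\").lower() + "\\"  # avoid matching C:\WINNT\Temporary
    found = defaultdict(set)
    for row in parse_handle_output(text):
        if row["path"].lower().startswith(prefix):
            found[(row["image"], row["pid"])].add(row["path"])
    return {key: sorted(paths) for key, paths in found.items()}

def run_handle(directory, exe="handle.exe"):
    """Run Handle once against `directory` (assumption: handle.exe is on PATH)."""
    done = subprocess.run([exe, "-accepteula", directory],
                          capture_output=True, text=True, check=False)
    return done.stdout

# Constructed sample output, not captured from a real machine.
SAMPLE = r"""
Handle - banner text (constructed)
cidaemon.exe       pid: 1480   type: File           2C4: C:\WINNT\Temp\70618199
cidaemon.exe       pid: 1480   type: File           2D0: C:\WINNT\Temp\21834082
inetinfo.exe       pid: 912    type: File           1A8: C:\WINNT\Temporary\log.txt
oldtool.exe        pid: 77     3C: C:\WINNT\Temp\70618199
"""

if __name__ == "__main__":
    for (image, pid), paths in holders(SAMPLE, r"C:\WINNT\Temp").items():
        print(f"{image} (pid {pid}): {', '.join(paths)}")
```
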




You can always set this directory read-only and see what it does. Although, if it's a document server, you might not want to do this.

0




\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\service.exe

This is the Recycler virus. It created a hidden folder called "Recycler". On all disk partitions, I was unable to remove them from Windows Safe Mode. Norton, AVG, Kaspersky could not detect or remove it.

I turn off System Restore by restarting my computer using the boot drive, going to the command prompt and deleting the "Recycler" folder from all drives, using the command rmdir /s c:\recycler

This is the only one that worked for me on Windows XP.

0




Just use the standard Win32 API (NAPI).

See Adv. Win32 api ng news://comp.os.ms-windows.programmer.win32 for source code (C)

-1

