Get application/program which created a file in PowerShell

Question

I have several programs (.exe) installed on my computer which create ".dat" files. One of them creates very large files.

I want to delete only the files created by this program.

Is there a way in PS to know which program has created a file?

I try to filter them in following code:

Get-ChildItem $path -Filter "*.dat" -Recurse -Force |'
Where-Object {$_.CreationTime -lt $limit -and $_.LastAccessTime -lt $limit2 -and $_.Attributes -notmatch "Offline" } |'
Remove-Item -Force

Answer 1

I would suggest using ProcessMonitor ( http://technet.microsoft.com/en-gb/sysinternals/bb896645). This will show all file system activity and will quickly show you which processes are accessing which files.

Answer 2

One option is to execute the ".exe programms" under different credentials, one different user per exe. Then you can use get-acl to identify who created each file:

$OWNER = "xxxx"
Get-ChildItem $path -Filter "*.dat" -Recurse -Force |'
Where-Object {Get-Acl $_.FullName -eq $OWNER -and $_.CreationTime -lt $limit -and $_.LastAccessTime -lt $limit2 -and $_.Attributes -notmatch "Offline" } |'
Remove-Item -Force

Answer 3

This is not possible unless your program somehow stamps a property onto .dat file which you would then read.

Use Process Explorer if you want to find out which executable creates the file in question.