Reputation: 373
How is it possible to understand which process deletes a file on the hard drive
I have the following problem. I develop an application that keeps the settings in preference files. At some point in time, one of these files is being deleted. This file can not be deleted from my application.
How is it possible to understand which process deletes a file on the hard drive under Windows?
EDIT: The problem appears rarely. I'm looking for a program that can run as a service or something else so I can do a patch for the application which to monitor in runtime if someone deletes the file and writes which process it has done.
Upvotes: 11
Views: 6930
Answers (4)
Reputation: 571
You could develop a service and use FileSystemWatcher and monitor the Deleted Event. FileSystemWatcher.Deleted Event
Upvotes: 0
Reputation: 629
May be using Process Monitor, with this parameters «operation: SetDispositionInformationFile, Result: SUCCESS, detail:"Delete:True"» on your path.
More detail abut this :here and here
Upvotes: 6
Reputation: 1938
Sysinternals from Microsoft should be able to help you.
https://learn.microsoft.com/en-us/sysinternals/downloads/
Look under File and Disk Utilities. There are utilities that can show you which process accesses/modifies a given file.
Upvotes: 0
Reputation: 139157
If you're ok with a C# solution, you can use the Microsoft.Diagnostics.Tracing.TraceEvent nuget packagage. It's a wrapper over ETW (Event Tracing for Windows) events.
What happens is the Windows kernel traces everything, and you can get those traces in real time. But it's sometimes difficult to correlate them.
In your case, you're looking after file delete events, but unfortunately, these events have no process information attached to it, so I've used another event. Here is some sample code:
using System;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;
namespace TraceDeletes
{
class Program
{
static void Main(string[] args)
{
if (TraceEventSession.IsElevated() != true)
{
Console.WriteLine("To turn on ETW events you need to be Administrator, please run from an Admin process.");
return;
}
// we're watching that particular file
string filePath = @"C:\temp\New Text Document.txt";
ulong fileKey = 0;
string processName = null;
using (var session = new TraceEventSession("whatever"))
{
// handle console CTRL+C gracefully
Console.CancelKeyPress += (sender, e) => session.Stop();
// we filter on events we need
session.EnableKernelProvider(
KernelTraceEventParser.Keywords.DiskFileIO |
KernelTraceEventParser.Keywords.FileIOInit);
// this event has no process information
session.Source.Kernel.FileIOFileDelete += data =>
{
if (data.FileKey == fileKey)
{
Console.WriteLine(data.FileName + " was deleted by " + processName);
fileKey = 0;
processName = null;
}
};
// this event has process information (id, name)
// it happens before delete, of course
// we remember the FileKey
session.Source.Kernel.FileIOQueryInfo += data =>
{
if (string.Compare(data.FileName, filePath, StringComparison.OrdinalIgnoreCase) == 0)
{
fileKey = data.FileKey;
processName = data.ProcessName;
}
};
// runs forever, press CTRL+C to stop
session.Source.Process();
}
}
}
}
If you create that "C:\temp\New Text Document.txt" file and delete it using Windows Explorer, you should see this:
C:\temp\New Text Document.txt was deleted by explorer
Note: ETW is of course usable using other languages, but it's much easier with this .NET library.
Upvotes: 2
Related Questions
- Find process that created a file on windows
- Delete a file being used by another process
- Detecting a File Delete on an Open File
- How to delete file and that file is used by another process using C#
- Deleting a file forcefully even though it is being used by the other process
- File is being used by another process while deleting the file
- How find a process which removed/moved a given file in Windows
- Find which process is using a file
- Which process is accessing the file that caused an IOException when I tried to delete it?
- How to delete a file used by other process