Hello, C#
How can I get the last process that has written to a file?
For example, example.exe writes 'A' in a file, and another process called Getter.exe (which monitors the file) gets example.exe.
Is there an API?
Thanks in advance
C#
I would think that the easiest solution would be to enable file auditing and then analyze the security event log. You could use the task scheduler and trigger on an event being written.
https://www.varonis.com/blog/windows-file-system-auditing/
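An added example, not part of the original answer, of analyzing the security event log as suggested above. It assumes object-access auditing is enabled and the file has an audit entry, so that writes produce event 4663, which carries `ProcessName`, `ProcessId`, `ObjectName` and `AccessMask`. The class name, method names and sample event are constructed for illustration; on modern .NET the `System.Diagnostics.EventLog` package is needed.

```csharp
using System;
using System.Diagnostics.Eventing.Reader;
using System.Linq;
using System.Xml.Linq;

static class LastWriter
{
    static readonly XNamespace Ns = "http://schemas.microsoft.com/win/2004/08/events/event";

    // Constructed sample of a 4663 event, trimmed to the fields used below.
    const string Sample = @"<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
      <System><EventID>4663</EventID></System>
      <EventData>
        <Data Name='ObjectName'>C:\Temp\watched.txt</Data>
        <Data Name='AccessMask'>0x2</Data>
        <Data Name='ProcessId'>0x1a4c</Data>
        <Data Name='ProcessName'>C:\Tools\example.exe</Data>
      </EventData></Event>";

    // Returns the writing process if the event records WriteData (0x2) or AppendData (0x4).
    public static (string Process, int Pid)? ParseWrite(string eventXml)
    {
        var data = XDocument.Parse(eventXml).Descendants(Ns + "Data")
            .Where(d => d.Attribute("Name") != null)
            .ToDictionary(d => (string)d.Attribute("Name"), d => d.Value);
        int mask = Convert.ToInt32(data["AccessMask"], 16);   // accepts the "0x" prefix
        if ((mask & 0x6) == 0) return null;                   // read-only access, skip
        return (data["ProcessName"], Convert.ToInt32(data["ProcessId"], 16));
    }

    // Scans the live Security log newest-first; needs elevation and an audit entry on the file.
    public static (string Process, int Pid)? LastWriterOf(string path)
    {
        // path is treated as trusted; a single quote in it would break the XPath literal.
        string xpath = "*[System[(EventID=4663)]] and *[EventData[Data[@Name='ObjectName']='" + path + "']]";
        var query = new EventLogQuery("Security", PathType.LogName, xpath) { ReverseDirection = true };
        using (var reader = new EventLogReader(query))
            for (EventRecord r = reader.ReadEvent(); r != null; r = reader.ReadEvent())
                using (r)
                {
                    var hit = ParseWrite(r.ToXml());
                    if (hit != null) return hit;
                }
        return null;
    }

    static void Main(string[] args)
    {
        var hit = args.Length > 0 ? LastWriterOf(args[0]) : ParseWrite(Sample);
        Console.WriteLine(hit.HasValue ? $"{hit.Value.Process} (PID {hit.Value.Pid})" : "no write event found");
    }
}
```

Run without arguments it parses the constructed sample; run elevated with a full file path it queries the Security log, and only writes that happened after auditing was enabled will appear.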
I followed the link that cooldadtx provided and I could not find anywhere that process name was made available. Writing your own driver as Castorix31 offered will be challenging. Can you just use Process Monitor and filter on a file or folder name?
Perhaps if you could take a step back and explain the overall problem that you are trying to solve, maybe some forum user might have an alternative idea. I.e.: what is the real problem that you are trying to solve?
There is no API that tracks what process wrote to a file. The only thing the file system stores is the last write time in this regard.
The assumption here is that you want this after the fact. While your app is running you can get notifications from the system when a file is written but it doesn't provide any details about who. To do that you'll need to look into the FileSystemWatcher.
If these processes are made by you, I think that it is possible to design a custom file format for your specific purposes.
One of the only ways is to use a File System Driver and intercept IRP_MJ_WRITE
(a tool like Process Monitor does that)
Thanks guys, is it possible to use the event register instead of a driver?
Thanks in advance
Perhaps you could tell us the exact problem you're trying to solve so we can direct you better. Getting the process that wrote a file doesn't seem useful by itself and this information isn't persisted either way. You'd have to capture it at the moment it happened. Perhaps the problem you're trying to solve has a better solution.