I'm looking for a way to determine all the files a process has opened on Windows. This is different from many (already answered) questions on here because I need to know all files the process has opened, not just the ones it has open when I look for them. That way, I avoid missing files that have been completely loaded into memory and then closed. Here are some things I've tried that haven't worked:

  • ProcExp and Handle by SysInternals (both only list currently open files)
  • ProcMon by SysInternals (with filters of the process name and the ReadFile and WriteFile operation). This one surprised me. Why wouldn't it work?

My test case is opening a text file off of a flash drive with Notepad, so I wouldn't expect ProcExp or Handle to work (since Notepad reads everything into memory, then closes the file). ProcMon seems like it should work, though. In fact, when I edit the text file and save it, I can see the WriteFile operation and the path to my text file. The only ReadFile operations I can see when I open the file, though, are of C:\Windows\Fonts\StaticCache.dat. Maybe it's just that my filter config is wrong? Or would another tool work better for me?

  • You are using the correct tools. "not just the ones it has open when I look for them." Say what?
    – Ramhound
    Commented Aug 31, 2015 at 17:58
  • @Ramhound, he said "all files the process has opened, not just the ones it has open when I look for them". Try quoting more of his sentence. And he said "Notepad reads everything into memory, then closes the file" <-- And he is correct. So he's suggesting that if Notepad were to keep the handle open then he'd know.
    – barlop
    Commented Aug 31, 2015 at 18:32
  • What if in process monitor, you filter for process of notepad.exe and path that starts with C:\
    – barlop
    Commented Aug 31, 2015 at 18:35
  • These are all the things related to a file that Notepad reads. I'm not sure which involves reading though: i.imgur.com/wczx43T.png But what if you just run Process Monitor and filter on a process name? You will get every file the process works with.
    – barlop
    Commented Aug 31, 2015 at 18:45
  • @barlop Sorry for my delayed response. Taking off all Operation filters just produces a lot of data for a lazy person to go through :) I think what I really need to do is read up on exactly what each operation means, but documentation on this seems to be lacking... It seems that a QueryDirectory filter should work for most purposes.
    – KnightOfNi
    Commented Aug 31, 2015 at 19:10

1 Answer

So, I did figure out how to do it. Unfortunately, there don't seem to be very many readily available resources on how to use ProcMon, and my filters were actually working against me. Here's a blow-by-blow:

  1. Add a filter to include the process you want to examine
  2. On the right side of the upper bar (which is just below File, Edit, Event, etc.), there are five icons, four of which should be highlighted by default. Deselect all of them except for "Show Filesystem Activity" (a computer with a magnifying glass over it). Now you should see only files being accessed by your program, and not the usual slew of registry keys.
  3. To filter out the junk DLLs and config files it typically accesses, figure out which folder most of them are in (oftentimes C:\Windows) and add a filter like this one: 'Path' 'Contains' [your folder] 'Exclude'
  4. As an alternative to step 3, add a filter like this to just exclude dlls: 'Path' 'Contains' '.dll' 'Exclude'

You should now see almost exclusively files and folders the program is opening that aren't dependencies.

  • I guess you still get lots of repeats like in the screenshot in my comment, a file blah.txt could be repeated loads of times. I can't see a way to get it to only show once, unless perhaps exporting to excel and running something there.
    – barlop
    Commented Aug 31, 2015 at 22:21
  • Yeah, I'm not sure how to make that go away. Still, it's better than all of the excess junk I was getting.
    – KnightOfNi
    Commented Aug 31, 2015 at 22:36
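The four filter steps in the answer, and the duplicate-row problem raised in the comments under it, can be reproduced offline against a ProcMon CSV export. The PowerShell below is an added example and is not code from the question, the answer, or Sysinternals. It assumes Procmon.exe is on the PATH (only the capture helper needs it), that the target process is notepad.exe, and the sample CSV rows are constructed to match the column layout of a ProcMon "Save as CSV" export; the E:\notes.txt path is made up.

```powershell
# Added example, not from the original Q&A. Reproduces the answer's ProcMon
# filter chain (process -> file-system events only -> exclude C:\Windows and
# .dll) over a CSV export, and collapses repeated rows into one line per path.
# Assumptions: procmon.exe on PATH (capture helper only), target notepad.exe,
# and a constructed sample CSV below.

function Invoke-ProcmonCapture {
    # Headless capture: start ProcMon, wait, stop it, convert the PML to CSV.
    param(
        [string]$PmlPath = "$env:TEMP\trace.pml",
        [string]$CsvPath = "$env:TEMP\trace.csv",
        [int]$Seconds = 30
    )
    # /BackingFile writes the trace to disk; /Quiet suppresses the filter dialog.
    Start-Process procmon.exe -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$PmlPath`""
    Start-Sleep -Seconds $Seconds
    # /Terminate stops the running instance and flushes the backing file.
    Start-Process procmon.exe -ArgumentList "/Terminate" -Wait
    # /OpenLog plus /SaveAs converts the trace; the extension (.csv) picks the format.
    Start-Process procmon.exe -ArgumentList "/AcceptEula /OpenLog `"$PmlPath`" /SaveAs `"$CsvPath`"" -Wait
    return $CsvPath
}

function Get-FileActivity {
    param(
        [Parameter(Mandatory)] [object[]]$Events,   # rows using ProcMon's CSV column names
        [string]$ProcessName = 'notepad.exe',
        [string[]]$ExcludePathContains = @('C:\Windows', '.dll')
    )
    # Step 2 of the answer: keep file-system events only. The other ProcMon event
    # classes are registry (Reg*), network (TCP*/UDP*), process (Process*, Thread*,
    # Load Image) and profiling events.
    $nonFile = '^(Reg|TCP|UDP|Process|Thread|Load Image|System Statistics)'
    $Events |
        Where-Object { $_.'Process Name' -ieq $ProcessName } |      # step 1: process include filter
        Where-Object { $_.Operation -notmatch $nonFile } |          # step 2: file-system activity only
        Where-Object {                                               # steps 3/4: 'Path' 'Contains' ... 'Exclude'
            $p = $_.Path
            -not ($ExcludePathContains | Where-Object { $p -like "*$_*" })
        } |
        Group-Object -Property Path |                                 # one row per path (the repeats problem)
        ForEach-Object {
            [pscustomobject]@{
                Path       = $_.Name
                Events     = $_.Count
                Operations = ($_.Group.Operation | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Path
}

# Constructed sample in the ProcMon CSV export column layout (not a real trace).
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"5:01:02.1000000 PM","notepad.exe","4120","RegOpenKey","HKCU\Software\Microsoft\Notepad","SUCCESS","Desired Access: Read"
"5:01:02.1100000 PM","notepad.exe","4120","Load Image","C:\Windows\System32\ntdll.dll","SUCCESS","Image Base: 0x7ff8..."
"5:01:02.1200000 PM","notepad.exe","4120","CreateFile","C:\Windows\Fonts\StaticCache.dat","SUCCESS","Desired Access: Generic Read"
"5:01:02.1300000 PM","notepad.exe","4120","ReadFile","C:\Windows\Fonts\StaticCache.dat","SUCCESS","Offset: 0, Length: 60"
"5:01:02.2000000 PM","notepad.exe","4120","CreateFile","E:\notes.txt","SUCCESS","Desired Access: Generic Read"
"5:01:02.2100000 PM","notepad.exe","4120","QueryStandardInformationFile","E:\notes.txt","SUCCESS","AllocationSize: 4096"
"5:01:02.2200000 PM","notepad.exe","4120","ReadFile","E:\notes.txt","SUCCESS","Offset: 0, Length: 1,234"
"5:01:02.2300000 PM","notepad.exe","4120","CloseFile","E:\notes.txt","SUCCESS",""
"5:01:02.2400000 PM","notepad.exe","4120","CreateFile","E:\","SUCCESS","Desired Access: Read Data/List Directory"
"5:01:02.2500000 PM","notepad.exe","4120","QueryDirectory","E:\notes.txt","SUCCESS","Filter: notes.txt"
"5:01:03.0000000 PM","explorer.exe","1234","ReadFile","E:\other.txt","SUCCESS","Offset: 0, Length: 10"
'@

$events = $sampleCsv | ConvertFrom-Csv
Get-FileActivity -Events $events | Format-Table -AutoSize
# Against a live trace instead of the sample:
#   Get-FileActivity -Events (Import-Csv (Invoke-ProcmonCapture))
```

On the sample data this leaves two rows, E:\ (CreateFile) and E:\notes.txt (CreateFile, QueryStandardInformationFile, ReadFile, CloseFile, QueryDirectory), and drops the registry key, the loaded DLL, StaticCache.dat and the other process. Two caveats carry over from the answer: excluding everything under C:\Windows also hides any non-dependency file the program touches there, so widen the exclusion list only as far as the trace justifies; and ProcMon only records what happens while it is capturing, so start the capture before launching the process whose file access you want.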
