
Under Windows 7, how can I monitor all filesystem activity made by a specific process?

The goal is to identify which config files of a server process get loaded, and when.

voretaq7
SteAp
  • http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx – joeqwerty Oct 25 '13 at 21:11
  • @joeqwerty, did you mean Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx)? Process Explorer, which you linked to, is the detailed task manager. – Zoredache Oct 25 '13 at 23:07
  • Oh, I thought Process Explorer showed file handles for running processes? – joeqwerty Oct 25 '13 at 23:10
  • Process Explorer is more point-in-time - Process Monitor will do a much better job and will be able to show a log, with timestamps, of what files were accessed by a process. – mfinni Oct 26 '13 at 19:34

2 Answers


Sysinternals' Process Explorer can give you information on the current state of processes, but what you want is Process Monitor (Procmon). Start it up and then launch your process. Once the process exits, or the event you are waiting for has occurred, stop the capture. Procmon is very verbose; you will have captured hundreds of thousands, if not millions, of events, so you will need to filter on things like process name, PID, path, etc. If the process touched a file or registry key or communicated on the network, you will see it here.

charleswj81

Have a look at Process Monitor by Sysinternals (now Microsoft). It shows you all system events including registry, network, IO and other operations in real time. You can limit your results based on a number of filters, e.g. Process Name. Very handy when watching an application.

Remik
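Both answers rely on filtering a large Procmon capture by process name and path. The script below is an added example, not code from either answer: it applies that filter offline to a capture saved as CSV and reports which config files the process read, and when, plus config paths it looked for but did not find. It assumes the default Procmon column set; the process name `server.exe`, the list of config extensions and the sample rows are constructed for illustration.

```python
import csv
import io
from pathlib import PureWindowsPath

# Constructed sample in the default column layout of a Procmon CSV export;
# not a real capture. "server.exe" is a hypothetical process name.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:14:02.1000000 PM","server.exe","4120","CreateFile","C:\srv\conf\main.ini","SUCCESS","Desired Access: Generic Read"
"9:14:02.1000412 PM","server.exe","4120","ReadFile","C:\srv\conf\main.ini","SUCCESS","Offset: 0, Length: 512"
"9:14:02.1003000 PM","server.exe","4120","CreateFile","C:\srv\conf\local.ini","NAME NOT FOUND","Desired Access: Generic Read"
"9:14:02.2000000 PM","other.exe","900","ReadFile","C:\srv\conf\main.ini","SUCCESS","Offset: 0, Length: 512"
"9:14:03.0000000 PM","server.exe","4120","CreateFile","C:\srv\logs\server.log","SUCCESS","Desired Access: Generic Write"
"9:14:05.5000000 PM","server.exe","4120","ReadFile","C:\SRV\conf\Main.ini","SUCCESS","Offset: 0, Length: 512"
'''

# Assumption: which extensions count as "config" depends on the server.
CONFIG_SUFFIXES = {".ini", ".conf", ".cfg", ".xml", ".json"}
NOT_FOUND = {"NAME NOT FOUND", "PATH NOT FOUND"}

def config_activity(csv_text, process_name, suffixes=CONFIG_SUFFIXES):
    """Return (loaded, missing): lists of (time, path) in capture order.

    loaded  = config files the process opened and then read from
    missing = config paths it tried to open that did not exist
    """
    opened, loaded, missing = set(), {}, {}
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        if row["Process Name"].lower() != process_name.lower():
            continue
        path = row["Path"]
        if PureWindowsPath(path).suffix.lower() not in suffixes:
            continue
        key = path.lower()  # Windows paths compare case-insensitively
        op, result = row["Operation"], row["Result"]
        event = (row["Time of Day"], path)
        if op == "CreateFile" and result == "SUCCESS":
            opened.add(key)
        elif op == "CreateFile" and result in NOT_FOUND:
            missing.setdefault(key, event)
        elif op == "ReadFile" and result == "SUCCESS" and key in opened:
            loaded.setdefault(key, event)
    return list(loaded.values()), list(missing.values())

if __name__ == "__main__":
    loaded, missing = config_activity(SAMPLE_CSV, "server.exe")
    for when, path in loaded:
        print("loaded ", when, path)
    for when, path in missing:
        print("missing", when, path)
```

The "missing" list shows the order in which the process searches for optional config files, which a live view of only successful operations would hide.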