
I'm coding a utility which has to keep track of an installation.

What directories and files does this installation create on my computer?

The language is C# .NET, the OS is Windows.

So far I've used FileSystemWatcher, which is a step on the way, but there is a LOT of OS noise that you have to clean up, and it makes the end result, a text file with the filesystem alterations, prone to error, which makes it unusable.

I've even filtered it so that only the events of the user (BUILTIN\Administrators) who runs the installation are tracked, but there is still a lot of noise.

...

    // Inside the FileSystemWatcher handler (e is the FileSystemEventArgs). Needs System.IO,
    // System.Security.AccessControl and System.Security.Principal. Comparing SIDs avoids the
    // localized group name ("Administratorer" on a Danish Windows); Deleted is skipped because GetAccessControl() throws once the file is gone.
    if (e.ChangeType != WatcherChangeTypes.Deleted)
    {
        var ownerSid = (SecurityIdentifier)new FileInfo(e.FullPath).GetAccessControl().GetOwner(typeof(SecurityIdentifier));
        if (ownerSid.IsWellKnown(WellKnownSidType.BuiltinAdministratorsSid))
        {
            string owner = ownerSid.Translate(typeof(NTAccount)).Value;   // "BUILTIN\Administrators"
            eventList.Add(">" + e.FullPath + "<" + e.ChangeType + ":" + owner);
        }
    }
...

I've also tried to use the output of "handle64.exe -p processname.exe" from Microsoft, but it only takes a snapshot and is not able to keep running during an installation.

Does anybody have any idea how to go about it in C#, or if it is even possible?

Thank you very much for your time and effort.

  • I think it can be done, but C# is probably the wrong tool for the job. See how [Procmon](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon) monitors file system and registry events and knows exactly which process is involved. But I think it does so by putting in lots of low-level hooks, and C# wouldn't be a good language to try to implement those in. – Damien_The_Unbeliever Feb 05 '21 at 08:24
  • Thank you, I'll check it out; perhaps I can invoke it from C# and create an output I can process in code. – Kim Sandberg Feb 05 '21 at 09:26
  • Couldn't get it to work. – Kim Sandberg Feb 09 '21 at 08:30
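FileSystemWatcher tells you which account owns a file, not which process wrote it, so an owner filter still passes every change that other processes running as the same admin make in the meantime. What Procmon does for file events (kernel ETW file I/O events carrying a process ID) a C# program can consume as well. The following is an added example, not code from the question or its comments: it opens a kernel ETW session through the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package, starts the installer, follows its process tree by parent PID, and keeps only the file events raised by that tree. It has to run elevated and assumes Windows 8 or later (older kernels only accept the fixed session name "NT Kernel Logger"). The session name, the msiexec.exe special case, the three-second drain delay and the rule for which open-only paths count as "create" are my own choices.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Parsers.Kernel;
using Microsoft.Diagnostics.Tracing.Session;

// Added example: kernel-ETW install tracker. Usage (elevated): InstallTracker <installer.exe>
static class InstallTracker
{
    static void Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: InstallTracker <installer.exe>"); return; }
        if (TraceEventSession.IsElevated() != true) { Console.Error.WriteLine("kernel tracing needs an elevated process"); return; }

        var gate = new object();
        var tracked = new HashSet<int>();   // every PID that ever belonged to the installer's tree
        var live = new HashSet<int>();      // the subset that has not exited yet
        var touched = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase); // path -> last operation
        DateTime start = DateTime.UtcNow;

        using (var session = new TraceEventSession("InstallTrackerSession"))   // session name is my choice
        {
            session.EnableKernelProvider(
                KernelTraceEventParser.Keywords.Process |
                KernelTraceEventParser.Keywords.FileIOInit |   // file-object-to-name mapping
                KernelTraceEventParser.Keywords.FileIO);       // create/read/write/delete/rename
            var kernel = session.Source.Kernel;

            // Follow children (setup helpers, cmd.exe ...) by parent PID. MSI installs do the real
            // copying in an msiexec.exe spawned by the Windows Installer service, so that image is
            // tracked regardless of its parent (assumption: no unrelated MSI runs at the same time).
            kernel.ProcessStart += (ProcessTraceData d) =>
            {
                lock (gate)
                    if (tracked.Contains(d.ParentID) || string.Equals(d.ImageFileName, "msiexec.exe", StringComparison.OrdinalIgnoreCase))
                    { tracked.Add(d.ProcessID); live.Add(d.ProcessID); }
            };
            // When the whole tree has exited, give the ETW buffers a few seconds to drain, then stop.
            kernel.ProcessStop += (ProcessTraceData d) =>
            {
                bool done;
                lock (gate) done = live.Remove(d.ProcessID) && live.Count == 0;
                if (done) Task.Run(() => { Thread.Sleep(3000); session.Source.StopProcessing(); });
            };

            // Everything outside the tree is the "OS noise" and is dropped here.
            // A plain open never overwrites a write/rename/delete already recorded for the path.
            Action<int, string, string> record = (pid, path, op) =>
            {
                if (string.IsNullOrEmpty(path)) return;
                lock (gate)
                {
                    if (!tracked.Contains(pid)) return;
                    string prev;
                    if (!touched.TryGetValue(path, out prev) || prev == "open") touched[path] = op;
                }
            };
            // FileIOCreate fires for every handle open, reads included, so it only counts as "open".
            kernel.FileIOCreate += (FileIOCreateTraceData d) => record(d.ProcessID, d.FileName, "open");
            kernel.FileIOWrite  += (FileIOReadWriteTraceData d) => record(d.ProcessID, d.FileName, "write");
            kernel.FileIORename += (FileIOInfoTraceData d) => record(d.ProcessID, d.FileName, "rename");
            kernel.FileIODelete += (FileIOInfoTraceData d) => record(d.ProcessID, d.FileName, "delete");

            // Start the installer only once the session is enabled, then seed the tree with its PID.
            var installer = Process.Start(new ProcessStartInfo(args[0]) { UseShellExecute = false });
            lock (gate) { tracked.Add(installer.Id); live.Add(installer.Id); }

            session.Source.Process();   // blocks until StopProcessing() is called above
        }

        foreach (var kv in touched)
        {
            string op = kv.Value, path = kv.Key;
            if (op == "open")
            {
                // Open-only paths are mostly DLLs and config files the installer read. Keep one only if
                // it exists now and was created after tracing began: new directories and empty files
                // appear exactly this way (GetCreationTimeUtc works for directories as well).
                bool isNew = (File.Exists(path) || Directory.Exists(path)) && File.GetCreationTimeUtc(path) >= start;
                if (!isNew) continue;
                op = "create";
            }
            Console.WriteLine("{0,-7} {1}", op, path);
        }
    }
}
```

The output is one line per path the installer's own processes created, wrote, renamed or deleted, with no contribution from Windows Update, Defender (MsMpEng.exe is not in the tree) or any other concurrent activity. Two limits to keep in mind: the FileIORename event names the old path, the new one shows up as a later "create"; and NTFS file tunnelling can restore the old creation time when an installer deletes and recreates a file within a few seconds, which would make that file look like a plain read rather than a create.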

1 Answer

-1

You will want to use Windows API functions to determine which processes have handles to the files you're looking for, specifically the NtQuerySystemInformation API function to query for all handles; this can be achieved with P/Invoke.
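Enumerating handles with NtQuerySystemInformation has the same property the question notes for handle64.exe: it sees only the handles that are open at the moment of the query, so files the installer writes and closes between two queries are missed. A different way to get a clean list of what an installation leaves behind, as an added example that is not part of the answer or the question, is a before/after snapshot diff of the directory trees an installer normally touches. It uses only the base class library, sidesteps event noise entirely, and costs nothing at install time; what it cannot show is temporary files that were created and deleted during the install, or which process made a change. The root paths are passed on the command line (Program Files, ProgramData and the user's AppData are the usual candidates), SHA-256 hashing of every file is my choice and dominates the run time on a large tree.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Linq;
using System.Security.Cryptography;

// Added example: snapshot diff. Usage: InstallDiff <installer.exe> <root> [<root> ...]
static class InstallDiff
{
    // Directories are stored with Length == -1 and Hash == null.
    sealed class Entry
    {
        public long Length;
        public DateTime LastWriteUtc;
        public string Hash;   // SHA-256 hex of the content; null for directories or unreadable files
    }

    static void Main(string[] args)
    {
        if (args.Length < 2) { Console.Error.WriteLine("usage: InstallDiff <installer.exe> <root> [<root> ...]"); return; }
        var roots = args.Skip(1).ToArray();

        var before = Snapshot(roots);
        using (var installer = Process.Start(new ProcessStartInfo(args[0]) { UseShellExecute = false }))
            installer.WaitForExit();
        var after = Snapshot(roots);

        foreach (var line in Diff(before, after).OrderBy(l => l, StringComparer.OrdinalIgnoreCase))
            Console.WriteLine(line);
    }

    // Iterative walk instead of SearchOption.AllDirectories: one unreadable directory must not
    // abort the whole enumeration, which is what the recursive overloads do on UnauthorizedAccess.
    static Dictionary<string, Entry> Snapshot(IEnumerable<string> roots)
    {
        var map = new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);
        var pending = new Stack<string>(roots.Where(Directory.Exists));
        while (pending.Count > 0)
        {
            string dir = pending.Pop();
            string[] subdirs, files;
            try
            {
                subdirs = Directory.GetDirectories(dir);
                files = Directory.GetFiles(dir);
            }
            catch (UnauthorizedAccessException) { continue; }   // e.g. "System Volume Information"
            catch (IOException) { continue; }                   // directory vanished mid-walk
            foreach (var d in subdirs)
            {
                map[d] = new Entry { Length = -1 };
                pending.Push(d);
            }
            foreach (var f in files)
                map[f] = Describe(f);
        }
        return map;
    }

    static Entry Describe(string path)
    {
        var e = new Entry { Length = -1 };
        try
        {
            var info = new FileInfo(path);
            e.Length = info.Length;
            e.LastWriteUtc = info.LastWriteTimeUtc;
            // Share everything so files an installer still holds open can be read.
            using (var sha = SHA256.Create())
            using (var s = new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.ReadWrite | FileShare.Delete))
                e.Hash = BitConverter.ToString(sha.ComputeHash(s)).Replace("-", "");
        }
        catch (IOException) { }                 // exclusively locked or gone: keep the metadata we got
        catch (UnauthorizedAccessException) { } // metadata readable, content not
        return e;
    }

    // "added", "removed" and "modified" lines. Content hash decides when both sides have one,
    // otherwise size and last-write time; directories never count as modified by themselves.
    static IEnumerable<string> Diff(Dictionary<string, Entry> before, Dictionary<string, Entry> after)
    {
        foreach (var kv in after)
        {
            Entry old;
            if (!before.TryGetValue(kv.Key, out old))
                yield return "added    " + kv.Key;
            else if (old.Length != kv.Value.Length
                     || (old.Hash != null && kv.Value.Hash != null ? old.Hash != kv.Value.Hash
                                                                    : old.LastWriteUtc != kv.Value.LastWriteUtc))
                yield return "modified " + kv.Key;
        }
        foreach (var path in before.Keys)
            if (!after.ContainsKey(path))
                yield return "removed  " + path;
    }
}
```

Run it once with a no-op "installer" (for instance cmd.exe /c exit) over the same roots to see the background churn those trees have even without an installation; anything that shows up there is noise to subtract from the real run. Hashing also gives a baseline for later integrity checks of the installed files, which a list of paths alone does not.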