Detect what process is changing a file on Windows
Both procexp and procmon are good for this. If the process holds a handle to the file in question then just run procexp and choose "Find Handle or DLL" from the Find menu then type in part of the file name you're searching for.
Alternatively (and as mentioned in the comments to the question), to use procmon to find, for example, a file called readme.txt open the filter dialog and set the filter as so:
Then press the Add button. Make sure there are no other processes that are excluded that might be touching your file.
Then start capturing events and sit back and wait.
Related videos on Youtube
03 : 45
25 : 17
07 : 16
08 : 36
01 : 35
Comments
-
dantheta almost 2 years
Is there a way to detect what process is changing a file on Windows 7?
I know procmon is a great tool but couldn't figure it out how to do it or even if it's possible.
The problem is that I have a file that is changed by some application and I want to find out which one.
-
Dave over 11 yearsWhy can't you use the filter in ProcMon (just type in the name of the file)?
-
-
Omnifarious over 11 yearsHow can you tell that an event in procmon is a file modification event? I can see place where the file is opened and closed, but I can't see events that are clearly modifications to the file.
-
shunty over 11 yearsIn the README.txt case there appears to be a WriteFile operation. I don't think it's always that easy though as it will depend on how the application deals with writing - ie does it cache stuff or save writes until later etc etc. There's also a QueryBasicInformationFile operation which has LastAccess and LastWrite times.
-
Omnifarious over 11 years@shunty: Ahh, there was so much file reading going on that the WriteFile operations were hidden in the noise. I captured the whole install process from beginning to end. So it doesn't matter if there was any caching or buffering, if a file was written to the event should be in there.
-
Sean Feldman about 3 yearsThank you, @shunty
