How to find out what created a file?


Solution 1

Have a look at the "Owner" tab under the "Advanced" properties of the "Security" properties page of the file's properties sheet. Odds are good, though, that you're going to see "Administrators" as the owner (which won't be too helpful).

The auditing functionality in Windows can help with this kind of thing, but it generates such large volumes of seemingly useless data that it's, practically speaking, not worth it.

Solution 2

Let's assume for a second that whatever is creating these files isn't malicious:

  • You can look at the owner to see what user created the files
  • Then use something like Sysinternals Process Explorer to view the processes that are running under that user (right-click the columns and check "User Name" on the "Process Image" tab)
  • Then look at the handles that each of these processes has (go to the View menu, check "Show Lower Pane", change "Lower Pane View" to "Handles"); one of them may have a handle open to the weird files you're seeing

However, if whatever is creating these files is malicious it will take steps to thwart you. (File hiding, process hiding, obfuscation, etc.)

You can use some of the utilities here to check for rootkits: A list of Windows rootkit detection and removal tools

But if the server has been owned, you know it's been owned, and you don't know how they got in: it's time to start rebuilding it and activating any incident response plan you may have.
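The two procedures above (Solution 1: read the file's owner; Solution 2: find processes running as that user and check their open handles), plus the auditing that Solution 1 mentions, scripted in PowerShell. This is an added example, not code from either answer. It assumes an elevated PowerShell session, Sysinternals handle.exe on the PATH, and a hypothetical suspect path C:\x.tmp; auditing is enabled only for the root of C: so the event volume stays manageable.

```powershell
# Added example (not from the original answers). Run elevated.
$SuspectFile = 'C:\x.tmp'   # hypothetical path, replace with the real file

# Solution 1: the owner stored in the file's security descriptor
$acl   = Get-Acl -Path $SuspectFile
$owner = $acl.Owner          # e.g. 'BUILTIN\Administrators' or 'SERVER\Guest'
Write-Host "Owner of ${SuspectFile}: $owner"

# Solution 2, step 2: processes running as that account.
# -IncludeUserName needs Windows PowerShell 4+ and elevation to see other users.
# If the owner is a group such as BUILTIN\Administrators nothing will match.
$procs = Get-Process -IncludeUserName | Where-Object { $_.UserName -eq $owner }
$procs | Select-Object Id, ProcessName, UserName, Path | Format-Table -AutoSize

# Solution 2, step 3: which process holds the file open right now?
# handle.exe does a substring match on the path; -u adds the owning user.
$open = & handle.exe -accepteula -nobanner -u $SuspectFile 2>$null
if ($open -match 'pid:') {
    Write-Host "Processes with an open handle to ${SuspectFile}:"
    $open
} else {
    Write-Host "No process currently holds $SuspectFile open; a writer that opens, writes and closes quickly will only show up in the audit log below."
}

# Solution 1 mentions auditing: enable Object Access / File System auditing and
# put a SACL on C:\ for file creation (no inheritance, so subfolders are not
# audited). Turn it off again once the investigation is done; it is noisy.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
$rootAcl = Get-Acl -Path 'C:\' -Audit
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               'Everyone', 'CreateFiles', 'None', 'None', 'Success')
$rootAcl.AddAuditRule($rule)
Set-Acl -Path 'C:\' -AclObject $rootAcl

# Later: event 4663 records the account and the process for each audited access.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process = $d.ProcessName
            Object  = $d.ObjectName
            Access  = $d.AccessMask
        }
    } |
    Where-Object { $_.Object -like 'C:\*' -and $_.Object -notlike 'C:\*\*' } |
    Format-Table -AutoSize
```

If the Process column of the audit output shows a remote-access service (for example the Server service writing on behalf of an SMB client, as happened in the question's Guest case), the process name alone will not identify the culprit and the next step is to look at the network side, which Solution 3 covers.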

Solution 3

You could also utilize FileMon for Windows to log the time and process of the file write. Once you have that, track down the process using netstat -ao and look for the PID of the process that wrote the file. From there, find the IP address that is making the connection to your server and continue the investigation, or DENY the connection if you are using the Windows built-in firewall.

Link to FileMon for Windows: http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx
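The PID-to-peer-to-firewall chain from this answer, as an added example rather than the answer's own code. It assumes the PID has already been read from FileMon or its successor Process Monitor, that the NetTCPIP and NetSecurity modules are present (Windows 8 / Server 2012 and later), and it includes a small parser for the plain netstat -ano output for older hosts, fed here with constructed sample lines; the PID 4321 and the addresses are hypothetical.

```powershell
# Added example (not from the original answer). Run elevated.
$WriterPid = 4321   # hypothetical PID taken from Process Monitor's PID column

# The answer uses "netstat -ao"; Get-NetTCPConnection returns the same data as
# objects, so we can filter on the owning process and drop local-only endpoints.
$conns = Get-NetTCPConnection -OwningProcess $WriterPid -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1') }
$conns | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State |
    Format-Table -AutoSize

# Fallback for hosts without the NetTCPIP module: parse "netstat -ano" text.
# (-n keeps addresses numeric so the parser does not have to handle host names.)
function Get-NetstatPeers {
    param([string[]]$NetstatLines, [int]$TargetPid)
    foreach ($line in $NetstatLines) {
        # proto  local  remote  [state]  pid
        if ($line -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S*)\s*(\d+)\s*$') {
            $remote = $Matches[3]
            if ([int]$Matches[5] -eq $TargetPid -and
                $remote -ne '*:*' -and $remote -notmatch '^0\.0\.0\.0:') {
                $remote -replace ':\d+$', ''   # strip the port (IPv4 form only)
            }
        }
    }
}

# Constructed sample of netstat -ano output, in place of a live capture.
$sample = @(
    '  TCP    10.0.0.5:445    10.0.0.9:49211    ESTABLISHED    4321',
    '  TCP    10.0.0.5:135    0.0.0.0:0         LISTENING      880',
    '  UDP    0.0.0.0:137     *:*                              4'
)
$peers = Get-NetstatPeers -NetstatLines $sample -TargetPid $WriterPid | Sort-Object -Unique
$peers

# DENY those peers in the built-in firewall, as the answer suggests. Scope it to
# inbound traffic from the specific address so nothing else is affected.
foreach ($ip in $peers) {
    New-NetFirewallRule -DisplayName "Block file-writer peer $ip" -Direction Inbound `
        -RemoteAddress $ip -Action Block -Profile Any | Out-Null
}
```

Blocking buys time but is not a fix: the peer that was writing into C:\ still has whatever credentials or share access let it do so, so the account and share permissions need to be reviewed as the comments on this question describe.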

Solution 4

PA File Sight could help you there. You can set up a monitor to watch file creates in C:\ The app can log the creation time, the process used (assuming it's a local process) and the account used. It can log that data to a log file, database, and/or alert you in real time.

It's a commercial product, but has a fully-functional 30 day trial that would work for you.

Full disclosure: I work for the company that created PA File Sight.

Author: h3x

System Administrator in BETA News Agency, based in Belgrade, Serbia!

Updated on September 17, 2022

Comments

  • h3x
    h3x over 1 year

    I have some virus files being randomly created on root of a c: disk of one of my servers. How can I find out what created it? Some 3rd party software maybe?

  • h3x
    h3x almost 15 years
    Owner is Guest! :) I don't know how that Guest thing had missed my attention! Now I know some other computer from the network is "bombing" my server. Thanks!
  • Spence
    Spence almost 15 years
    Better get that Guest account locked down and verify that they haven't done nasty things to your machine. If they're creating files in the root directory you may have a serious mess on your hands.
  • h3x
    h3x almost 15 years
    Yeah, your answer is kinda next logical step after what Evan Anderson suggested, and it's the solution for this case!
  • h3x
    h3x almost 15 years
    HMMM, very interesting software! I'll give it a try :)
  • h3x
    h3x almost 15 years
    They pushed the Conficker virus into my server, but it couldn't spread anywhere else. I found all the remains of Conficker and removed it all. Thanks.
  • charles
    charles over 9 years
    FileMon is replaced with this one technet.microsoft.com/en-us/sysinternals/bb896645