how to find out what created a file?
Solution 1
Have a look at the "Owner" tab under the "Advanced" properties of the "Security" properties page of the file's properties sheet. Odds are good, though, that you're going to see "Administrators" as the owner (which won't be too helpful).
The auditing functionality in Windows can help with this kind of thing, but it generates such large volumes of seemingly useless data that it's, practically speaking, not worth it.
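The auditing route mentioned above becomes manageable if it is scoped to a single directory instead of the whole drive. The following is an added example (not code from the original answer) for an elevated PowerShell prompt on Windows Vista / Server 2008 or later: it enables only the "File System" audit subcategory, places one non-inheriting SACL entry on C:\ for successful "create files / write data" access, and then reads back event 4663 to show which account and which process touched objects in the root. The second function pulls logon type 3 (network) events 4624 for a given account to show the client address, which is what you need when the process column says "System" and the writes are coming in over a share. All paths, the account name and the event counts are assumptions for illustration.

```powershell
# Added example, not from the original answer. Run elevated: auditpol and
# Set-Acl with audit rules need administrator rights (SeSecurityPrivilege).
# Assumption: the files land in C:\ and the Security log is large enough to
# hold a few hours of events.

# 1. Success auditing for the "File System" subcategory only.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. One SACL entry on C:\ itself, no inheritance, so only creates/writes
#    directly in the root generate events.
$root  = 'C:\'
$acl   = Get-Acl -Path $root -Audit
$rule  = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::CreateFiles,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $root -AclObject $acl

# Helper: flatten the EventData of a Security event into a hashtable.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    $d
}

# 3. Event 4663: "An attempt was made to access an object". The fields that
#    answer the question are SubjectUserName, ProcessName and ObjectName.
function Get-RootFileCreateAudit {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData -Event $_
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Account    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process    = $d.ProcessName      # 'System' when the write came in over SMB
                ObjectType = $d.ObjectType
                Object     = $d.ObjectName
                AccessMask = $d.AccessMask       # bit 0x2 = WriteData / AddFile
            }
        } |
        Where-Object { $_.ObjectType -eq 'File' -and $_.Object -like 'C:\*' -and (([int]$_.AccessMask) -band 2) }
}

# 4. Event 4624 with LogonType 3 carries the client's IP for a network logon.
#    Useful when step 3 shows Process = System and an account such as Guest.
function Get-NetworkLogonSources {
    param([string]$User = 'Guest', [int]$MaxEvents = 2000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData -Event $_
            if ($d.LogonType -eq '3' -and $d.TargetUserName -eq $User) {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = $d.TargetUserName
                    SourceIP    = $d.IpAddress
                    Workstation = $d.WorkstationName
                }
            }
        } |
        Group-Object SourceIP | Sort-Object Count -Descending | Select-Object Count, Name
}

Get-RootFileCreateAudit | Format-Table -AutoSize
Get-NetworkLogonSources -User 'Guest' | Format-Table -AutoSize
```

Remove the SACL entry again once you have your answer (`$acl.RemoveAuditRule($rule); Set-Acl -Path $root -AclObject $acl`) and run `auditpol /set /subcategory:"File System" /success:disable`; otherwise the volume of 4663 events grows with every write to the root. On Windows 2003 and earlier the equivalent events are 560/567 and this script does not apply.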
Solution 2
Let's assume for a second that whatever is creating these files isn't malicious:
- You can look at the owner to see what user created the files
- Then use something like Sysinternals Process Explorer to view the processes that are running under that user (right-click the columns and check "User Name" on the "Process Image" tab).
- Then look at the handles that each of these processes has (go to the View menu, check "Show Lower Pane", and change "Lower Pane View" to "Handles"); one of them may have a handle open to the weird files you're seeing.
However, if whatever is creating these files is malicious it will take steps to thwart you. (File hiding, process hiding, obfuscation, etc.)
You can use some of the utilities here to check for rootkits: A list of Windows rootkit detection and removal tools
But if the server has been owned, you know it's been owned, and you don't know how they got in: it's time to start rebuilding it and activating any incident response plan you may have.
Solution 3
You could also utilize FileMon for Windows to log the time and the process of the file write. Once you do that, track down the process using netstat -ao and look for the PID of the process that wrote the file. From there, find the IP address that is making the connection to your server and continue the investigation, or DENY the connection if you are using the Windows built-in firewall.
Link to FileMon for Windows: http://technet.microsoft.com/en-us/sysinternals/bb896642.aspx
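Solutions 2 and 3 both walk the same chain by hand: file owner, then processes running as that owner, then the network connections of those processes. The following PowerShell function is an added example (not code from either answer) that automates that chain for one suspicious file. It assumes a path you supply, and `Get-NetTCPConnection`, which exists on Windows 8 / Server 2012 and later (on older systems parse `netstat -ano` instead). When no local process runs as the file's owner, which is what you see when a remote machine writes the file over a share, it falls back to listing SMB sessions with `net session`.

```powershell
# Added example, not from the original answers. Assumptions: $Path is the file
# you found in C:\; Get-NetTCPConnection is available (Win8/2012+).
function Get-FileOwnerProcesses {
    param([Parameter(Mandatory)][string]$Path)

    # Step 1 (Solution 2): who owns the file? e.g. 'SERVER\Guest'.
    $owner = (Get-Acl -Path $Path).Owner

    # Step 2: every running process with the account it runs under.
    # Win32_Process.GetOwner() returns Domain and User.
    $procs = Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [pscustomobject]@{
            PID         = $_.ProcessId
            Name        = $_.Name
            CommandLine = $_.CommandLine
            Account     = if ($o.User) { "$($o.Domain)\$($o.User)" } else { '<none>' }
        }
    }

    # Compare on the user part only. If the owner is a group such as
    # 'BUILTIN\Administrators' (Solution 1's warning) nothing will match and
    # the owner field has told you nothing useful.
    $ownerUser = $owner.Split('\')[-1]
    $hits = $procs | Where-Object { $_.Account.Split('\')[-1] -eq $ownerUser }

    if (-not $hits) {
        # No local process runs as that account: the write most likely came in
        # over SMB, performed by the System process on behalf of the remote
        # client. 'net session' lists connected clients, their address and user.
        Write-Warning "No local process runs as '$owner'; listing SMB sessions instead."
        net session
        return
    }

    # Step 3 (Solution 3): established TCP connections per matching PID, so you
    # can see which remote address to investigate or block at the firewall.
    foreach ($p in $hits) {
        $remote = Get-NetTCPConnection -OwningProcess $p.PID -ErrorAction SilentlyContinue |
                  Where-Object { $_.State -eq 'Established' } |
                  ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
        [pscustomobject]@{
            Owner       = $owner
            PID         = $p.PID
            Process     = $p.Name
            CommandLine = $p.CommandLine
            Remote      = ($remote -join ', ')
        }
    }
}

# Hypothetical path for illustration.
Get-FileOwnerProcesses -Path 'C:\suspicious.tmp' | Format-Table -AutoSize
```

As Solution 2 notes, this only helps while whatever is writing the files is not hiding itself; a process that does not appear in Win32_Process will not appear here either. The `CommandLine` column is there because a legitimate image name running from an odd path or with odd arguments is often the first visible sign that something is wrong.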
Solution 4
PA File Sight could help you there. You can set up a monitor to watch file creates in C:\ The app can log the creation time, the process used (assuming it's a local process) and the account used. It can log that data to a log file, database, and/or alert you in real time.
It's a commercial product, but has a fully-functional 30 day trial that would work for you.
Full disclosure: I work for the company that created PA File Sight.
h3x
System Administrator in BETA News Agency, based in Belgrade, Serbia!
Updated on September 17, 2022
Comments
-
h3x over 1 year
I have some virus files being randomly created on root of a c: disk of one of my servers. How can I find out what created it? Some 3rd party software maybe?
-
h3x almost 15 years: Owner is Guest! :) I don't know how that Guest thing had missed my attention! Now I know some other computer from the network is "bombing" my server. Thanks!
-
Spence almost 15 years: Better get that Guest account locked down and verify that they haven't done nasty things to your machine. If they're creating files in the root directory you may have a serious mess on your hands.
-
h3x almost 15 years: Yeah, your answer is kinda the next logical step after what Evan Anderson suggested, and it's the solution for this case!
-
h3x almost 15 years: HMMM, very interesting software! I'll give it a try :)
-
h3x almost 15 years: They pushed the Conficker virus into my server, but it couldn't spread anywhere else. I found all the remnants of Conficker and removed it all. Thanks.
-
charles over 9 years: FileMon is replaced with this one: technet.microsoft.com/en-us/sysinternals/bb896645