Re: how can I identify which processes access a file?



Hi,

there are several ways to do this but every one is
difficult and far beyond C# and .NET. C# and
.NET just play the role of either a user interface,
wrapper library or the communication endpoint.
You can use API hooking and monitor for e.g.
CreateFile API calls and then check which
process uses that call. But this is a very difficult
task and not recommended since you can
destabilize your complete OS if your code is
buggy. Another way is to use the FileSystemWatcher
which in core encapsulates the Windows File and
Directory Notification APIs and on a specific file
event you could check who has a handle to that
file by enumerating all system handles and objects
by using NtQuerySystemInformation and some other
undocumented API calls. Some documented ones can be quite
handy on object security, handle owner etc, but all
calls are undocumented and not easy to use. Another
approach is to develop a kernel file system driver
with the IFS Kit DDK from Microsoft or hook
Kernel API calls and/or watch for special events
and/or API function calls. The only way C# can aid you
here is to use a UI that could process IO coming or
going to your kernel driver either by DeviceIoControl
and/or CreateFile/Read-WriteFile/CloseHandle. All
these tasks are difficult and far beyond C# and .NET...

If you really are interested in a way to do this, then
have a look at this:

[File System Filter Drivers]
http://www.microsoft.com/whdc/driver/filterdrv/default.mspx

But think about it. Do you really have to do this
or is there another way since Kernel Development
is very advanced stuff,...

Regards

Kerem

--
-----------------------
Beste Grüsse / Best regards / Votre bien devoue
Kerem Gümrükcü
Latest Project: http://www.codeplex.com/restarts
Latest Open-Source Projects: http://entwicklung.junetz.de
-----------------------
"This reply is provided as is, without warranty express or implied."

"DWatsonCrypKey" <DWatsonCrypKey@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:FBA8A308-9B13-4014-AE54-14C2917D0341@xxxxxxxxxxxxxxxx
I need to be able to monitor a file and identify which processes have
accessed it. Kind of like Windows Filemon does. The FileSystemWatcher
doesn't seem to provide this information, and I can't get this information
from System.GetProcesses. Can anyone tell me how to do this?

Thanks
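
An added example, not part of the original thread: the "check who has a handle to that file" step from the reply, done here with the documented Windows Restart Manager API (rstrtmgr.dll, Windows Vista and later) through P/Invoke instead of the handle enumeration the reply describes. The names FileUsers and WhoHasOpen are made up for this example, and the call only reports processes that have the file open at the moment it runs.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;

static class FileUsers   // hypothetical helper name, not a framework type
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct RM_PROCESS_INFO   // RM_UNIQUE_PROCESS flattened into the first three fields
    {
        public int ProcessId; public uint StartLow, StartHigh;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)] public string AppName;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 64)] public string ServiceShortName;
        public int AppType; public uint AppStatus, TSSessionId;
        [MarshalAs(UnmanagedType.Bool)] public bool Restartable;
    }

    const string Dll = "rstrtmgr.dll";
    [DllImport(Dll, CharSet = CharSet.Unicode)]
    static extern int RmStartSession(out uint session, int flags, StringBuilder key);
    [DllImport(Dll, CharSet = CharSet.Unicode)]
    static extern int RmRegisterResources(uint session, uint nFiles, string[] files,
        uint nApps, IntPtr apps, uint nServices, string[] services);
    [DllImport(Dll)]
    static extern int RmGetList(uint session, out uint needed, ref uint count,
        [In, Out] RM_PROCESS_INFO[] apps, out uint rebootReasons);
    [DllImport(Dll)]
    static extern int RmEndSession(uint session);

    // PID and application name of every process that has 'path' open right now.
    // Returns an empty list if nothing holds the file or a Restart Manager call fails.
    public static List<KeyValuePair<int, string>> WhoHasOpen(string path)
    {
        var users = new List<KeyValuePair<int, string>>();
        if (RmStartSession(out uint s, 0, new StringBuilder(33)) != 0) return users;
        try
        {
            if (RmRegisterResources(s, 1, new[] { path }, 0, IntPtr.Zero, 0, null) != 0) return users;
            uint count = 0;
            RmGetList(s, out uint needed, ref count, null, out _);   // size query, ERROR_MORE_DATA if in use
            if (needed == 0) return users;
            var info = new RM_PROCESS_INFO[needed];
            count = needed;
            if (RmGetList(s, out needed, ref count, info, out _) != 0) return users;
            for (int i = 0; i < count; i++)
                users.Add(new KeyValuePair<int, string>(info[i].ProcessId, info[i].AppName));
        }
        finally { RmEndSession(s); }   // always release the session
        return users;
    }
}
```

Calling `FileUsers.WhoHasOpen(e.FullPath)` from a FileSystemWatcher `Changed` handler gives the combination the reply outlines. A process that opens, writes and closes the file before the event is delivered will not appear in the result.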
