如何知道创建文件的过程 [英] How to know the process which created a file

问题描述

我知道如何监视文件创建事件.
但是，如何获取创建文件的进程呢?

I know how to monitor for a file creation event.
But how can I get the process which created the file?

推荐答案

如果文件已经打开，则可以在进程浏览器中看到该文件拥有该文件的进程时间.

打开Process Explorer，从工具栏中选择视图句柄".对于每个进程，您将看到它为每个资源拥有的句柄.这也包括文件句柄.当然，这会给当前进程保留文件句柄，但不会提供有关哪个进程创建了文件的信息.

我不认为是否有任何办法以编程方式知道哪个进程创建了文件.
如果有办法，我也很想知道. :)

顺便说一下，寻找文件所有者的意图是什么.

If the file is already opened, you can see with the process explorer which process owns the file at that time.

Open Process Explorer, select "View Handles" from the toolbar. For each process you see the handles it owns for each resource. This includes file handles too. Of course this gives the current process holding the file handle but does not give info on which process created the file.

I dont think if there is any way to know programatically which process created the file.
If there is a way, I am also intrested to know. :)

By the way, what would be your intention in finding the owner of a file.

非常感谢您的帮助
但这不是我所需要的，我需要使用VC ++以编程方式了解
这样做的目的是我有一种在计算机上写入文件的病毒，并且我想知道杀死该死的病毒的过程:)

Thank you very much for your help
but that''s not what I need, I need to know programatically using VC++
and the intention to do that is I have a virus which writes files on my computer, and I want to know the process to kill this damned virus :)

我认为您必须创建一个文件过滤器驱动程序(如果要监视进程创建的文件). 进程监视器 [

I think you have to create a file filter driver if you want to monitor the files created by processes. Process monitor [^]is a typical example of such an aplication.

这篇关于如何知道创建文件的过程的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！