How is it possible to understand which process deletes a file on the hard drive

Views: 99

Question

I have the following problem. I develop an application that keeps its settings in preference files. At some point in time, one of these files is being deleted. This file cannot be deleted from my application.

How is it possible to understand which process deletes a file on the hard drive under Windows?

Edit:
The problem appears rarely. I'm looking for a program that can run as a service or something else, so I can make a patch for the application that monitors at runtime whether someone deletes the file and writes out which process did it.

Accepted answer

If you're ok with a C# solution, you can use the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package. It's a wrapper over ETW (Event Tracing for Windows) events.

What happens is the Windows kernel traces everything, and you can get those traces in real time. But it's sometimes difficult to correlate them.

In your case, you're looking for file delete events, but unfortunately, these events have no process information attached to them, so I've used another event. Here is some sample code:

using System;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;

namespace TraceDeletes
{
    class Program
    {
        static void Main(string[] args)
        {
            // starting a kernel ETW session requires an elevated process
            if (TraceEventSession.IsElevated() != true)
            {
                Console.WriteLine("To turn on ETW events you need to be Administrator, please run from an Admin process.");
                return;
            }

            // we're watching that particular file
            string filePath = @"C:\temp\New Text Document.txt";
            ulong fileKey = 0;          // FileKey of the watched file, 0 = nothing remembered yet
            string processName = null;  // last process seen querying the watched file
            using (var session = new TraceEventSession("whatever"))
            {
                // handle console CTRL+C gracefully
                Console.CancelKeyPress += (sender, e) => session.Stop();

                // we filter on events we need
                session.EnableKernelProvider(
                    KernelTraceEventParser.Keywords.DiskFileIO |
                    KernelTraceEventParser.Keywords.FileIOInit);

                // this event has no process information, only the FileKey and file name
                session.Source.Kernel.FileIOFileDelete += data =>
                {
                    if (fileKey != 0 && data.FileKey == fileKey)
                    {
                        Console.WriteLine(data.FileName + " was deleted by " + processName);
                        fileKey = 0;
                        processName = null;
                    }
                };

                // this event has process information (id, name)
                // it happens before delete, of course
                // we remember the FileKey so we can match it against the delete event
                session.Source.Kernel.FileIOQueryInfo += data =>
                {
                    if (string.Compare(data.FileName, filePath, StringComparison.OrdinalIgnoreCase) == 0)
                    {
                        fileKey = data.FileKey;
                        processName = data.ProcessName;
                    }
                };

                // runs forever, press CTRL+C to stop
                session.Source.Process();
            }
        }
    }
}

If you create that "C:\temp\New Text Document.txt" file and delete it using Windows Explorer, you should see this:

C:\temp\New Text Document.txt was deleted by explorer

Note: ETW is of course usable from other languages, but it's much easier with this .NET library.
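As an added example (not part of the answer above, and not the TraceEvent library's own code), the Python script below shows the correlation the answer relies on, generalized to several watched files at once and keeping the process ID as well as the name: FileIO/FileDelete names the file (FileKey, FileName) but no process, so the process is taken from the last FileIO/QueryInfo or FileIO/SetInfo event seen on the same FileKey. The event records are constructed to mirror the field names TraceEvent exposes (FileKey, FileName, ProcessName, ProcessID); they are not captured traces. The caveat a practitioner should keep in mind applies to the C# code as well: this is a last-toucher heuristic, so a process that merely queried the file just before the real deleter would be blamed instead, and a delete with no preceding info event on its FileKey cannot be attributed at all.

```python
"""Attribute ETW FileIO delete events to a process by FileKey correlation.

Added example, not the answer's code.  FileIO/FileDelete carries FileKey and
FileName but no process; FileIO/QueryInfo and FileIO/SetInfo carry FileKey
plus ProcessName/ProcessID.  The correlator remembers, per FileKey, the last
process that issued an info event on a watched file and uses that record when
the delete for the same FileKey arrives.  Events below are constructed, not
captured.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INFO_EVENTS = ("FileIOQueryInfo", "FileIOSetInfo")
DELETE_EVENT = "FileIOFileDelete"


@dataclass(frozen=True)
class FileIoEvent:
    name: str
    file_key: int                       # kernel key shared by events on one file
    file_name: str
    process_name: Optional[str] = None  # None on FileIOFileDelete
    process_id: Optional[int] = None


@dataclass
class DeleteAttributor:
    """Correlates info events with later delete events for a set of paths."""
    watched: List[str]
    last_toucher: Dict[int, Tuple[str, int]] = field(default_factory=dict)

    def _is_watched(self, path: str) -> bool:
        # Same full-path, case-insensitive match as the C# OrdinalIgnoreCase compare.
        return any(path.lower() == w.lower() for w in self.watched)

    def feed(self, ev: FileIoEvent) -> Optional[dict]:
        """Returns an attribution dict when ev is a delete of a watched file."""
        if not self._is_watched(ev.file_name):
            return None
        if ev.name in INFO_EVENTS:
            self.last_toucher[ev.file_key] = (ev.process_name, ev.process_id)
            return None
        if ev.name == DELETE_EVENT:
            # Pop the record: a FileKey can be handed out again for a new file
            # object later, so it must not attribute a future unrelated delete.
            toucher = self.last_toucher.pop(ev.file_key, None)
            name, pid = toucher if toucher else (None, None)
            return {"file": ev.file_name, "process": name, "pid": pid}
        return None


def attribute_deletes(events: List[FileIoEvent], watched: List[str]) -> List[dict]:
    """Runs the correlator over an event stream and collects attributions."""
    attributor = DeleteAttributor(watched)
    results = []
    for ev in events:
        hit = attributor.feed(ev)
        if hit is not None:
            results.append(hit)
    return results


# Constructed event stream: two watched preference files touched by two
# different processes, one unrelated file that must be ignored, and a final
# delete whose FileKey was never seen in an info event.
SAMPLE_EVENTS = [
    FileIoEvent("FileIOQueryInfo", 0xFFFF8A0000001000, r"C:\temp\prefs.xml", "explorer", 4212),
    FileIoEvent("FileIOQueryInfo", 0xFFFF8A0000002000, r"C:\temp\settings.ini", "notepad", 7788),
    FileIoEvent("FileIOQueryInfo", 0xFFFF8A0000003000, r"C:\Windows\Temp\x.log", "svchost", 1204),
    FileIoEvent("FileIOSetInfo", 0xFFFF8A0000002000, r"C:\temp\settings.ini", "notepad", 7788),
    FileIoEvent("FileIOFileDelete", 0xFFFF8A0000002000, r"C:\temp\settings.ini"),
    FileIoEvent("FileIOFileDelete", 0xFFFF8A0000001000, r"C:\TEMP\prefs.xml"),
    FileIoEvent("FileIOFileDelete", 0xFFFF8A0000004000, r"C:\temp\prefs.xml"),
]
WATCHED = [r"C:\temp\prefs.xml", r"C:\temp\settings.ini"]

if __name__ == "__main__":
    for hit in attribute_deletes(SAMPLE_EVENTS, WATCHED):
        who = f"{hit['process']} (pid {hit['pid']})" if hit["process"] else "an unknown process"
        print(f"{hit['file']} was deleted by {who}")
```

On a real trace the event objects would come from the TraceEvent callbacks shown in the answer rather than from the constructed list; the correlation logic does not change. Keying the state on FileKey instead of a single variable is what lets one session cover every preference file the application writes.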
