How is it possible to understand which process deletes a file on the hard drive


Question

I have the following problem. I develop an application that keeps the settings in preference files. At some point in time, one of these files is being deleted. This file cannot be deleted from my application.

How is it possible to understand which process deletes a file on the hard drive under Windows?

The problem appears rarely. I'm looking for a program that can run as a service or something else, so I can write a patch for the application to monitor at runtime whether someone deletes the file and log which process did it.

Recommended answer

If you're ok with a C# solution, you can use the Microsoft.Diagnostics.Tracing.TraceEvent nuget package. It's a wrapper over ETW (Event Tracing for Windows) events.

What happens is the Windows kernel traces everything, and you can get those traces in real time. But it's sometimes difficult to correlate them.

In your case, you're looking for file delete events, but unfortunately, these events have no process information attached to them, so I've used another event. Here is some sample code:

using System;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;

namespace TraceDeletes
{
    class Program
    {
        static void Main(string[] args)
        {
            if (TraceEventSession.IsElevated() != true)
            {
                Console.WriteLine("To turn on ETW events you need to be Administrator, please run from an Admin process.");
                return;
            }

            // we're watching that particular file
            string filePath = @"C:\temp\New Text Document.txt";
            ulong fileKey = 0;
            string processName = null;
            using (var session = new TraceEventSession("whatever"))
            {
                // handle console CTRL+C gracefully
                Console.CancelKeyPress += (sender, e) => session.Stop();

                // we filter on events we need
                session.EnableKernelProvider(
                    KernelTraceEventParser.Keywords.DiskFileIO |
                    KernelTraceEventParser.Keywords.FileIOInit);

                // this event has no process information
                session.Source.Kernel.FileIOFileDelete += data =>
                {
                    if (data.FileKey == fileKey)
                    {
                        Console.WriteLine(data.FileName + " was deleted by " + processName);
                        fileKey = 0;
                        processName = null;
                    }
                };

                // this event has process information (id, name)
                // it happens before delete, of course
                // we remember the FileKey
                session.Source.Kernel.FileIOQueryInfo += data =>
                {
                    if (string.Compare(data.FileName, filePath, StringComparison.OrdinalIgnoreCase) == 0)
                    {
                        fileKey = data.FileKey;
                        processName = data.ProcessName;
                    }
                };

                // runs forever, press CTRL+C to stop
                session.Source.Process();
            }
        }
    }
}

If you create that "C:\temp\New Text Document.txt" file and delete it using Windows Explorer, you should see this:

C:\temp\New Text Document.txt was deleted by explorer

Note: ETW is of course usable using other languages, but it's much easier with this .NET library.
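The same FileKey correlation, generalized from a single file to every file under a directory (added example, not the answer's code): each FileIOQueryInfo event that carries process information is remembered per FileKey in a dictionary, and the later FileIOFileDelete event for that key is attributed to the last process that queried it. The directory `C:\temp\` and the session name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;

namespace TraceDeletesDir
{
    class Program
    {
        static void Main(string[] args)
        {
            if (TraceEventSession.IsElevated() != true)
            {
                Console.WriteLine("Run this from an elevated (Administrator) process.");
                return;
            }

            // Assumed watched directory; every file underneath it is tracked.
            string watchedDir = @"C:\temp\";
            // FileKey -> (pid, name) of the last process that queried the file.
            var lastQuery = new Dictionary<ulong, (int pid, string name)>();

            using (var session = new TraceEventSession("TraceDeletesDir"))
            {
                // stop the session cleanly on CTRL+C
                Console.CancelKeyPress += (sender, e) => session.Stop();
                session.EnableKernelProvider(
                    KernelTraceEventParser.Keywords.DiskFileIO |
                    KernelTraceEventParser.Keywords.FileIOInit);

                // carries process id and name; remember it under the FileKey
                session.Source.Kernel.FileIOQueryInfo += data =>
                {
                    if (data.FileName.StartsWith(watchedDir, StringComparison.OrdinalIgnoreCase))
                        lastQuery[data.FileKey] = (data.ProcessID, data.ProcessName);
                };

                // no process info here; look the FileKey up instead
                session.Source.Kernel.FileIOFileDelete += data =>
                {
                    if (lastQuery.TryGetValue(data.FileKey, out var who))
                    {
                        Console.WriteLine($"{DateTime.Now:o} {data.FileName} deleted by {who.name} (pid {who.pid})");
                        lastQuery.Remove(data.FileKey);
                    }
                };

                session.Source.Process();
            }
        }
    }
}
```

The attribution is a heuristic: it names the last process that queried the file's information before the delete, which is what the answer's single-file version relies on as well.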

