How is it possible to understand which process deletes a file on the hard drive

I have the following problem. I develop an application that keeps its settings in preference files. At some point in time, one of these files is being deleted. This file cannot be deleted from my application.

How is it possible to understand which process deletes a file on the hard drive under Windows?

EDIT: The problem appears rarely. I'm looking for a program that can run as a service or something similar, so I can make a patch for the application that monitors at runtime whether someone deletes the file and writes down which process did it.

Crus answered 2/8, 2018 at 12:59 Comment(6)
As an administrator, you could enable auditing of file access and set up auditing on the file, or use Process Monitor. – Pasol
@eryksun see my edit. – Crus
Alternatively, you can prevent the file from being deleted by keeping it open without sharing delete access. – Pasol
I have to figure out who is trying to delete it; this is not a solution to the problem, this is a workaround. – Crus
Configuring auditing is the least invasive approach since the kernel is already instrumented to support creation of audit events. Other options are basically like Process Monitor, left running with a specific filter looking for access on the file. This either requires a driver that hooks into the kernel to monitor the given file-system I/O requests (IRPs) or some kind of system-wide API hooking (e.g. something like Detours). You could look into how API Monitor works, to see if it can be integrated. – Pasol
@Crus You would have solved this by now had you simply enabled auditing instead of trying to badly reinvent a wheel - a wheel that you already have installed on your system. – Anabas
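The auditing approach suggested in the comments above, worked through as an added example (not code from the original thread): it enables the "File System" audit subcategory, places a SACL entry on the file so successful DELETE access is recorded, and later joins the resulting Security-log events to name the deleting process. The path is assumed to be the one used elsewhere in the thread; run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the original thread. Assumption: the watched file is the
# path used elsewhere in the thread. Requires an elevated (Administrator) prompt.
$target = 'C:\temp\New Text Document.txt'

# 1. Turn on object-access auditing for the file system so the kernel emits events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry to the file: audit successful DELETE access by anyone.
#    Get-Acl/Set-Acl need -Audit (and SeSecurityPrivilege) to read and write the SACL.
$acl  = Get-Acl -Path $target -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Delete', 'None', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $target -AclObject $acl

# 3. After the file has disappeared, find the culprit in the Security log.
#    4663 ("An attempt was made to access an object") carries ObjectName and HandleId;
#    4660 ("An object was deleted") carries ProcessName/ProcessId and the same HandleId,
#    so the two are joined on HandleId. Events are sorted oldest first so the 4663
#    is seen before its matching 4660.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663 } `
            -ErrorAction SilentlyContinue | Sort-Object TimeCreated
$byHandle = @{}
foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($e.Id -eq 4663 -and $d.ObjectName -eq $target) {
        $byHandle[$d.HandleId] = $d.ObjectName
    }
    elseif ($e.Id -eq 4660 -and $byHandle.ContainsKey($d.HandleId)) {
        '{0} (PID {1}) deleted {2} at {3}' -f $d.ProcessName, $d.ProcessId,
            $byHandle[$d.HandleId], $e.TimeCreated
    }
}
```

Step 3 can run on its own later, or be scheduled, since the audit configuration from steps 1 and 2 persists until the file is gone; the SACL entry is removed together with the file, so re-apply it when the application recreates the file.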

Maybe using Process Monitor, with these parameters «operation: SetDispositionInformationFile, Result: SUCCESS, detail:"Delete:True"» on your path.

More detail about this: here and here

Tired answered 12/8, 2018 at 20:41 Comment(1)
The real answer! SetDispositionInformationEx & SetDispositionInformationFile are both about file deletion! – Sleep

If you're OK with a C# solution, you can use the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package. It's a wrapper over ETW (Event Tracing for Windows) events.

What happens is the Windows kernel traces everything, and you can get those traces in real time. But it's sometimes difficult to correlate them.

In your case, you're looking for file delete events, but unfortunately, these events have no process information attached to them, so I've used another event. Here is some sample code:

using System;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;

namespace TraceDeletes
{
    class Program
    {
        static void Main(string[] args)
        {
            if (TraceEventSession.IsElevated() != true)
            {
                Console.WriteLine("To turn on ETW events you need to be Administrator, please run from an Admin process.");
                return;
            }

            // we're watching that particular file
            string filePath = @"C:\temp\New Text Document.txt";
            ulong fileKey = 0;
            string processName = null;
            using (var session = new TraceEventSession("whatever"))
            {
                // handle console CTRL+C gracefully
                Console.CancelKeyPress += (sender, e) => session.Stop();

                // we filter on events we need
                session.EnableKernelProvider(
                    KernelTraceEventParser.Keywords.DiskFileIO |
                    KernelTraceEventParser.Keywords.FileIOInit);

                // this event has no process information
                session.Source.Kernel.FileIOFileDelete += data =>
                {
                    if (data.FileKey == fileKey)
                    {
                        Console.WriteLine(data.FileName + " was deleted by " + processName);
                        fileKey = 0;
                        processName = null;
                    }
                };

                // this event has process information (id, name)
                // it happens before delete, of course
                // we remember the FileKey
                session.Source.Kernel.FileIOQueryInfo += data =>
                {
                    if (string.Compare(data.FileName, filePath, StringComparison.OrdinalIgnoreCase) == 0)
                    {
                        fileKey = data.FileKey;
                        processName = data.ProcessName;
                    }
                };

                // runs forever, press CTRL+C to stop
                session.Source.Process();
            }
        }
    }
}

If you create that "C:\temp\New Text Document.txt" file and delete it using Windows Explorer, you should see this:

C:\temp\New Text Document.txt was deleted by explorer

Note: ETW is of course usable using other languages, but it's much easier with this .NET library.

Tenor answered 7/8, 2018 at 8:18 Comment(2)
My application is Java based. – Crus
@Crus - that's not a problem. The program above will catch file deletion from any app that runs on a Windows box. You just have to adapt it to your file path. – Tenor

Sysinternals from Microsoft should be able to help you.

https://learn.microsoft.com/en-us/sysinternals/downloads/

Look under File and Disk Utilities. There are utilities that can show you which process accesses/modifies a given file.

Lindo answered 8/8, 2018 at 10:7 Comment(0)

You could develop a service, use FileSystemWatcher and monitor the Deleted event (FileSystemWatcher.Deleted Event).

Dorena answered 13/8, 2018 at 5:56 Comment(0)