堆栈内存溢出
  简体   繁体   English

跟踪打开特定文件的进程

[英]Tracing which process that has opened a particular file

 原文  2008-10-23 21:11:07       c++/ winapi/ file/ process-management

问题描述

From kernel mode in Windows I'm able to intercept and monitor virtually all actions performed on a particular disk. 从Windows中的内核模式,我能够拦截和监视在特定磁盘上执行的几乎所有操作。 When a file is opened for any purpose I get an event. 当为任何目的打开文件时,我会收到一个事件。

Now I want to trace which application that opened it. 现在我想跟踪打开它的应用程序。 I think this should be possible but don't know how. 我认为这应该是可能的,但不知道如何。

I'm using the standard file management functions in Windows Win32 API. 我正在使用Windows Win32 API中的标准文件管理功能。

Thanks in advance. 提前致谢。

/Robert /罗伯特·

4 个解决方案

解决方案1
 3  2008-10-23 21:15:12

Sysinternals Filemon (free) does this, and better yet they describe how they did it: Sysinternals Filemon (免费)做到这一点,更好的是他们描述了他们是如何做到的:

For the Windows 9x driver, the heart of FileMon is in the virtual device driver, Filevxd.vxd. 对于Windows 9x驱动程序,FileMon的核心位于虚拟设备驱动程序Filevxd.vxd中。 It is dynamically loaded, and in its initialization it installs a file system filter via the VxD service, IFSMGR_InstallFileSystemApiHook, to insert itself onto the call chain of all file system requests. 它是动态加载的,在初始化时,它通过VxD服务IFSMGR_InstallFileSystemApiHook安装文件系统过滤器,以将其自身插入到所有文件系统请求的调用链中。 On Windows NT the heart of FileMon is a file system driver that creates and attaches filter device objects to target file system device objects so that FileMon will see all IRPs and FastIO requests directed at drives. 在Windows NT上,FileMon的核心是一个文件系统驱动程序,它创建过滤器设备对象并将其附加到目标文件系统设备对象,以便FileMon将查看针对驱动器的所有IRP和FastIO请求。 When FileMon sees an open, create or close call, it updates an internal hash table that serves as the mapping between internal file handles and file path names. 当FileMon看到打开,创建或关闭调用时,它会更新内部哈希表,该表用作内部文件句柄和文件路径名之间的映射。 Whenever it sees calls that are handle based, it looks up the handle in the hash table to obtain the full name for display. 每当它看到基于句柄的调用时,它会在哈希表中查找句柄以获取显示的全名。 If a handle-based access references a file opened before FileMon started, FileMon will fail to find the mapping in its hash table and will simply present the handle's value instead. 如果基于句柄的访问引用在FileMon启动之前打开的文件,则FileMon将无法在其哈希表中找到映射,而只是显示句柄的值。

-Adam -亚当

解决方案2
 1  2008-10-23 21:26:03

Sysinternals did a so good job at doing it and explaining it, that some source code of old version are still available here for instance, and the code is well documented (imho). Sysinternals的在做这件事,并解释它做了一个好工作,那的旧版本的一些源代码仍然可以在这里例如,代码是有据可查的(恕我直言) It could be a good start as well. 这也可能是一个好的开始。

解决方案3
 0  2008-10-23 21:14:38

I would use the "handle.exe" app from Sysinternals. 我会使用Sysinternals的“handle.exe”应用程序。

Or, are you actually trying to do this programmactically? 或者,你实际上是在尝试做这个程序吗?

解决方案4
 -3 已采纳  

Just use Win32 N.API to get the pid from the File handle. 只需使用Win32 N.API从File句柄中获取pid。 It's a FAQ for 15 years... 这是15年的常见问题解答......

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何删除已打开句柄的文件? - How to remove the file which has opened handles? 确定哪个文件包含某些特定的头文件 - Identify which file has included some particular header file 如何从文件名中找到哪个进程对文件有句柄 - how to find which process has a handle on a file from the file name 在 C++ 中,如何检测该文件是否已被自己的进程打开? - In C++, how to detect that file has been already opened by own process? 如何找到我的进程在Linux中打开的文件句柄? - How do I find the file handles that my process has opened in Linux? Interogate哪个进程在Windows C ++中锁定了一个文件 - Interogate which process has locked a file in Windows C ++ 是否可以删除Windows下进程打开的文件? - Is it possible to delete a file that is opened by a process under windows? 哪个进程获得了信号量 - Which process has acquired semaphore 如何使用Qt只读取具有特定单词的文本文件中的一行 - how to read only one line in a text file which has particular word using Qt 有没有一种简单的方法来判断文件流是否已打开目录而不是文件? - Is there an easy way to tell if a File stream has opened a directory instead of a file?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM