File Watcher - 获取在 Windows 中创建文件的进程名称?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/428774/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
File Watcher - get the process name that created a file in Windows?
提问by BuddyJoe
Is there a good way to get the process name that created a file in Windows?
有没有一种方法可以获取在 Windows 中创建文件的进程名称?
I have a directory on a Windows 2000 Server
C:\WINNT\Tempthat is filling up with files named like:
70618199
21834082
我在 Windows 2000 Server
C:\WINNT\Temp上有一个目录,里面装满了如下文件:
70618199
21834082
They are always 121,201 KB in size.
它们的大小始终为 121,201 KB。
Programatically can I "capture" the program name or service name that is dropping files in this location?
我可以以编程方式“捕获”在此位置放置文件的程序名称或服务名称吗?
MORE INFO:
I did some more research on this. I renamed the file TIFF and was able to open it.
This machine functions as a document search tool via a custom written ASP.NET app.
The machine contains approx 50,000 TIFF documents on the E:\ drive. This machine also runs SQL Server 2000 w/ Full-Text Indexing turned on. Full-Text Indexing in no way touches the TIFFs - but it shouldn't because this is SQL right? But FTS does require Indexing service be turned on. The weird thing this TIFF seems to be the largest thing served off of the web server. Does IIS or Indexing Service use C:\WINNT\Temp for some kind of caching? Thoughts?
更多信息:
我对此进行了更多研究。我重命名了文件 TIFF 并能够打开它。
这台机器通过自定义编写的 ASP.NET 应用程序充当文档搜索工具。机器在 E:\ 驱动器上包含大约 50,000 个 TIFF 文档。这台机器还运行 SQL Server 2000,启用全文索引。全文索引绝不涉及 TIFF - 但它不应该因为这是 SQL 对吗?但是 FTS 确实需要打开索引服务。奇怪的是,这个 TIFF 似乎是 Web 服务器提供的最大的东西。IIS 或索引服务是否使用 C:\WINNT\Temp 进行某种缓存?想法?
RESOLUTION (Maybe?)This seems to be Microsoft Indexing Service.
When I shut it down, none of these files get created in WINNT\Temp.
It seems to grab the largest file it finds and copies it into WINNT\Temp.
This is weird. When you are dealing with a 100MB+ TIFF file, this can cause you to run out of disk space. Very annoying.
Guess I will just shut down the "Web" branch of my Indexing Services.
解决方案(也许?)这似乎是 Microsoft 索引服务。
当我关闭它时,这些文件都不会在 WINNT\Temp 中创建。
它似乎抓取了它找到的最大文件并将其复制到 WINNT\Temp。这很奇怪。当您处理 100MB 以上的 TIFF 文件时,这可能会导致磁盘空间不足。很烦人。
猜猜我会关闭我的索引服务的“Web”分支。
回答by Rowland Shaw
There's always Process monitorwhich replaces FileMon which will tell you which process is accessing the files in question.
总是有进程监视器代替 FileMon,它会告诉你哪个进程正在访问有问题的文件。
回答by z -
If you want something similar to fuser for windows, you can check out Process Explorer
如果你想要类似于 windows 的 fuser 的东西,你可以查看Process Explorer
It won't let you watch a file, but you can see if any current running processes are accessing that temp directory and creating similar named temp files.
它不会让您查看文件,但您可以查看是否有任何当前正在运行的进程正在访问该临时目录并创建类似的命名临时文件。
回答by Igor Zelaya
I've used FileMon.exe,but in only works on XP.
我使用过FileMon.exe,但仅适用于 XP。
回答by ZeroBugBounce
The only way I've found to do this from .NET programatically is to run Sysinternal's Command-line Handle Appand pass the file name in and read the console output to try to catch the source application with an open handle to the file.
我发现从 .NET 以编程方式执行此操作的唯一方法是运行Sysinternal 的命令行句柄应用程序并传入文件名并读取控制台输出以尝试捕获具有文件打开句柄的源应用程序。
Otherwise the utilities others have mentioned would do fine.
否则其他人提到的实用程序会很好。
回答by MSN
You could always set that directory to read-only and see what throws up. Although if it's a document server you might not want to do that.
您始终可以将该目录设置为只读,然后查看会出现什么情况。虽然如果它是一个文档服务器,你可能不想这样做。
回答by MSN
\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\service.exe
This is a Recycler Virus. It created a hidden folder called "Recycler" In all disk partitions and i was not able to delete them from windows Safe Mode. Norton, AVG Kaspersky failed to detect it or delete it.
这是一种回收病毒。它在所有磁盘分区中创建了一个名为“Recycler”的隐藏文件夹,我无法从 Windows 安全模式中删除它们。诺顿、AVG 卡巴斯基未能检测到或删除它。
I turn off system restore, rebooted the PC using a Boot disk went to command prompt and deleted "Recycler" folder from all drives. using command rmdir/s c:\recycler
我关闭系统还原,使用启动盘重新启动 PC 进入命令提示符并从所有驱动器中删除“Recycler”文件夹。使用命令 rmdir/sc:\recycler
This is the only thing that worked for me on Windows XP.
这是在 Windows XP 上唯一对我有用的东西。
回答by BuddyJoe
Just use standard Win32 api (NAPI).
只需使用标准的 Win32 api (NAPI)。
See Adv. Win32 api ng news://comp.os.ms-windows.programmer.win32 for source code (C)
见Adv。Win32 api ng news://comp.os.ms-windows.programmer.win32 源代码 (C)
