How would I determine what program/process created a file?
How can I determine what program/process created a file after an event has been fired, i.e. after the modified, created, rename, etc. events?
That's not really possible in any easy way.
What you could do is to enumerate all open file handles of all processes to check which process has a handle open to the file you're interested in. This would be a VERY brute force approach, though, and I don't recommend using this unless you absolutely, ultimately *must* know it.
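The handle enumeration described in the answer above, as an added example that is not part of the original post. It assumes Linux, where each process's open descriptors appear under `/proc/<pid>/fd`; `holders_of` and `demo` are hypothetical names. The demo also shows the limit of the approach: a process that has already closed the file is no longer found.

```python
import os
import tempfile


def holders_of(path, proc_root="/proc"):
    """Return {pid: [fd, ...]} for every process that has `path` open."""
    target = os.stat(path)
    key = (target.st_dev, target.st_ino)  # compare by inode, not by name
    found = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():           # only numeric entries are PIDs
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:                   # process exited or access denied
            continue
        for fd in fds:
            try:
                # stat() follows the fd link to the object it refers to
                st = os.stat(os.path.join(fd_dir, fd))
            except OSError:               # descriptor closed in the meantime
                continue
            if (st.st_dev, st.st_ino) == key:
                found.setdefault(int(entry), []).append(int(fd))
    return found


def demo():
    """Constructed scenario: this process creates a file, then closes it."""
    fd, path = tempfile.mkstemp()
    try:
        while_open = holders_of(path)     # creator still holds the handle
        os.close(fd)
        after_close = holders_of(path)    # handle gone, creator invisible
    finally:
        os.unlink(path)
    return os.getpid(), fd, while_open, after_close


if __name__ == "__main__":
    pid, fd, while_open, after_close = demo()
    print("own pid    :", pid)
    print("while open :", while_open)
    print("after close:", after_close)
```

Without root, only processes owned by the same user can be inspected; the others are skipped silently by the `OSError` handler.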