Page 1 of 1

How would I determine what program/process created a file?

Posted: Tue Aug 29, 2006 7:54 pm
by Fatmoe
How can I determine what program/process created a file, after a event has been fired? i.e after the modified, created, rename, etc events.

Posted: Wed Aug 30, 2006 7:11 am
by madshi
That's not really possible in any easy way.

What you could do is to enumerate all open file handles of all processes to check which process has a handle open to the file you're interested in. This would be a VERY brute force approach, though, and I don't recommend to use this, unless you absolutely ultimately *must* know it.