3

My goal is to set up a service to watch a network folder containing about 200 .exe files. What I'd like is to have the service update a log each time one of the .exes is launched. Basically I'd like to log usage of each application by recording every time one of them is used.

I've tried using the FileSystemWatcher class to accomplish this, code below, figuring that the LastAccess filter would do the trick, but it seems it won't. When I run this code no event is raised when the applications are opened.

Is there some way of using the FileSystemWatcher class to do this kind of monitoring? Is there any way to do what I'm attempting?

Private Sub StartWatch()

    Dim exeWatcher As New FileSystemWatcher

    exeWatcher.Path = "<path>"
    exeWatcher.Filter = "*.exe"
    exeWatcher.IncludeSubdirectories = True
    exeWatcher.NotifyFilter = (NotifyFilters.LastAccess Or NotifyFilters.LastWrite Or NotifyFilters.FileName Or NotifyFilters.DirectoryName Or NotifyFilters.Attributes)

    AddHandler exeWatcher.Changed, AddressOf ExeChanged

    exeWatcher.EnableRaisingEvents = True

End Sub

Private Sub ExeChanged(source As Object, e As FileSystemEventArgs)
    Console.WriteLine("File: " & e.FullPath & " " & DateTime.Now.ToString())
End Sub
Seth
  • In a word, no. The filesystem keeps track of the files themselves, not what the OS does with them; execution is not performed 'by the file', the file is copied to RAM and executed there. Sort of.. lol – Grim Jul 03 '14 at 13:23
  • @Grim That's a helpful distinction. Thanks. – Seth Jul 03 '14 at 14:12

2 Answers

2

Take a look at this Stack Overflow answer, which involves monitoring WMI Win32_Process instance creation events (basically, when WMI registers that a new process has been created). This is probably the most effective way outside of a C++ kernel hook to find out when a process has started.

At that point, you just need to use a regular expression to test the file path to see if it's originating from that folder, and respond appropriately if it is.

Community
Brandon Langley
  • This only works for processes on the local system, or after connecting to a specific remote system. The exe files are on a network share, indicating that potentially a number of different computers are launching the programs. He'd have to connect to each machine to get the info this way... though he'll likely need to do that no matter what. – Joel Coehoorn Jul 03 '14 at 13:33
  • Yeah, painful but true. Even if he successfully came up with a way to monitor the network share for access, Windows has such a granular understanding of 'access', and yet does not actually have a way of expressing 'accessed to execute'. So every time someone browsed the folder with explorer, looked at the properties, etc, he would see a 'read'. – Brandon Langley Jul 03 '14 at 13:43
  • Thanks. This was going to be my next question - how to get WMI to work on a network share. From these comments it seems I'll have to go in another direction to get the information I need. I'll mark this answer as accepted because it really does point me to a solution for what I asked about. – Seth Jul 03 '14 at 14:15
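
Added example, not code from any poster on this page: a sketch of the approach the answer above describes, subscribing to WMI Win32_Process creation events on the local machine and logging launches whose executable path falls under the watched folder. A case-insensitive prefix comparison stands in for the regular expression; the share prefixes are placeholders, and it is an assumption that clients report the path as a UNC path or a mapped drive letter.

```vbnet
Imports System
Imports System.Management   ' requires a reference to System.Management

Module ExeLaunchLogger
    ' Assumption: prefixes under which this machine sees the share.
    ' Both values are placeholders, not taken from the page.
    Private ReadOnly WatchedPrefixes As String() = {"\\fileserver\apps\", "Z:\apps\"}

    ' True when the executable path lies under one of the watched prefixes.
    Function IsWatched(exePath As String) As Boolean
        ' ExecutablePath can be empty when the process cannot be inspected.
        If String.IsNullOrEmpty(exePath) Then Return False
        For Each prefix In WatchedPrefixes
            If exePath.StartsWith(prefix, StringComparison.OrdinalIgnoreCase) Then Return True
        Next
        Return False
    End Function

    ' Runs for every process created on this machine; logs only watched ones.
    Private Sub OnProcessCreated(sender As Object, e As EventArrivedEventArgs)
        Dim proc = CType(e.NewEvent("TargetInstance"), ManagementBaseObject)
        Dim exePath = TryCast(proc("ExecutablePath"), String)
        If IsWatched(exePath) Then
            Console.WriteLine("{0:o} pid={1} {2}", DateTime.UtcNow, proc("ProcessId"), exePath)
        End If
    End Sub

    Sub Main()
        ' WMI checks for new Win32_Process instances once per second.
        Dim query As New WqlEventQuery("__InstanceCreationEvent", TimeSpan.FromSeconds(1),
                                       "TargetInstance ISA 'Win32_Process'")
        Using watcher As New ManagementEventWatcher(query)
            AddHandler watcher.EventArrived, AddressOf OnProcessCreated
            watcher.Start()
            Console.WriteLine("Logging launches; press Enter to stop.")
            Console.ReadLine()
            watcher.Stop()
        End Using
    End Sub
End Module
```

Because the query polls at the WITHIN interval, a process that starts and exits between two polls can go unlogged. As the comments above note, this sees only launches on the machine where it runs, so it would have to be deployed to each client that uses the share.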
1

The file system watcher cannot be used to accomplish this because it doesn't know why the file is being accessed. It could be accessed to show the properties of the executable or someone copied it to their local hard drive.

If your goal is to see what machines are running your executable, you can use Windows Management Instrumentation (WMI) to remotely query a machine for Win32_Process and determine if your process is running there.

vcsjones