4

Using FileSystemWatcher we can monitor the IO activity of a particular file system, but is there any way to know which one of the running processes is causing that IO?

More specifically, suppose a running process viz. abc.exe is creating a file text.txt on drive D. We can monitor that a file named text.txt has been created in drive D using FileSystemWatcher, but can we determine programmatically that a process named abc.exe is creating that particular file in drive D?

Anindya Chatterjee
  • Wonder if you can attempt to access the file and then catch the exception since it will be in use by another process and extract any valuable data out of the exception? – Aaron McIver Oct 19 '10 at 17:53
  • @Aaron, you get a generic exception that doesn't include details about which process is using the file. Also it's possible that you won't get an exception at all if the file was opened with shared access. – Samuel Neff Oct 21 '10 at 13:30

3 Answers

7

handle.exe from SysInternals is a command line tool that allows programmatic access to which program has a particular file or directory open.

```
C:\>handle.exe c:\Windows\system32\stdole2.tlb
```

Produces this output:

```
Handle v3.42
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals - www.sysinternals.com
devenv.exe         pid: 5240    184: C:\Windows\System32\stdole2.tlb
Ssms.exe           pid: 5000    1F4: C:\Windows\System32\stdole2.tlb
```

Which can be parsed programmatically.

http://technet.microsoft.com/en-us/sysinternals/bb896655.aspx

Samuel Neff
  • Though it is not an API, which is what I want, it still helps me somewhat to achieve my goal, so I am selecting your response as a potential answer. – Anindya Chatterjee Oct 21 '10 at 08:26
  • @Anindya Chatterjee, I agree an actual API would be nicer. Unfortunately the source is no longer available. http://damieng.com/blog/2006/11/09/microsoft-withdraws-sysinternals-source-code – Samuel Neff Oct 21 '10 at 13:29
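One way to parse the handle.exe output shown in the answer above from C#, as an added example that is not part of the original answer or of Sysinternals. The names `OpenHandle`, `HandleOutput`, `Parse` and `Query` are hypothetical; it assumes handle.exe is on PATH with its EULA already accepted, and that newer builds may print an extra `type:` column.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Text.RegularExpressions;

public sealed record OpenHandle(string ProcessName, int Pid, string HandleId, string Path);

public static class HandleOutput
{
    // Matches result rows such as:
    //   devenv.exe         pid: 5240    184: C:\Windows\System32\stdole2.tlb
    // The optional "type: File" column is an assumption about newer handle.exe builds.
    private static readonly Regex Row = new Regex(
        @"^(?<proc>.+?)\s+pid:\s*(?<pid>\d+)\s+(?:type:\s*\S+\s+)?(?<handle>[0-9A-Fa-f]+):\s+(?<path>.+?)\s*$",
        RegexOptions.Compiled);

    public static List<OpenHandle> Parse(string output)
    {
        var result = new List<OpenHandle>();
        foreach (var line in output.Split('\n'))
        {
            var m = Row.Match(line.TrimEnd('\r'));
            if (!m.Success) continue; // banner, blank lines, "no match" messages
            result.Add(new OpenHandle(m.Groups["proc"].Value, int.Parse(m.Groups["pid"].Value),
                                      m.Groups["handle"].Value, m.Groups["path"].Value));
        }
        return result;
    }

    // Assumption: handle.exe is on PATH and its EULA has already been accepted.
    public static List<OpenHandle> Query(string path)
    {
        var psi = new ProcessStartInfo("handle.exe")
            { RedirectStandardOutput = true, UseShellExecute = false, CreateNoWindow = true };
        psi.ArgumentList.Add(path); // passed as a single argument, never through a shell
        using var p = Process.Start(psi) ?? throw new InvalidOperationException("handle.exe did not start");
        string output = p.StandardOutput.ReadToEnd();
        p.WaitForExit();
        return Parse(output);
    }

    public static void Main()
    {
        // Sample rows copied from the output shown in the answer above.
        const string sample = "Handle v3.42\n" +
            "devenv.exe         pid: 5240    184: C:\\Windows\\System32\\stdole2.tlb\n" +
            "Ssms.exe           pid: 5000    1F4: C:\\Windows\\System32\\stdole2.tlb\n";
        foreach (var h in Parse(sample))
            Console.WriteLine($"{h.ProcessName} (pid {h.Pid}) handle {h.HandleId}: {h.Path}");
    }
}
```

The result is a snapshot of handles open at the moment handle.exe runs, so a process that created the file and already closed it will not appear when `Query` is called from a FileSystemWatcher event handler.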
1

No, this is not possible. FSW sits at a very low level in the file system driver stack. It can only tell that the file system is getting modified; it doesn't know by whom. This is very much by design: it might be a process that sits half-way across the world, using a VPN connection over the internet to use a file share. There is no reasonable alternative for your request.

Hans Passant
0

I would recommend SysInternals utilities for this rather than rolling your own.

http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx

Dave Swersky
  • But those are applications and not APIs to "determine programmatically" what the user wants to know. – Samuel Neff Oct 19 '10 at 18:10
  • @Sam - see Hans Passant's answer for the reason why this cannot be done trivially – Steve Townsend Oct 19 '10 at 18:22
  • @Steve Townsend, that doesn't make the reference to SysInternals a correct answer. – Samuel Neff Oct 19 '10 at 18:28
  • @Sam - I don't believe that I said anything about the merits of `sysinternals` in this instance. The point I meant to get across is that FSW is the best you can do in C#, as @Hans concisely explained. – Steve Townsend Oct 19 '10 at 18:36
  • @Steve Townsend, even if using a utility from SysInternals is the correct answer, a generic link to the SysInternals suite which lists all utilities is not as useful as a link to a specific utility with instructions on how to use it. Actually I checked and we do this in one of our own applications, so I'm posting specifics here. – Samuel Neff Oct 19 '10 at 19:21