0

Is there a way to detect when a file is open by another process?
I've tried the following

  • Search for handles in processes to get if file is open
    This only helps for programs that keep the file open for use. but doesn't work for even simple apps like notepad.exe, notepad++ that close the file immediately after loading to memory.
  • Continuously check for the Date Accessed property of the file to know it was opened when it changes.
    Doesn't work since it doesn't change when file is opened. eg I opened and read it in notepad but never changed.
  • Use FileSystemWatcher to get event triggered when file is opened
    Only can works for events such as Changed, Created, Deleted, Renamed.... and doesn't detect when file is opened.


So is there any way to detect this? I am thinking it is possible because most antiviruses can sharply detect and block infected when files are opened.

Abraham
  • 12,140
  • 4
  • 56
  • 92
  • 1
    Antiviruses use file system filter drivers - https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/about-file-system-filter-drivers. – nevilad Feb 14 '21 at 12:30
  • 1
    there is a library that can help you but it's not free, and its price is very high because what you what to do is very hard: 2.5k https://www.callback.com/cbfsfilter – Giox Feb 14 '21 at 12:39
  • Possible duplicate of https://stackoverflow.com/questions/4583213/monitoring-io-like-sysinternals-procmon – Caius Jard Feb 14 '21 at 13:00
  • @CaiusJard that one is asking about `CreateFile` and such events that involve file modification. That's easy to do using `FileSystemWatcher`. – Abraham Feb 14 '21 at 13:04
  • No, it's more about how to listen to file events like Procmon does - don't get hung up on one particular event. Read it again, and the answer, and the questions the answer links to etc. – Caius Jard Feb 14 '21 at 13:07

0 Answers0