Ask HN: What is the best way to see what files are being read in Windows?
5 points
17 hours ago
| 3 comments
| HN
I am looking at migrating a Windows server (Windows Server 2012 R2 Standard) and I am wondering if there is some way to learn what files are being read. I know the operating system keeps this metadata but I have also learned that this metadata is unreliable. Is there a third party tool or some kind of powershell script I can use to track this data?
runjake
12 hours ago
[-]
The most approachable way is to use Procmon from the Sysinternals tools released by Microsoft.

https://learn.microsoft.com/en-us/sysinternals/downloads/pro...

Here's a good, basic video tutorial from Scott Hanselman, explainer extraordinaire:

https://www.youtube.com/watch?v=pjKNx41Ubxw

reply
rolph
15 hours ago
[-]
generally you need a process, or file hook; or you want to monitor API calls of running processes

https://kevgo.dev/posts/fs_capture/

https://github.com/evandowning/windbg-trace

for reference, your goal is to detect operations on files and report file, i.e. build a process monitor that you can trust and have granular control.

https://learn.microsoft.com/en-us/windows/win32/api/fileapi/...

the system calls have consequences and results that you may use for your way of detecting file status. very oversimple example is just try to do something to a file, and look at results. if the file is unused, you will get results; if the file is busy, you will get some sort of exception or system flag.

return value:

https://learn.microsoft.com/en-us/windows/win32/api/fileapi/...

GetLastError:

https://learn.microsoft.com/en-us/windows/win32/api/errhandl...

also for reference :

https://learn.microsoft.com/en-us/windows/win32/api/

reply
high_byte
13 hours ago
[-]
sysinternals
reply
high_byte
13 hours ago
[-]
specifically procmon will probably be what you want
reply