I'm trying to get a list of files accessed by a specific process, either by having its process ID or by launching it under some command-line utility.

I tried xperf but the documentation is really vague and despite a day of attempts, I can't get what I need.

Is anybody aware of such a utility?

Note: The list of accessed files should also include the files that have been opened and closed.

snovelli
  • You can use a combination of PowerShell and [Handle](https://technet.microsoft.com/en-ca/sysinternals/bb896655.aspx). See [Get-OpenFile](http://msgoodies.blogspot.co.uk/2009/03/get-openfile.html) for a starting point. – DavidPostill May 24 '16 at 12:28
  • @DavidPostill: I considered this, but I think that with this approach I may lose some information; for example, if a file is opened very briefly, I may not be able to capture it. – snovelli May 24 '16 at 12:51

1 Answer

I know Process Monitor 3.2 will do what you want, but it is known primarily as a GUI-based tool. If you type `procmon /?`, you get a list of command-line options. My suggestion would be to export a configuration (.pmf) and use it to export a CSV or XML file for analysis.

Unfortunately, having to create a configuration file beforehand does not allow you to just type the name of the process you want to follow. You can automate the writing of filters, but it requires you to use PowerShell.

Sun
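
The workflow described in the answer above, as an added PowerShell example that is not part of the original answer: it runs a headless Process Monitor capture with an exported configuration, converts the log to CSV, and lists every file path one PID touched. Because Process Monitor records each file-system event, files that were opened and closed quickly still appear. The executable path, configuration file, working directory and capture window are placeholders, and the export is assumed to use the default column set.

```powershell
#Requires -RunAsAdministrator
# Added example. Paths, file names and the capture window are placeholders.
param(
    [Parameter(Mandatory)] [int] $TargetPid,
    [string] $Procmon = 'C:\Tools\Procmon64.exe',     # assumed location of Process Monitor
    [string] $Config  = 'C:\Temp\file-activity.pmc',  # configuration exported from the GUI
    [string] $WorkDir = 'C:\Temp',
    [int]    $Seconds = 30
)

$pml = Join-Path $WorkDir 'capture.pml'
$csv = Join-Path $WorkDir 'capture.csv'

# 1. Start a quiet, minimized capture that writes events to a backing file.
$capture = Start-Process $Procmon -PassThru -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized',
    '/LoadConfig', "`"$Config`"", '/BackingFile', "`"$pml`"")
Start-Process $Procmon -Wait -ArgumentList '/WaitForIdle'   # wait until it is capturing

# 2. Let the target process run, then stop the capture and let the log flush.
Start-Sleep -Seconds $Seconds
Start-Process $Procmon -Wait -ArgumentList '/Terminate'
$capture.WaitForExit()

# 3. Convert the binary log to CSV, applying the filter from the same configuration.
Start-Process $Procmon -Wait -ArgumentList @(
    '/AcceptEula', '/LoadConfig', "`"$Config`"", '/OpenLog', "`"$pml`"",
    '/SaveApplyFilter', '/SaveAs', "`"$csv`"")

# 4. List each file path the PID touched, with the operations seen and event count.
#    Assumes the default column set (PID, Operation, Path) is present in the export.
Import-Csv $csv |
    Where-Object { [int]$_.PID -eq $TargetPid -and $_.Path -match '^([A-Za-z]:\\|\\\\)' } |
    Group-Object Path |
    ForEach-Object {
        [pscustomobject]@{
            Path       = $_.Name
            Events     = $_.Count
            Operations = ($_.Group.Operation | Sort-Object -Unique) -join ', '
        }
    } |
    Sort-Object Path
```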