Ask HN: What is the best way to see what files are being read in Windows?

5 points by jacobwilliamroy 2 days ago | 4 comments
I am looking at migrating a Windows server (Windows Server 2012 R2 Standard) and I am wondering if there is some way to learn what files are being read. I know the operating system keeps this metadata but I have also learned that this metadata is unreliable. Is there a third party tool or some kind of PowerShell script I can use to track this data?
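One defender-side way to answer the question with built-in tooling, added here as an example and not taken from the thread: instead of trusting NTFS last-access timestamps, turn on Object Access auditing for a directory tree and summarise the resulting Security event 4663 records per file. `$Share` and `$Days` are assumed placeholder values; run it elevated on the server.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell on the server.
# $Share and $Days are assumed placeholder values; replace them with your own.
param(
    [string]$Share = 'D:\Shares\Data',   # assumed: directory tree to observe
    [int]$Days = 7                       # assumed: how far back to read the Security log
)

# Last-access timestamps are not a reliable record: NTFS last-access updates are
# disabled by default on server SKUs (check with: fsutil behavior query disablelastaccess).
# Object Access auditing writes an event per access instead, so enable its
# "File System" subcategory (successful accesses only).
auditpol.exe /set /subcategory:"File System" /success:enable /failure:disable | Out-Null

# Add a SACL entry so that ReadData by any principal under $Share is audited,
# inherited by subfolders and files. This is what makes the 4663 events appear.
$acl  = Get-Acl -Path $Share -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success
)
$acl.AddAuditRule($rule)
Set-Acl -Path $Share -AclObject $acl

# Summarise Security event 4663 ("An attempt was made to access an object") into a
# per-file count of reads under $Share. AccessMask bit 0x1 is FILE_READ_DATA, so
# events that only carry write or attribute-read bits are filtered out.
function Get-FileReadSummary {
    param([string]$Root, [int]$LookbackDays)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue
    $reads = foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $name = ($data | Where-Object Name -eq 'ObjectName').'#text'
        $mask = [Convert]::ToInt32(($data | Where-Object Name -eq 'AccessMask').'#text', 16)
        if ($name -like "$Root*" -and ($mask -band 0x1)) {
            [pscustomobject]@{ File = $name; Process = ($data | Where-Object Name -eq 'ProcessName').'#text' }
        }
    }
    $reads | Group-Object File | Sort-Object Count -Descending |
        Select-Object Count, Name, @{n='Processes'; e={ ($_.Group.Process | Sort-Object -Unique) -join ', ' }}
}

Get-FileReadSummary -Root $Share -LookbackDays $Days | Format-Table -AutoSize
```

Leave the audit rule in place for the whole observation window before summarising; the Security log only records accesses made after the SACL exists, and auditing a busy share can grow the log quickly, so size it accordingly.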
runjake 2 days ago
The most approachable way is to use Procmon from the Sysinternals tools released by Microsoft. https://learn.microsoft.com/en-us/sysinternals/downloads/pro... Here's a good, basic video tutorial from Scott Hanselman, explainer extraordinaire:
rolph 2 days ago
Generally you need a process or file hook, or you want to monitor API calls of running processes. https://kevgo.dev/posts/fs_capture/ https://github.com/evandowning/windbg-trace For reference, your goal is to detect operations on files and report the file, i.e. build a process monitor that you can trust and have granular control over. https://learn.microsoft.com/en-us/windows/win32/api/fileapi/... The system calls have consequences and results that you may use for your way of detecting file status. A very oversimplified example is to just try to do something to a file and look at the results: if the file is unused, you will get results; if the file is busy, you will get some sort of exception or system flag. Return value: https://learn.microsoft.com/en-us/windows/win32/api/fileapi/... GetLastError: https://learn.microsoft.com/en-us/windows/win32/api/errhandl... Also for reference:
high_byte 2 days ago

sysinternals