Files Used by Process

One question that has come up a number of times for me is 'what files does this program use?'

Sometimes I'm interested in the data files it may touch, sometimes I'm interested in the DLLs it might be pulling in. In many cases, I can use the Windows Resource Monitor tool, available from Task Manager. For a good overview, see this post.

Sometimes, however, I want a detailed log. Tools such as Process Monitor from the Sysinternals suite are great for this.

Today I'll show you how to automate the collection of this information with some simple built-in tools.

Overview

A straightforward way to get the file access information we want is to use ETW traces. ETW itself is a topic for another day: it is a very powerful framework with all sorts of uses. You could do worse than checking Random ASCII to learn more if you're interested.

So, our plan is to start tracing file access, run our app, then process that trace.

Tracing file access

The logman tool is built into Windows and can be used to create logs of both performance counters (things like CPU usage) and traces (discrete events).

Events are generated by providers. To see a list of installed providers in the system, you can run this from an elevated (Administrator) command prompt.

logman query providers > providers.txt

This will get a list of providers and write it to a providers.txt file. There are all sorts of interesting providers there to go play with.

We'll use the kernel file provider, creating and starting our traces like this.

logman create trace myfiles -o C:\Users\Public\myfiles -p Microsoft-Windows-Kernel-File
logman start myfiles

After these commands, we can run the program and have it do whatever we're interested in; ETW will collect the trace into a file in the background. For convenience, note the process ID of the program you're looking at, since you can use it later to narrow down the results. You can simply run tasklist to get the list of running processes.

When we're done, we stop the trace, create a report, and delete it.

logman stop myfiles
pushd C:\Users\Public
tracerpt myfiles_000001.etl
logman delete myfiles

Processing results

One of the files created is called dumpfile.xml. You can open it in Notepad to take a look; it's usually nicely formatted (as far as XML formatting goes, in any case).

We can simply load this and run some XPath queries. Let's do some PowerShell.

# Load the tracerpt output and register the namespace each <Event> element uses
$doc = New-Object -Type System.Xml.XmlDocument
$doc.Load("C:\Users\Public\dumpfile.xml")
$nsmgr = New-Object -Type System.Xml.XmlNamespaceManager -ArgumentList $doc.NameTable
$nsmgr.AddNamespace(
  "e",
  "http://schemas.microsoft.com/win/2004/08/events/event")
# Select the FileName of every file-create event in the trace
$doc.SelectNodes(
  "/Events/e:Event[e:RenderingInfo/e:Task = 'Create']/e:EventData/e:Data[@Name='FileName']",
  $nsmgr)

A few things to note:

This shows all the files accessed during the trace, whichever process touched them, so you'll probably want to limit your query to the process you were interested in. If you remembered the process ID, it's a simple change. Let's say it was 12345.

$doc.SelectNodes(
  "/Events/e:Event[e:System/e:Execution/@ProcessID = '12345' and e:RenderingInfo/e:Task = 'Create']/e:EventData/e:Data[@Name='FileName']",
  $nsmgr)
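As an added example (not code from the original post), here is a function that turns the two queries above into a reusable summary: one line per process, task and file, with a hit count, so a trace can be sorted and compared rather than scrolled. It assumes the dumpfile.xml layout the queries above rely on; Get-TracedFiles and its parameter names are my own.

```powershell
# Added example (not from the original post): one line per process/task/file
# with a hit count. Assumes the dumpfile.xml layout the queries above rely on:
# <Events> root with no namespace, each <Event> in the events/event namespace,
# ProcessID on System/Execution, Task under RenderingInfo, FileName in EventData.
function Get-TracedFiles {
    param(
        [string]$Path = "C:\Users\Public\dumpfile.xml",
        [int]$ProcessId = 0,           # 0 = every process in the trace
        [string[]]$Task = @("Create")  # empty array = keep every task name
    )

    $doc = New-Object -TypeName System.Xml.XmlDocument
    $doc.Load($Path)
    $nsmgr = New-Object -TypeName System.Xml.XmlNamespaceManager -ArgumentList $doc.NameTable
    $nsmgr.AddNamespace("e", "http://schemas.microsoft.com/win/2004/08/events/event")

    # Only events that carry a FileName, optionally restricted to one process
    $pred = "e:EventData/e:Data[@Name='FileName']"
    if ($ProcessId -ne 0) {
        $pred = "e:System/e:Execution/@ProcessID = '$ProcessId' and $pred"
    }

    $rows = foreach ($ev in $doc.SelectNodes("/Events/e:Event[$pred]", $nsmgr)) {
        $taskNode = $ev.SelectSingleNode("e:RenderingInfo/e:Task", $nsmgr)
        $taskName = if ($taskNode) { $taskNode.InnerText } else { "" }
        if ($Task -and $taskName -notin $Task) { continue }
        # FileName is usually an NT device path (\Device\HarddiskVolumeN\...), not a drive letter
        [pscustomobject]@{
            ProcessId = [int]$ev.SelectSingleNode("e:System/e:Execution/@ProcessID", $nsmgr).Value
            Task      = $taskName
            FileName  = $ev.SelectSingleNode("e:EventData/e:Data[@Name='FileName']", $nsmgr).InnerText
        }
    }

    # Collapse repeats: one row per (process, task, file) with a hit count
    $rows |
        Group-Object ProcessId, Task, FileName |
        ForEach-Object {
            [pscustomobject]@{
                ProcessId = $_.Group[0].ProcessId
                Task      = $_.Group[0].Task
                Hits      = $_.Count
                FileName  = $_.Group[0].FileName
            }
        } |
        Sort-Object ProcessId, Hits -Descending
}

Get-TracedFiles -ProcessId 12345 | Format-Table -AutoSize
```

The trace covers every process on the machine, so the process filter matters; and since process IDs are reused, check the tasklist output against the trace window before trusting a filtered list.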

Happy investigations!

Tags:  debugging
