During my consulting and troubleshooting sessions, I use quite a few tools. Why do I need to use these tools? Most (if not all) software operates on files, since it has to load or save its data. The best tool that I've found for monitoring file operations on Windows is Process Monitor.

Prior to being acquired by Microsoft, part of Process Monitor was a separate tool known as File Monitor. From the name, it's easy to guess what the tool does.

It monitors all file operations performed by applications. Here's what it looks like:

Process Monitor allows you to monitor applications that match particular criteria, such as:

  • Architecture
  • Category
  • Command Line
  • Image Path
  • Path
  • Process Name
  • Process ID
  • Thread ID
  • Parent PID
  • Result
  • Operation
  • ... and much more!

It is one of the tools I frequently use whenever I'm wondering what file operations are being performed by an application. It was also one of my most used tools during the time I spent at ArcSight and at CodeGear (née Borland). I've used it very often whenever I need to consult, troubleshoot issues (such as figuring out whether a SmartConnector / FlexConnector is accessing some particular file), hack software, or find out what's going on under the hood.

It can be used to see whether a file is deleted, opened, created, read, or written, whether a buffer overflow occurred, etc.
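The same questions can be asked of a saved trace. The following is an added example, not part of the original post: it reads a Process Monitor CSV export, keeps one Process Name, and sorts each event by Operation and Result. The process name `connector.exe`, the paths and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the default column layout of a Process Monitor CSV
# export. A real export starts with a UTF-8 BOM: open it with "utf-8-sig".
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","connector.exe","4120","CreateFile","C:\demo\agent.properties","SUCCESS","Desired Access: Generic Read, Disposition: Open, OpenResult: Opened"
"10:01:02.2","connector.exe","4120","QueryAllInformationFile","C:\demo\agent.properties","BUFFER OVERFLOW","AllocationSize: 4,096"
"10:01:02.3","connector.exe","4120","ReadFile","C:\demo\agent.properties","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.4","connector.exe","4120","CreateFile","C:\demo\cache.tmp","SUCCESS","Desired Access: Generic Write, Disposition: Create, OpenResult: Created"
"10:01:02.5","connector.exe","4120","WriteFile","C:\demo\cache.tmp","SUCCESS","Offset: 0, Length: 512"
"10:01:02.6","connector.exe","4120","SetDispositionInformationFile","C:\demo\cache.tmp","SUCCESS","Delete: True"
"10:01:02.7","notepad.exe","980","ReadFile","C:\demo\notes.txt","SUCCESS","Offset: 0, Length: 120"
"10:01:02.8","connector.exe","4120","CreateFile","C:\demo\missing.xml","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open"
'''

def classify(row):
    """Map one event to a coarse category from Operation, Result and Detail."""
    op, result, detail = row["Operation"], row["Result"], row["Detail"]
    if result == "BUFFER OVERFLOW":
        # STATUS_BUFFER_OVERFLOW: the caller's buffer was too small for the
        # data returned. It is a status code, not evidence of memory corruption.
        return "buffer_overflow"
    if result != "SUCCESS":
        return "failed"
    if op == "CreateFile":
        return "created" if "OpenResult: Created" in detail else "opened"
    if op == "ReadFile":
        return "read"
    if op == "WriteFile":
        return "written"
    if op.startswith("SetDispositionInformation") and (
            "Delete: True" in detail or "FILE_DISPOSITION_DELETE" in detail):
        return "deleted"
    return "other"

def summarize(csv_text, process_name):
    """Return {category: [paths]} for the events of a single process."""
    summary = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() == process_name.lower():
            summary[classify(row)].append(row["Path"])
    return dict(summary)

if __name__ == "__main__":
    for category, paths in summarize(SAMPLE_CSV, "connector.exe").items():
        print(f"{category:16} {paths}")
```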

Keep this tool handy. You'll find it useful someday.