跟踪已打开特定文件的进程
问题描述:
从Windows的内核模式,我能够拦截和监视几乎所有在特定磁盘上执行的操作。当文件被打开为任何目的,我得到一个事件。
From kernel mode in Windows I'm able to intercept and monitor virtually all actions performed on a particular disk. When a file is opened for any purpose I get an event.
现在我想跟踪哪个应用程序打开它。我认为这应该是可能的,但不知道如何。
Now I want to trace which application that opened it. I think this should be possible but don't know how.
我使用Windows Win32 API中的标准文件管理功能。
I'm using the standard file management functions in Windows Win32 API.
提前感谢。
/ Robert
答
只需使用Win32 N.API从文件句柄获取pid。
15年的常见问题...
Just use Win32 N.API to get the pid from the File handle. It's a FAQ for 15 years...