
ReadDirectoryChangesW and determining which process caused the change


How can I determine which processes are making changes to which files?

I did find this:

FileSystemWatcher: how to know which process made the change?

But I'm curious if anything has changed lately? Is it possible yet to determine which process is making changes to the file system, either using ReadDirectoryChangesW or anything else? I'd prefer not to have to write or use a kernel driver.


Solution

  • Create a security audit on the files you want to track. The information will be recorded in the security event log.
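One way to set up the audit described in the answer and read the results back, as an added example that is not part of the original answer. It assumes an elevated PowerShell session and a hypothetical directory C:\Data\Watched; event ID 4663 and its field names come from Windows object-access auditing, not from this page.

```powershell
# Added example. Run elevated. $Path is a hypothetical directory to monitor.
$Path = 'C:\Data\Watched'

# 1. Enable the "File System" object-access audit subcategory for successes.
#    Without this policy, the SACL below produces no events.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add an audit entry (SACL) on the directory: log successful writes and
#    deletes by anyone, inherited by all files and subdirectories.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')  # Everyone
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl = Get-Acl -Path $Path -Audit      # -Audit is required to load the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Read event 4663 ("An attempt was made to access an object") from the
#    Security log and report which process touched which file.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        # Flatten the <EventData> name/value pairs into a hashtable.
        $d = @{}
        foreach ($item in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $d[$item.Name] = $item.'#text'
        }
        # Keep only events for objects under the audited directory.
        if ($d['ObjectName'] -like "$Path\*") {
            [pscustomobject]@{
                Time        = $evt.TimeCreated
                User        = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                ProcessId   = $d['ProcessId']      # hex string as logged
                ProcessName = $d['ProcessName']    # full path of the image
                File        = $d['ObjectName']
                AccessMask  = $d['AccessMask']     # hex bitmask of rights used
            }
        }
    } | Format-Table -AutoSize
```

Auditing a busy directory generates a high volume of Security log events, so scope the SACL to the rights and paths that matter and size the log accordingly.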