sam_738844
Wise Old Owl
try unlocker Free Download Unlocker 1.9.1 - Unlocker can unlock in-use files
sam_738844
Wise Old Owl
i googled some stuff, unlocker is actually the reverse engineered stuff, to see what all process are acessing a particular file, rather than what all files a process is using. Yes i was just about to suggest process monitor. I will do some hands-on over it and will let u know.
Aslo AFIR, tune up utilities has some same operational benift in their own "tune up task manager" which replaces the windows default and had some options like "see open files" for an exe or program. You can check with that too.
Okay..so PMON is the thing...here it goes..pretty simple...tabs are highlighted...which are full of vital info.
View attachment 8850
Aslo AFIR, tune up utilities has some same operational benift in their own "tune up task manager" which replaces the windows default and had some options like "see open files" for an exe or program. You can check with that too.
Okay..so PMON is the thing...here it goes..pretty simple...tabs are highlighted...which are full of vital info.
View attachment 8850
Last edited:
harshilsharma63
DIY FTW!
I get what you want to know, but I don't think it's possible, and I've checked Process explorer and I doesn't do that, and if process explorer cannot do that, I don't think any other utility can do that.
That utility does not do what the OP wants, it just displays the Image path, which it the URL of the file which created that process. Did you even get what OP wants?
sam_738844
Wise Old Owl
Might i suggest you to look and look more closely at the screenshot. Such as below
18:05:55,8171303 Explorer.EXE 1088 ReadFile C:\Windows\System32\mstsc.exe SUCCESS Offset: 1.005.568, Length: 16.384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal
The above line depicts that Explorer.exe which has a process ID 1088 has operated a ReadFile Operation on the resource path C:\Windows\System32\mstsc.exe and the operation was successful. Also time and length of the operation is also mentioned. See there also I/O flags and paging/segmentation info there along with cache. I hope you got my point, also as you said "its not the URL of the file that creatd that process" , for example , explorer.exe is a kernel process and initiated by kernel threads and is not initiated by any file, if that was the case, your system would not be able to start the OS before any file is initiated, and that...doesnt not happen, when windows starts, explorer is shared and allocated memory and resources by STS and LTS to trigger other functionalities and API's. then explorer.exe gets hold of the filehandler, library and file system itself ( some indexing may be) and locates all files so that you can see ur dear C:\ D:\
drives!!
Also see these.... what can u conclude after these below...all these files created Explorer.exe??? Explore.exe "ghanta" hain kya ki sab bajane lage hain?
18:05:55,8439828 Explorer.EXE 1088 CreateFileMapping C:\Windows\System32\mstsc.exe SUCCESS SyncType: SyncTypeOther
18:05:55,8446258 Explorer.EXE 1088 Load Image C:\Windows\System32\mstsc.exe SUCCESS Image Base: 0x94c0000, Image Size: 0x100000
18:05:55,8446615 Explorer.EXE 1088 RegOpenKey HKLM\Software\Microsoft\Windows\CurrentVersion\SideBySide SUCCESS Desired Access: Read
18:05:55,8447170 Explorer.EXE 1088 RegQueryValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\PreferExternalManifest NAME NOT FOUND Length: 20
18:05:55,8447348 Explorer.EXE 1088 RegCloseKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide SUCCESS
18:05:55,8447742 Explorer.EXE 1088 ReadFile C:\Windows\System32\mstsc.exe SUCCESS Offset: 397.824, Length: 16.384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal
18:05:55,8655925 Explorer.EXE 1088 RegCreateKey HKCU\System\CurrentControlSet\Control\Network\ShowWirelessConnectingOnStart SUCCESS Desired Access: Create Sub Key
18:05:55,8656461 Explorer.EXE 1088 RegCloseKey HKCU\System\CurrentControlSet\Control\Network\ShowWirelessConnectingOnStart SUCCESS
18:05:55,8657779 Explorer.EXE 1088 ReadFile C:\Windows\System32\pnidui.dll SUCCESS Offset: 1.052.160, Length: 16.384, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O, Priority: Normal
18:05:55,8723467 Explorer.EXE 1088 CreateFile C:\Windows\System32\mstsc.exe.Config NAME NOT FOUND Desired Access: Generic Read/Execute, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a
18:05:55,8724237 Explorer.EXE 1088 QueryBasicInformationFile C:\Windows\System32\mstsc.exe SUCCESS CreationTime: 14/07/2009 7:01:53, LastAccessTime: 14/07/2009 7:01:53, LastWriteTime: 14/07/2009 8:14:27, ChangeTime: 11/01/2012 23:28:07, FileAttributes: A
Last nail in the coffin...
see below
18:09:41,8955252 svchost.exe 832 CreateFile C:\Windows\Prefetch\SKYPENAMES2.EXE-9C9B11B0.pf SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, Impersonating: NT AUTHORITY\SYSTEM, OpenResult: Opened
It measn, as earlier stated , svchost.exe a system process has done Createfile operation, or just created a .pf file in that preftch file path....now...
A PF file extension refers to a prefetch file in Windows, which contains information of programs you commonly run in a Windows operating system. These include programs that run in the background and those that run during start up. PF files are created for programs you frequently use to make them load more quickly whenever you use them.
A prefetch is a Windows file that indexes information of programs you usually use. When you run Microsoft Word, it needs to load several things like DLL files and other drivers that it depends on before it is launched. These files are scattered in different directories, which Windows has to fetch every time you run Microsoft Word. The prefetch files speed up this process by indexing the information needed to launch programs you typically use. Instead of locating every directory for the drivers needed to launch Microsoft Word, it simply checks the prefetch file then proceeds to launch the program.
So if your inference is true... a .pf file just created a system process ?!!!
since when they are doing that??
Last edited:
harshilsharma63
DIY FTW!
OP
anirbandd
Conversation Architect
okay... i tried out ProcMon.. and got the basic hang of it, using filters and logging to files...
its a lovely software, just the thing i wanted, only with a lot more detail than i wanted.
@sam: nice explanation.. only thing is that its hovering at the height of the Eiffel tower, and i'm below 6"
its a lovely software, just the thing i wanted, only with a lot more detail than i wanted.
@sam: nice explanation.. only thing is that its hovering at the height of the Eiffel tower, and i'm below 6"
sam_738844
Wise Old Owl
that's how i roll baby