How do you determine the last process to modify a file? - c#

I know how to get the user that last modified a file, but does Windows track the process that made the modification as well? If so, is there an API for looking that up?

No. It is not recorded.
You could enable Object Access Auditing on a particular folder (I wouldn't recommended using on the general file system). See this post and use with caution!
You might be able to use .NET's FileSystemWatcher class.

Windows does NOT track the process that modifies a file. Best you can hope for is to actively watch the file(s) you are interested in and take note when an application opens them. I've seen applications that do this (eg. Sysinternals FileMon) but do not know off the top of my head how to accomplish it.

If you want to determine the process that is modifying the file during the runtime of your program, you could use the Windows API or a minifilter driver to track what every process on the system is doing (similar to using Sysinternals FileMon with custom filters, as Boo pointed out), but that will apply only during the runtime of your "capture" program. Once the file is modified, however, all the traces are gone.

Could you use Windows security auditing to log access to the file?

You could use procmon.exe from https://live.sysinternals.com/procmon.exe
This is a live monitor, so not much use retrospectively.
Deselect (uncheck) the "File | Capture Events" menu item.
Clear the currently displayed events by selecting the "Edit | Clear
Display" menu item.
Configure a filter by:
a. Select the Process Monitor "Filter | Filter..." menu item. This will
display the "Process Monitor Filter" dialog.
b. Set a new filter by setting the "Display entries matching those
conditions" fields:
c. (pick)Path (pick)contains whatever.txt then (pick)Include
d. Click the "Add" button to add the new filter.
derived from instructions here: http://answers.perforce.com/articles/KB/3035

Related

How to write a window service that track the number of times a specific folder was Opened

I Hope that this is the Correct way of asking this question. first my problem is that i want to know that how many times a specific folder was opened from the time my windows service start's. I don't want to write a desktop application for this purpose because i want it to happen in the background and also later i may want to add some more functionality. So that is why i need to be it a windows service.
is there some kind of OS Event that i can handle during my code, i.e the event is fired when a user open's folder.
If this is not the correct method then please let me know some other method that can help.
That's not possible in C#. You can be notified of changes within a directory and infer from that that the directory was opened--but there are many times when a directory is opened and nothing will be changed. What you're describing is most like a File System Filter Driver.
From What is a File System Filter Driver:
A file system filter driver can filter I/O operations for one or more file systems or file system volumes. Depending on the nature of the driver, filter can mean log, observe, modify, or even prevent.
Writing a filter is relatively easy, considering there are templates that you can use to base your work from. But, they do consist of kernel-mode code meaning they're not written with C# (they are typically written with C) and they are drivers.
for more details: http://msdn.microsoft.com/en-us/library/windows/hardware/ff540382(v=vs.85).aspx

use the FileSystemWatcher class to document the user who is making changes

I have a console app that checks for changes occurring on the file system. I'm trying to find out if it's possible to get the username of the individual who is doing the changes?
You'd be better off enabling auditing on the folder.
Right-click the folder, go to Properties > Security tab > Advanced > Auditing tab. There are options for recording an audit log of events that happen in that folder.
No, it's not possible, the NTFS or FAT file system which is what Windows uses doesn't record this information. The best you could get about a file is last time it was changed.
You can't do this asynchronously with FileSystemWatcher, however you can do this synchronously using file system filter driver. The driver lets you get the user name of the account performing the operation.

How to execute an event of already launched application with file association?

After playing around with a new Windows Form project, I discovered that when you associate a file type with an executable in Windows, you can find the file path of the file that launched the application using args[0] from static void Main(string[] args)
Is it possible to launch an event on your application when you double click a file if your application is already open? (As obviously Main(string[] args) won't be triggered).
Example of an application with behavior I am attempting to replicate:
User Opens GIMP(in Windows)
User opens explorer and right clicks a .png file
User selects open with GIMP
Instead of creating a new application instance of GIMP, GIMP opens the picture in a new window within the instance of GIMP that was already opened.
In this case is GIMP employing multiple applications to accept files "opened" with file association? Or is it possible to do it with a single application "instance".
I'm having trouble with this as most of my searches tend to lead me towards file association as a Windows user (i.e. "How to associate .xls files with excel" articles).
There are a variety of options, but none of them come for free.
Your program's Main() can detect that there is another copy already running and hand the file name off to the already-running copy by some means you determine.
Your program can register as a DDE server and request that subsequent opens be performed via DDE. This is an old-fashioned technique from the 1990's that is generally not recommended for new programs.
You can register a custom drop target for your application, and have the drop target hand the file name to the already-running copy. This mechanism takes the form of a shell extension, and therefore is not suitable for C# due to CLR injection issues.
Given your constraints, option (1) appears to be the best option.
Raymond is right of course, but if you're looking for help with the implmentation of option (1) you should probably look at What is the correct way to create a single instance application? and .NET 4 single application instance and Switch to other instance of same application
You'll notice that detecting the application is pretty easy (use a mutex). Bringing the other application and sending it a filename can be more challenging.
There are three basic solutions presented in the answers to the previously linked questions
Use PostMessage to send a message to 1st instance. This uses HWND_BROADCAST which can have untended consequences.
Use Microsoft.VisualBasic.ApplicationServices.ApplicationBase Of course a reference to VisualBasic gives some C# devs the willies.
Use FindWindow which relies on a Windows Name.
Its also worth noting that if you want the existing application to be in the front you'll need to take special care because setting the foreground can only be given away not taken. See Foreground activation permission is like love: You can't steal it, it has to be given to you and AllowSetForegroundWindow and SetForegroundWindow
Microsoft created this functionality for Visual Basic .Net, and it can be used by C# too.
See the following post for a simple example in C#:
http://www.openwinforms.com/single_instance_application.html
This approach worked best for me: Enforcing Single Instance WPF Applications.
Especially, its solution for passing arguments also works in notify-icon only applications.

How to overload the Windows Explorer functionalities?

I want to catch the event of deletion, renaming or copying a file in Windows Explorer. For example, if a folder contains the files "test.a" and "test.b", and that I remove "test.a", then my program will remove the two (same for copy and rename).
I know how to add an entry to the context menu of Windows. But the goal isn't to add functionality to Windows. The goal is to redefine an existing function.
You could use hook for that. See this.
Use the shell notification APIs for this.

single exe with changeable settings

I am trying to make a simple application which will be used to point a web browser control to some of our web applications at my work. I would like to have only one exe file but also have an admin window to change some of the settings and have them persist when the application is closed. Is that possible? I have looked at the application settings resources part but as I understand that makes a file that loads the settings.
I don't want to have to parse a file or have anything but ONE file so please don't suggest doing that if it is possible.
Just use application settings - that will create a single file, you won't have to do any parsing, it'll all be fine.
It'll be separate to the exe file, but unless you meant that "ONE file" to include the executable and rewrite that on the fly, it should fit your description easily.
For example, let's build a console app that just remembers how many times it's been launched:
Create a new console application project
Go to the properties page, and click into the Settings tab.
Click on the link to create a settings file
Type in the table to create a setting called "LaunchCount" of type int. Make it either user scope or application scope, depending on whether you want it to be persisted per user or system-wide.
Hit Ctrl-S to save.
In the Main method in Program.cs, write this code:
Settings settings = Settings.Default;
settings.LaunchCount++;
Console.WriteLine("Launch count: {0}", settings.LaunchCount);
settings.Save();
Add the appropriate using directive for Settings (put the cursor in Settings and hit Ctrl-.)
Run the app several times, and observe the number increasing.
You can't have persisted settings without having a separate file...safely. You must either have a separate file, which is the standard and suggested approach approach, like the one created with Application settings, or you must use something like the registry to save settings.
Keep in mind, though, that using the registry is highly discouraged due to security reasons. Plus most companies don't allow access to registries anyway which means that anyone without this access could not use the settings feature.
There are several ways to do this. You can use a command-line argument to do that. Launch the app from the shell and put in your command line argument and change how it launches.
A UNIX-y approach is to look at the name of the exe and change behavior based on that. If I recall correctly, rsh and rlogin are the same executable - they just look at argv[0] to decide how to run. In windows, this is straight forward - look at System.Environment.GetCommandLineArgs - if there is a non-empty string in the 0th element of that, it will be your executable name.
For persisting settings, see Jon Skeet's answer.
I have to say that this is generally a bad idea, but I've done this before a long time ago in VB6. I created a Resource within the exe and then (somehow) directly manipulated it.
The problem is, is that this is usually not possible within the .NET framework due to it being memory resident. These guys tryed it out in .net and they ended up creating an program in IL to do the heavy lifting... Modify Emdeded String in C# compiled exe
Go with a settings file as Jon suggested!

Categories

Resources