Julian Matthews · Feb 9, 2021 1m read

Tracking down source of bothersome file creation in a Windows environment

Hey everyone!

I recently learnt something new while working with WRC on an issue, and I wanted to share it with everyone on the off chance it could help someone else.

Scenario:

Files are being inexplicably written to a folder on your server and, due to the number of files in the folder and general system throughput, it is not possible to work through the files to track down the source.

Plan of attack:

Use Process Monitor (Procmon, from Microsoft Sysinternals) to watch the affected folder, take the Process ID (PID) of whatever creates the files, and then look that PID up in the Management Portal to find which process within your production is generating them.

Step by step:

  1. Download Process Monitor from Microsoft and extract the zip on the affected machine. It needs to run with administrative rights.
  2. Run the executable relevant to your system (Procmon64.exe on 64-bit Windows; Procmon.exe launches the right one for you).
  3. Capture starts immediately and the event list fills very quickly, so filter out everything except the folder of interest. Press CTRL+L to bring up the Filter window.
  4. Add a rule of the form Path / begins with / <your folder> / Include, click Add, and then hit Apply/OK. A second rule, Operation / is / CreateFile / Include, keeps only the file-creation events so reads and directory listings do not clutter the view.
  5. Once there is activity within the folder, the PID column of the matching events pins down the process that is creating the files. Check the Process Name column as well: if it is not the database engine (irisdb.exe or cache.exe), the files are coming from something outside your production and the remaining steps do not apply.
  6. Navigate to the processes page in the Management Portal (System Operation > Processes), filter using the PID from Procmon (on Windows the $JOB number of an IRIS/Caché process is the OS PID, so the two match directly), and view the process.
  7. The Details tab will reveal the Namespace, and under the Variables tab you should see an entry for ConfigName. This is the culprit: the business host in your production that created the file.

From here, you can begin looking into the class behind that config item in your production to see what has gone wrong. Chances are, your own code is the real culprit.
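When the folder is busy, clicking through events by hand is slow, and leaving the Procmon window open on a production server for hours is not ideal. The script below is an added example (not part of the original article) that runs the same capture unattended from PowerShell: it starts Procmon with a saved filter and a backing file for a fixed time, converts the log to CSV, and summarises successful file creations in the folder by PID and process name. The paths, the folder name and the duration are assumptions for illustration; the filter configuration file is one you export yourself from Procmon (File > Export Configuration) after setting up the Path filter described in step 4.

```powershell
# Added example: unattended Process Monitor capture of a folder, summarised per PID.
# Assumptions (not from the original article): Procmon is extracted to C:\Tools\Procmon,
# a filter for the folder has been exported to folder.pmc, and the folder being written
# to is D:\Interface\Out. Run from an elevated PowerShell session.

$Procmon = 'C:\Tools\Procmon\Procmon64.exe'
$Config  = 'C:\Tools\Procmon\folder.pmc'     # exported Procmon filter (assumed)
$Folder  = 'D:\Interface\Out'                # folder under investigation (assumed)
$Log     = 'C:\Tools\Procmon\capture.pml'
$Csv     = 'C:\Tools\Procmon\capture.csv'
$Seconds = 600                               # capture window, adjust to taste

# 1. Capture to a backing file for a fixed time. /Quiet suppresses the filter prompt,
#    /Minimized keeps the window out of the way, /Runtime makes Procmon stop on its own.
Start-Process -FilePath $Procmon -Wait -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized',
    '/LoadConfig', "`"$Config`"",
    '/BackingFile', "`"$Log`"",
    '/Runtime', $Seconds
)

# 2. Convert the binary PML log to CSV so it can be processed without the GUI.
#    /SaveApplyFilter applies the loaded filter during the export.
Start-Process -FilePath $Procmon -Wait -ArgumentList @(
    '/AcceptEula', '/Quiet',
    '/LoadConfig', "`"$Config`"", '/SaveApplyFilter',
    '/OpenLog', "`"$Log`"",
    '/SaveAs', "`"$Csv`""
)

# 3. Keep only successful CreateFile operations that actually created (or overwrote)
#    a file under the folder, then count them per PID and process name.
#    Column names and the "OpenResult:" text are as Procmon writes them in the CSV.
$Creations = Import-Csv -Path $Csv |
    Where-Object {
        $_.Operation -eq 'CreateFile' -and
        $_.Result    -eq 'SUCCESS' -and
        $_.Path      -like "$Folder\*" -and
        $_.Detail    -match 'OpenResult: (Created|Overwritten)'
    }

$Summary = $Creations |
    Group-Object -Property PID, 'Process Name' |
    Sort-Object -Property Count -Descending |
    Select-Object Count,
                  @{ Name = 'PID';     Expression = { $_.Group[0].PID } },
                  @{ Name = 'Process'; Expression = { $_.Group[0].'Process Name' } },
                  @{ Name = 'Example'; Expression = { $_.Group[0].Path } }

$Summary | Format-Table -AutoSize

# 4. Sanity check: a writer that is not the database engine is not a production
#    business host, so the Management Portal lookup in steps 6 and 7 will not find it.
$Summary | Where-Object { $_.Process -notin @('irisdb.exe', 'cache.exe') } |
    ForEach-Object { Write-Warning "PID $($_.PID) ($($_.Process)) is writing to $Folder but is not the database engine" }
```

The PID column in the output is what you filter on under System Operation > Processes; the Example column gives you one concrete file name to search for in the production's message trace. If the capture needs to run longer than a few minutes, keep "Drop Filtered Events" enabled in the exported configuration so the backing file only holds the folder's events.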
