#1
Does a free app exist that can tell you WHAT is writing to the hard drive?
Here's the situation that has been happening for months:

1. I'm very used to Veracrypt where there is a setting to have it unmount a mounted encrypted drive when nothing has been written to it for a given time period (usually around 30 minutes or so is the default).
2. On _other_ computers, this works just fine to automagically unmount the encrypted drive after nothing has been written to it for the stated time period.
3. But on _one_ of my devices, even when I walk away from the computer for longer than the stated period, most of the time (but not all the time), the encrypted drive remains mounted. Even overnight, it remains mounted (most of the time).

Hmmmmmm.... Is something _writing_ to the encrypted drive that I don't know about?
o How would I figure that out?

NOTE: I don't know of anything I would have set up that would do that, e.g., I don't have keep-alive programs running, nor do I run indexers (at least not on purpose), nor do I have automagic backups, etc., that I know about. Obviously there could be _something_ that I don't know about that is writing to the drive ... but how would I find that out? It's not a "big deal" but it's an enigma to me.

o Does a free app exist that can tell you WHAT is writing to the hard drive?
#2
Does a free app exist that can tell you WHAT is writing to the hard drive?
On Thu, 31 Jan 2019 17:41:36 -0000 (UTC), arlen holder wrote:
> Does a free app exist that can tell you WHAT is writing to the hard drive?

https://docs.microsoft.com/en-gb/sys...nloads/procmon

You will need to filter.

--
p-0.0-h the cat
#3
Does a free app exist that can tell you WHAT is writing to the hard drive?
arlen holder wrote:
> Does a free app exist that can tell you WHAT is writing to the hard drive?
> [...]

You can use Procmon to run an ETW trace. By default it records everything, then you apply a filter to display just CreateFile and WriteFile events.

https://docs.microsoft.com/en-us/sys...nloads/procmon

The storage area used to record ETW starts as "RAM" until you change the configuration. On a small RAM machine, you might initially be limited by the amount of RAM available for traces. You can set the trace to be backed by a file system file instead. This extends the size of the trace. However, the outside limit for tracing is "200 million events". I've recorded an entire Macrium Backup operation before, and that fit within the bounds of a trace. But I can see that for longer term surveillance, eventually you'll hit the 200 million limit, rather than a storage limit. I think my biggest trace file to date was on the order of 60GB or so.

ProcMon reserves the right to roll over the file, and create multiple files with the same file name, so it would pay to create a folder first, then edit the ProcMon settings and put its file inside the folder. Quit ProcMon, start ProcMon, and now it will be tracing and using the file. You can also configure the filter to ignore profiling operations by ProcMon, as well as ignoring the process itself (so its own log activities won't be part of the log). You can save a trace containing only the filtered events. I think there's a CSV option as well.

The other area of interest would be the USN journal on each NTFS partition. It records stuff too, including date stamps. I've used some utility to look at what is in there, but don't remember the name of that now. I don't know if that was a nirsoft, or something else like it. The USN journal can be erased, so if you thought some information was missing, that's one way for logging details to be lost. I'm not really sure how the space on the USN journal is handled. I don't think the space is charged to the file system as such, which means the operating system undoubtedly reserves the right to trim or truncate or something. I've had a USN journal of size 16GB before, so they can get rather large (important if doing the suggestion below). So if ProcMon simply doesn't have the trace depth, then you'd have to engineer a way to get the details with the USN per partition.

https://en.wikipedia.org/wiki/USN_Journal
http://al.howardknight.net/msgid.cgi...nt-email.me%3E

   In an Administrator Command Prompt

   cd %userprofile%
   cd Downloads
   fsutil usn readjournal c: > out2.txt
   ...

   Usn               : 187743704
   File name         : out2.txt
   File name length  : 16
   Reason            : 0x00000100: File create
   Time stamp        : 8/8/2017 7:28:30

HTH,
   Paul
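One way to boil a saved `fsutil usn readjournal` dump down to just the overnight content changes, as an added example that is not Paul's or Microsoft's code: it parses the record layout shown above (Usn / File name / Reason / Time stamp), keeps only records whose reason bits mean the data changed, and restricts them to an assumed window. The sample records after the first one, and the window, are constructed.

```python
import re
from datetime import datetime

# USN_RECORD reason bits that mean the file's contents changed: data overwrite,
# data extend, data truncation, file create (0x100 is the bit in the post's record).
WRITE_MASK = 0x1 | 0x2 | 0x4 | 0x100
FIELD = re.compile(r"^([A-Za-z ]+?)\s*:\s*(.*)$")   # "Key   : value" lines

def parse_records(text):
    """One dict per record; a record starts at each 'Usn' line."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Usn":
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[key] = val
    return records

def writes_in_window(text, start, end):
    """(file name, reason text) for records with a content-change bit whose
    time stamp lies in [start, end]; close-only (0x80000000) records drop out."""
    hits = []
    for rec in parse_records(text):
        code, _, why = rec.get("Reason", "0x0:").partition(":")
        stamp = datetime.strptime(rec["Time stamp"], "%m/%d/%Y %H:%M:%S")
        if int(code, 16) & WRITE_MASK and start <= stamp <= end:
            hits.append((rec["File name"], why.strip()))
    return hits

# Constructed sample in fsutil's layout: the post's record, then a made-up
# overnight write and a made-up close-only record.
SAMPLE = """\
Usn               : 187743704
File name         : out2.txt
Reason            : 0x00000100: File create
Time stamp        : 8/8/2017 7:28:30

Usn               : 187743800
File name         : Thumbs.db
Reason            : 0x80000002: Data extend | Close
Time stamp        : 8/9/2017 2:15:07

Usn               : 187743900
File name         : notes.txt
Reason            : 0x80000000: Close
Time stamp        : 8/9/2017 2:16:00
"""
# Assumed "overnight" window for the sample.
NIGHT_START, NIGHT_END = datetime(2017, 8, 8, 22), datetime(2017, 8, 9, 6)

def overnight_report(text=SAMPLE):
    return writes_in_window(text, NIGHT_START, NIGHT_END)
```

The journal names the file but not the process that wrote it, so this narrows the search to a handful of files; the process still has to come from ProcMon.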
#4
Does a free app exist that can tell you WHAT is writing to the hard drive?
No update ... except that I read the responses and will test them out.
Thanks.
#5
Does a free app exist that can tell you WHAT is writing to the hard drive?
On Fri, 1 Feb 2019 14:02:13 -0800, T wrote:
> Also, I am not sure sysinternals will tell you "what", but if so, I learn something new every day!

Hi T,

I need to log just the one exact "thing" that _wrote_ to X: overnight.

I am sort of responding to everyone here who kindly offered advice. But I have no new news to report as I need to run the tests first.

I think I see this problem differently than most of those who posted. I think it will be like trying to find a spelling error in a Latin encyclopedia. But I could easily be wrong. But I think the answer will be a royal unmitigated bitch to figure out. Maybe not. But if the output is a zillion items, then it will be almost impossible.

The output should be _only_ the exact moment when _something_ literally _writes_ to the given removable drive (X:). If something didn't literally _write_ to X:, then the output should be nothing. And it has to _know_ this over a period of 24 hours.

This won't work:
1. If the output looks like a latin encyclopedia, or,
2. If the output has to be watched in real time.

Literally, the output should be trivial:
A. What _wrote_ to X: overnight

That's it. I need to log just the one exact "thing" that _wrote_ to X: overnight.
#6
Does a free app exist that can tell you WHAT is writing to the hard drive?
On 1/31/2019 1:21 PM, Paul wrote:
> arlen holder wrote:
>> Does a free app exist that can tell you WHAT is writing to the hard drive?
>> [...]
>
> You can use Procmon to run an ETW trace. By default it records everything, then you apply a filter to display just CreateFile and WriteFile events.
> [...]
>
> HTH,
>    Paul

If you know the file name(s) you want to monitor a batch file can be used intermittently to test if a specific file is being held open for recording on the HD.

   CALL full file path NUL

then ERRORLEVEL 1 indicates file is open for recording

--
Zaidy036
#7
Does a free app exist that can tell you WHAT is writing to the hard drive?
Zaidy036 wrote:
> On 1/31/2019 1:21 PM, Paul wrote:
>> You can use Procmon to run an ETW trace. By default it records everything, then you apply a filter to display just CreateFile and WriteFile events.
>> [...]
>
> If you know the file name(s) you want to monitor a batch file can be used intermittently to test if a specific file is being held open for recording on the HD.
>
>    CALL full file path NUL
>
> then ERRORLEVEL 1 indicates file is open for recording

I just noticed something.

1) Set a filter like "CreateFile" and "WriteFile" in ProcMon.
2) In the Filter menu, set the tick box "Drop Filtered Events"
3) Now it only records the events in (1) and no other.
4) Under File, untick the "Capture Events" tick box.
5) Under Edit, select "Clear Display".
6) Under File, tick the "Capture Events" tick box to start another trace.
7) Now the new "Drop Filtered Events" will work, and you'll have a horizon of 200 million filtered events.

So it is possible to do it with ProcMon.

https://i.postimg.cc/pdp1G0kT/procmon-can-do-it.gif

   Paul
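To turn a ProcMon trace saved as CSV into the short answer arlen asked for (which process wrote to X: overnight), here is an added example, not Paul's or Sysinternals' code. It assumes the CSV was saved with ProcMon's default columns ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"), the CreateFile/WriteFile filter from the steps above, and X: as the drive of interest; the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Column headers assumed to be Procmon's default view when saved as CSV.
PROCESS, PID, OP, PATH, DETAIL = "Process Name", "PID", "Operation", "Path", "Detail"

def is_write(op, detail):
    """WriteFile always changes data; CreateFile counts only when the handle
    was requested with some write access (Detail reads "Desired Access: ...,
    Disposition: ...", and the access list itself may contain commas)."""
    if op == "WriteFile":
        return True
    if op == "CreateFile":
        access = detail.partition("Desired Access:")[2].partition("Disposition:")[0]
        return "Write" in access
    return False

def writers_on_volume(csv_text, drive="X:"):
    """Group write-type events under `drive` by (process name, pid).
    Returns {(name, pid): {"events": n, "paths": {...}}}."""
    prefix = drive.upper() + "\\"
    writers = defaultdict(lambda: {"events": 0, "paths": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row[PATH].upper().startswith(prefix):
            continue                      # other volumes are noise here
        if not is_write(row[OP], row.get(DETAIL, "")):
            continue                      # read-only opens are not writes
        entry = writers[(row[PROCESS], row[PID])]
        entry["events"] += 1
        entry["paths"].add(row[PATH])
    return dict(writers)

def report(csv_text, drive="X:"):
    """One line per writer, busiest first: 'name (pid): n events, m files'."""
    found = writers_on_volume(csv_text, drive)
    ranked = sorted(found.items(), key=lambda kv: -kv[1]["events"])
    return [f"{n} ({p}): {v['events']} events, {len(v['paths'])} files"
            for (n, p), v in ranked]

# Constructed trace: what the CreateFile/WriteFile filter might leave in a
# saved CSV. Process names, PIDs and paths are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"2:15:07.0000000 AM","SearchIndexer.exe","1234","CreateFile","X:\Docs\notes.txt","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"3:02:11.0000000 AM","backup.exe","4321","CreateFile","X:\Backups\daily.zip","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"3:02:11.2000000 AM","backup.exe","4321","WriteFile","X:\Backups\daily.zip","SUCCESS","Offset: 0, Length: 65,536"
"3:02:12.0000000 AM","backup.exe","4321","WriteFile","X:\Backups\daily.zip","SUCCESS","Offset: 65,536, Length: 65,536"
"3:05:00.0000000 AM","svchost.exe","900","WriteFile","C:\Windows\Logs\x.log","SUCCESS","Offset: 0, Length: 512"
'''

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CSV)) or "nothing wrote to X:")
```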