A Windows XP help forum. PCbanter

Does a free app exist that can tell you WHAT is writing to the hard drive?

#1
January 31st 19, 06:41 PM posted to alt.comp.os.windows-10,alt.comp.freeware
arlen holder

Does a free app exist that can tell you WHAT is writing to the hard drive?

Here's the situation that has been happening for months:
1. I'm very used to Veracrypt where there is a setting to have it unmount a
mounted encrypted drive when nothing has been written to it for a given
time period (usually around 30 minutes or so is the default).
2. On _other_ computers, this works just fine to automagically unmount the
encrypted drive after nothing has been written to it for the stated time
period.
3. But on _one_ of my devices, even when I walk away from the computer for
longer than the stated period, most of the time (but not all the time), the
encrypted drive remains mounted. Even overnight, it remains mounted (most
of the time).

Hmmmmmm....

Is something _writing_ to the encrypted drive that I don't know about?
o How would I figure that out?

NOTE: I don't know of anything I would have set up that would do that,
e.g., I don't have keep-alive programs running, nor do I run indexers (at
least not on purpose), nor do I have automagic backups, etc., that I know
about.

Obviously there could be _something_ that I don't know about that is
writing to the drive ... but how would I find that out?

It's not a "big deal" but it's an enigma to me.
o Does a free app exist that can tell you WHAT is writing to the hard drive?
#2
January 31st 19, 07:04 PM posted to alt.comp.os.windows-10,alt.comp.freeware
p-0''0-h the cat (coder)

On Thu, 31 Jan 2019 17:41:36 -0000 (UTC), arlen holder
wrote:

Does a free app exist that can tell you WHAT is writing to the hard drive?


https://docs.microsoft.com/en-gb/sys...nloads/procmon

You will need to filter.


#3
January 31st 19, 07:21 PM posted to alt.comp.os.windows-10,alt.comp.freeware
Paul[_32_]

arlen holder wrote:
[post #1 quoted in full; snipped]

You can use Procmon to run an ETW trace. By default it
records everything, then you apply a filter to display just
CreateFile and WriteFile events.

https://docs.microsoft.com/en-us/sys...nloads/procmon

The storage area used to record ETW starts as "RAM" until you
change the configuration. On a small RAM machine, you might initially
be limited by the amount of RAM available for traces.

You can set the trace to be backed by a file system file instead.
This extends the size of the trace.

However, the outside limit for tracing is "200 million events".

I've recorded an entire Macrium Backup operation before, and that
fit within the bounds of a trace. But I can see that for longer
term surveillance, eventually you'll hit the 200 million limit,
rather than a storage limit.

I think my biggest trace file to date, was on the order of 60GB or so.
ProcMon reserves the right to roll over the file, and create multiple
files with the same file name, so it would pay to create a folder
first, then edit the ProcMon settings and put its file inside
the folder. Quit ProcMon, start ProcMon, and now it will be tracing
and using the file.

You can also configure the filter to ignore profiling operations
by ProcMon, as well as ignoring the process itself (so its own
log activities won't be part of the log).

You can save a trace containing only the filtered events.

I think there's a CSV option as well.

The other area of interest, would be the USN journal
on each NTFS partition. It records stuff too, including
date stamps. I've used some utility to look at what is
in there, but don't remember the name of that now. I don't
know if that was a nirsoft, or something else like it.

The USN journal can be erased, so if you thought some
information was missing, that's one way for logging details
to be lost. I'm not really sure how the space on the
USN journal is handled. I don't think the space is charged
to the file system as such, which means the operating
system undoubtedly reserves the right to trim or truncate
or something. I've had a USN journal of size 16GB before,
so they can get rather large (important if doing the
suggestion below).

So if ProcMon simply doesn't have the trace depth, then
you'd have to engineer a way to get the details with the
USN per partition.

https://en.wikipedia.org/wiki/USN_Journal

http://al.howardknight.net/msgid.cgi...nt-email.me%3E

In an Administrator Command Prompt

cd %userprofile%
cd Downloads

fsutil usn readjournal c: > out2.txt

...
Usn : 187743704
File name : out2.txt
File name length : 16
Reason : 0x00000100: File create
Time stamp : 8/8/2017 7:28:30

HTH,
Paul
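Worked example, added to this thread and not code posted by Paul or anyone else above: a short Python script that reads the text fsutil usn readjournal prints (the record layout shown in the post) and lists which files on the volume had their contents or existence changed inside a time window, which is the "what wrote to X: overnight" question as far as the journal can answer it. It assumes the journal of the VeraCrypt volume itself was dumped from an elevated prompt (fsutil usn readjournal X: > usn_X.txt; the volume has to be NTFS, which a VeraCrypt container may or may not be), that fsutil prints time stamps as M/D/YYYY H:MM:SS with 24-hour hours, and the sample records are constructed; TIME_FORMAT and the file names are assumptions. Two limits Paul already hints at remain: a USN record names the file and the kind of change, never the process, and reads produce no record at all.

```python
"""List files on an NTFS volume changed in a time window, from the text output
of `fsutil usn readjournal <volume>`. Added example, not from the thread.
Assumes a dump such as:  fsutil usn readjournal X: > usn_X.txt  (elevated) and
time stamps printed as M/D/YYYY H:MM:SS, 24-hour (adjust TIME_FORMAT if not)."""
import re
from datetime import datetime

# USN_RECORD reason bits (winioctl.h). A record names the file and the change;
# it never names the process, and plain reads never produce a record.
REASON_FLAGS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE",
    0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00000800: "SECURITY_CHANGE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x00008000: "BASIC_INFO_CHANGE",
    0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}
# Bits meaning the file's contents or existence changed; an attribute-only or
# timestamp-only change (BASIC_INFO_CHANGE) is deliberately left out.
CONTENT_CHANGE = (0x00000001 | 0x00000002 | 0x00000004 | 0x00000010 | 0x00000020
                  | 0x00000040 | 0x00000100 | 0x00000200 | 0x00002000 | 0x00200000)
TIME_FORMAT = "%m/%d/%Y %H:%M:%S"   # assumption: US-locale, 24-hour output
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_usn_dump(text):
    """Split the dump into records: one starts at each 'Usn : N' line, and the
    'Name : value' lines that follow belong to it until the next 'Usn' line."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Usn":
            current = {"usn": int(value)}
            records.append(current)
        elif current is not None:
            current[key.lower().replace(" ", "_")] = value
    return records


def decode_reason(value):
    """'0x80000002: Data extend | Close' -> (0x80000002, ['DATA_EXTEND', 'CLOSE'])."""
    code = int(value.split(":", 1)[0], 16)
    return code, [name for bit, name in sorted(REASON_FLAGS.items()) if code & bit]


def changed_files(text, start, end):
    """Map file name -> sorted reason names for content changes between start
    and end, both given as strings in TIME_FORMAT."""
    lo, hi = (datetime.strptime(s, TIME_FORMAT) for s in (start, end))
    hits = {}
    for rec in parse_usn_dump(text):
        stamp = datetime.strptime(rec["time_stamp"], TIME_FORMAT)
        if not lo <= stamp <= hi:
            continue
        code, names = decode_reason(rec["reason"])
        if code & CONTENT_CHANGE:
            hits.setdefault(rec["file_name"], set()).update(names)
    return {name: sorted(reasons) for name, reasons in hits.items()}


# Constructed sample in fsutil's layout; names and times are made up.
SAMPLE = """\
Usn              : 187743704
File name        : out2.txt
File name length : 16
Reason           : 0x00000100: File create
Time stamp       : 8/8/2017 7:28:30

Usn              : 187743800
File name        : Thumbs.db
File name length : 18
Reason           : 0x80000002: Data extend | Close
Time stamp       : 8/8/2017 23:41:07

Usn              : 187743896
File name        : notes.txt
File name length : 18
Reason           : 0x80008000: Basic info change | Close
Time stamp       : 8/9/2017 2:15:00

Usn              : 187743992
File name        : report.docx
File name length : 22
Reason           : 0x80000001: Data overwrite | Close
Time stamp       : 8/9/2017 9:02:11
"""

if __name__ == "__main__":
    for name, reasons in changed_files(SAMPLE, "8/8/2017 22:00:00", "8/9/2017 7:00:00").items():
        print(name, "|".join(reasons))
```

Run it as-is to see the sample; for a real dump, read the file and call changed_files() with the start and end of the period you were away. If the result is empty but the volume stayed mounted, whatever touched it was reading rather than writing, and that is where ProcMon comes in.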
#4
February 1st 19, 08:39 PM posted to alt.comp.os.windows-10,alt.comp.freeware
arlen holder

No update ... except that I read the responses and will test them out.
Thanks.
#5
February 2nd 19, 06:14 PM posted to alt.comp.os.windows-10,alt.comp.freeware
arlen holder

On Fri, 1 Feb 2019 14:02:13 -0800, T wrote:

Also, I am not sure sysinternals will tell you "what",
but if so, I learn something new every day!


Hi T,
I need to log just the one exact "thing" that _wrote_ to X: overnight.

I am sort of responding to everyone here who kindly offered advice.
But I have no new news to report as I need to run the tests first.

I think I see this problem differently than most of those who posted.
I think it will be like trying to find a spelling error in a Latin encyclopedia.

But I could easily be wrong.
But I think the answer will be a royal unmitigated bitch to figure out.

Maybe not.
But if the output is a zillion items, then it will be almost impossible.
The output should be _only_ the exact moment when _something_
literally _writes_ to the given removable drive (X:).

If something didn't literally _write_ to X:, then the output should
be nothing. And it has to _know_ this over a period of 24 hours.

This won't work:
1. If the output looks like a Latin encyclopedia, or,
2. If the output has to be watched in real time.

Literally, the output should be trivial:
A. What _wrote_ to X: overnight

That's it.
I need to log just the one exact "thing" that _wrote_ to X: overnight.

#6
February 4th 19, 03:20 AM posted to alt.comp.os.windows-10,alt.comp.freeware
Zaidy036[_5_]

On 1/31/2019 1:21 PM, Paul wrote:
[post #3 quoted in full; snipped]

If you know the file name(s) you want to monitor, a batch file can be
used intermittently to test whether a specific file is being held open for
recording on the HD.
CALL full file path NUL
then ERRORLEVEL 1 indicates file is open for recording

--
Zaidy036
#7
February 4th 19, 05:46 AM posted to alt.comp.os.windows-10,alt.comp.freeware
Paul[_32_]

Zaidy036 wrote:
On 1/31/2019 1:21 PM, Paul wrote:
[post #3 quoted in full; snipped]
If you know the file name(s) you want to monitor a batch file can be
used intermittently to test if a specific file is being held open for
recording on the HD.
CALL full file path NUL
then ERRORLEVEL 1 indicates file is open for recording


I just noticed something.

1) Set a filter like "CreateFile" and "WriteFile" in ProcMon.
2) In the Filter menu, set the tick box "Drop Filtered Events"
3) Now it only records the events in (1) and no other.
4) Under File, untick the "Capture Events" tick box.
5) Under Edit, select "Clear Display".
6) Under File, tick the "Capture Events" tick box to start another trace.
7) Now the new "Drop Filtered Events" will work,
and you'll have a horizon of 200 million filtered events.

So it is possible to do it with ProcMon.

https://i.postimg.cc/pdp1G0kT/procmon-can-do-it.gif

Paul
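Worked example, added here and not taken from the thread or from Sysinternals: the seven GUI steps above can be run unattended with ProcMon's own command-line switches, and the exported CSV then boiled down to the one-line answer the original poster is after. The capture side is a configuration exported from the GUI once the filter and "Drop Filtered Events" are set (File > Export Configuration), started with procmon.exe /AcceptEula /Quiet /Minimized /BackingFile <file>.pml /LoadConfig <file>.pmc, stopped next morning with procmon.exe /Terminate, and converted with procmon.exe /OpenLog <file>.pml /SaveAs <file>.csv. The Python below reduces that CSV per process; the drive letter X:, the sample rows, the process names, PIDs and paths in them are all constructed for illustration. One caveat worth building in: VeraCrypt's setting is "auto-dismount volume after no data has been read/written to it for N minutes", so a process that only reads from X: (an on-access scanner or an indexer, say) also resets the timer, and a filter that keeps nothing but WriteFile would hide exactly that process; the script therefore keeps reads in their own bucket instead of dropping them.

```python
r"""Summarise a Process Monitor CSV export per process for one drive letter.
Added example, not code from the thread or from Sysinternals. Assumes the
trace was captured with a filter on the drive plus "Drop Filtered Events" and
exported with ProcMon's default columns, e.g. unattended:
    procmon.exe /AcceptEula /Quiet /Minimized /BackingFile C:\trace\x.pml /LoadConfig x_filter.pmc
    ... next morning ...
    procmon.exe /Terminate
    procmon.exe /OpenLog C:\trace\x.pml /SaveAs C:\trace\x.csv
(x_filter.pmc is a configuration exported from the GUI; the paths are made up.)
VeraCrypt's idle timer only fires after no data has been read OR written, so
reads are classified and kept rather than filtered out."""
import csv
import io

DRIVE = "X:\\"                       # assumption: the VeraCrypt volume's letter
WRITE_OPS = {"WriteFile", "SetEndOfFileInformationFile", "SetDispositionInformationFile",
             "SetRenameInformationFile", "SetAllocationInformationFile", "FlushBuffersFile"}
READ_OPS = {"ReadFile"}
WRITE_ACCESS = ("Generic Write", "Write Data", "Append Data", "Generic All")


def classify(operation, detail):
    """write / read / other. CreateFile is an open, so it counts as a write only
    when write access was requested (ProcMon shows that in the Detail column)."""
    if operation in WRITE_OPS:
        return "write"
    if operation in READ_OPS:
        return "read"
    if operation == "CreateFile":
        return "write" if any(k in detail for k in WRITE_ACCESS) else "read"
    return "other"  # QueryDirectory, Query*Information...: metadata, still volume I/O


def summarise(csv_text, drive=DRIVE):
    """Map (process name, PID) -> counts per class, first/last time and the paths
    it wrote. Writes that failed (e.g. ACCESS DENIED) changed nothing on the
    volume but are counted separately so they stay visible."""
    summary = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["Path"].upper().startswith(drive.upper()):
            continue
        cls = classify(row["Operation"], row.get("Detail", ""))
        if cls == "write" and row["Result"] != "SUCCESS":
            cls = "failed_write"
        key = (row["Process Name"], row["PID"])
        s = summary.setdefault(key, {"write": 0, "failed_write": 0, "read": 0, "other": 0,
                                     "first": row["Time of Day"], "last": None, "paths": set()})
        s[cls] += 1
        s["last"] = row["Time of Day"]
        if cls in ("write", "failed_write"):
            s["paths"].add(row["Path"])
    return summary


def writers(summary):
    """(process, pid, successful writes), most writes first: what wrote to X:."""
    return sorted(((p, pid, s["write"]) for (p, pid), s in summary.items() if s["write"]),
                  key=lambda t: -t[2])


def readers_only(summary):
    """Processes that touched the volume without writing: invisible to a
    WriteFile-only filter, yet enough to keep VeraCrypt's idle timer from firing."""
    return sorted(p for (p, pid), s in summary.items()
                  if s["write"] == 0 and (s["read"] or s["other"]))


# Constructed sample rows in ProcMon's CSV layout; processes, PIDs, paths and
# times are made up for illustration.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:57:02.1103366 PM","Explorer.EXE","4120","QueryDirectory","X:\\","SUCCESS","Filter: *, 1: Thumbs.db"
"11:57:02.1201145 PM","Explorer.EXE","4120","CreateFile","X:\\Thumbs.db","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OpenIf"
"11:57:02.1233810 PM","Explorer.EXE","4120","WriteFile","X:\\Thumbs.db","SUCCESS","Offset: 0, Length: 4,096"
"2:15:00.0023411 AM","avscan.exe","3280","CreateFile","X:\\notes.txt","SUCCESS","Desired Access: Generic Read, Disposition: Open"
"2:15:00.0051007 AM","avscan.exe","3280","ReadFile","X:\\notes.txt","SUCCESS","Offset: 0, Length: 2,048"
"2:15:00.0090012 AM","avscan.exe","3280","ReadFile","X:\\notes.txt","END OF FILE","Offset: 2,048, Length: 2,048"
"3:30:15.4410022 AM","svchost.exe","1012","WriteFile","C:\\Windows\\Logs\\x.log","SUCCESS","Offset: 0, Length: 512"
"4:02:11.2210001 AM","backup.exe","5551","WriteFile","X:\\archive.zip","ACCESS DENIED","Offset: 0, Length: 65,536"
"""

if __name__ == "__main__":
    s = summarise(SAMPLE_CSV)
    print("wrote to X::", writers(s))
    print("only read X::", readers_only(s))
```

Against the sample, writers() names Explorer refreshing Thumbs.db as the one process that actually wrote, readers_only() surfaces the scanner that never wrote a byte but still kept the volume busy, and the denied write by backup.exe is retained in the summary rather than silently dropped. For a real export, pass the CSV text to summarise() and look at both lists; with "Drop Filtered Events" on, the 200 million event horizon Paul mentions is spent only on X: traffic, which comfortably covers a night.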