What created that file?
February 9, 2006 11:46 AM

How can I track the source of a file?

I have a user who is reporting that something is creating a file in an area that it shouldn't. This folder resides on a Windows server and he is running Windows XP (or 2000, but I'm pretty sure it's XP). He is seeing a file created periodically but has no idea where it's coming from and is concerned that security might have been compromised.

The file is named "clientid.txt" and contains the string, "3145204-218057". The folder it's being created in can only be accessed by him and Domain Admins. The file shows that it was created by this user.

I am thinking that some job or some process is running on his PC that is creating this file, but when I checked he had no jobs running. Maybe a rogue process, but I can't find it. Is there a way to find out what caused a file to be created? If not on an existing file, maybe there's a way to catch a process when it writes a file to a folder?

Again, if I wasn't clear, this is a Windows OS accessing a file share on a Windows network. No Linux servers can access the folder where this is being written. I'd appreciate any help greatly.
posted by bDiddy to Computers & Internet (3 answers total)
 
Best answer: Installing FileMon should do the trick.
posted by empath at 11:53 AM on February 9, 2006


Googling "clientid.txt" leads to something called T-Serve—is your company using that?
posted by staggernation at 11:54 AM on February 9, 2006


Response by poster: I found T-Serve looking through Google. Also, some Asian (Chinese?) characters referencing some Linux sites. We don't use T-Serve, unfortunately. I am going to try setting up Filemon and see what I can find.
posted by bDiddy at 12:27 PM on February 9, 2006

