4

I'm currently using procmon to chase down a problem I'm having involving network files. Another PC on the local network writes small "command" files to the target machine, which then consumes them - i.e. they are read, actioned and deleted.

There is also another file that is updated once per second by the target machine and read by the other network machines.

After running for some time, the network machines lose access to the file they are reading from the target machine. The file becomes permanently locked - the master machine can't update it any longer (sharing violation). The problem appears to be related to MsMpEng.exe (Microsoft Security Essentials) trying to grab a command file when it first appears, but I want to relate what is happening to the incoming requests. Procmon doesn't seem to show these.

Can ProcMon be configured to catch accesses to the local file system from network machines? Is it tied up with the mysterious block of excludes that are added to new filters by default?

rossmcm
  • 1,656

1 Answer

5

From Windows Internals:

By default, Procmon starts in basic mode and omits certain file system operations from being displayed, including:

  • I/O to NTFS metadata files
  • I/O to the paging file
  • I/O generated by the System process
  • I/O generated by the Process Monitor Process.

To catch incoming file access from the network, you need to view the I/O generated by the System process. To be able to view that, switch Procmon to Advanced Mode by using the menu Filter -> Enable Advanced Output.
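As an added example that is not part of the question or the answer above: once Advanced Output is enabled and the trace is exported with File > Save (CSV format), the remote clients' file I/O appears as rows attributed to the `System` process. The script below reads such an export (the column names are Procmon's default CSV columns; the helper names, the sample rows, process names and paths are all constructed for illustration), keeps the System-process rows, and for every `SHARING VIOLATION` lists which processes had successfully opened the same path just beforehand, which is the question a practitioner is asking when an antivirus scanner or a network reader is suspected of holding the file.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Procmon CSV export with the default column set.
# Rows whose Process Name is "System" (PID 4) are the SMB server's I/O on
# behalf of network clients; Procmon hides them in basic mode.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:02.1000000","MasterApp.exe","4120","CreateFile","C:\\Share\\status.dat","SUCCESS","Desired Access: Generic Write"
"10:15:02.1050000","System","4","CreateFile","C:\\Share\\cmd_0001.txt","SUCCESS","Desired Access: Generic Write"
"10:15:02.1100000","System","4","WriteFile","C:\\Share\\cmd_0001.txt","SUCCESS","Offset: 0, Length: 64"
"10:15:02.1200000","MsMpEng.exe","1984","CreateFile","C:\\Share\\cmd_0001.txt","SUCCESS","Desired Access: Generic Read"
"10:15:02.1500000","TargetApp.exe","5004","CreateFile","C:\\Share\\cmd_0001.txt","SHARING VIOLATION","Desired Access: Generic Read/Write, Delete"
"10:15:03.1000000","MasterApp.exe","4120","CreateFile","C:\\Share\\status.dat","SUCCESS","Desired Access: Generic Write"
"10:15:03.9000000","System","4","CreateFile","C:\\Share\\status.dat","SUCCESS","Desired Access: Generic Read"
"10:15:04.1000000","MasterApp.exe","4120","CreateFile","C:\\Share\\status.dat","SHARING VIOLATION","Desired Access: Generic Write"
"""


def _parse_time(tod: str) -> float:
    """Convert Procmon's 'HH:MM:SS.fffffff' (optionally with AM/PM) to seconds since midnight."""
    tod = tod.strip()
    meridian = None
    for suffix in (" AM", " PM"):
        if tod.upper().endswith(suffix):
            meridian = suffix.strip()
            tod = tod[: -len(suffix)]
    hms, _, frac = tod.partition(".")
    h, m, s = (int(x) for x in hms.split(":"))
    if meridian == "PM" and h < 12:
        h += 12
    if meridian == "AM" and h == 12:
        h = 0
    fraction = int(frac) / 10 ** len(frac) if frac else 0.0
    return h * 3600 + m * 60 + s + fraction


def parse_procmon_csv(text: str) -> list:
    """Parse a Procmon CSV export into dicts, adding a numeric 'seconds' key for ordering."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["seconds"] = _parse_time(row["Time of Day"])
        rows.append(row)
    return rows


def network_file_events(events: list) -> list:
    """Keep only rows attributed to the System process: the remote clients' file I/O."""
    return [e for e in events if e["Process Name"] == "System"]


def explain_sharing_violations(events: list, window_s: float = 0.5) -> list:
    """For each SHARING VIOLATION, list the processes that successfully opened the
    same path within the preceding window: the likely holders of the conflicting handle."""
    opens = defaultdict(list)  # path -> [(seconds, process name), ...]
    findings = []
    for e in sorted(events, key=lambda e: e["seconds"]):
        path = e["Path"]
        if e["Result"] == "SHARING VIOLATION":
            suspects = sorted({
                proc for t, proc in opens[path]
                if 0 <= e["seconds"] - t <= window_s and proc != e["Process Name"]
            })
            findings.append({
                "time": e["Time of Day"],
                "victim": e["Process Name"],
                "path": path,
                "suspects": suspects,
            })
        elif e["Operation"] == "CreateFile" and e["Result"] == "SUCCESS":
            opens[path].append((e["seconds"], e["Process Name"]))
    return findings


if __name__ == "__main__":
    evs = parse_procmon_csv(SAMPLE_CSV)
    print(f"{len(network_file_events(evs))} events from network clients (System process)")
    for f in explain_sharing_violations(evs):
        print(f"{f['time']} {f['victim']} on {f['path']}: recent openers {f['suspects']}")
```

On the constructed sample this reports that `TargetApp.exe` was refused `cmd_0001.txt` right after both the SMB server (`System`) and `MsMpEng.exe` had opened it, and that the once-per-second writer was refused `status.dat` just after a network client's read. Note that the `System` rows only exist in an export taken with Advanced Output enabled; on a basic-mode trace the second finding would show no suspects at all.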