Author: sahnav
Subject: File Access Monitor
Posted: 11 April 2014 at 1:56am
Dear Sir/Madam,
I need to configure Process Monitor to track the number of accesses to a particular file (e.g. C:\Users\00000000\Desktop\Procedure.pdf).
The output must be presented as:
User Date Time
User1 2014/04/01 08.47 AM
User2 2014/04/02 10.47 AM
Based on the Process Monitor capture below, I realised this line is unique when I open the file.
I need this info to be put into the filter. But how do I fill up the filter with the info below?
19:49.9 AcroRd32.exe 2120 Process Start SUCCESS "Parent PID: 772, Command line: ""C:\Program Files\Adobe\Reader 11.0\Reader\AcroRd32.exe"" --channel=772.1.283187733 --type=renderer ""C:\Users\00000000\Desktop\Procedure.pdf"", Current directory: C:\Users\00000000\Desktop\, Environment:
; =::=::\
; ALLUSERSPROFILE=C:\ProgramData
; APPDATA=C:\Users\00000000\AppData\Roaming
; CommonProgramFiles=C:\Program Files\Common Files
; COMPUTERNAME=L110600028A
; ComSpec=C:\Windows\system32\cmd.exe
; configsetroot=C:\Windows\ConfigSetRoot
; DEFLOGDIR=C:\ProgramData\McAfee\DesktopProtection
; FP_NO_HOST_CHECK=NO
; HOMEDRIVE=C:
; HOMEPATH=\Users\00000000
; LOCALAPPDATA=C:\Users\00000000\AppData\Local
; LOGONSERVER=\\MBBADDCPROD05
; NUMBER_OF_PROCESSORS=4
; OS=Windows_NT
; Path=C:\Program Files\Adobe\Reader 11.0\Reader\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Lotus\Notes;C:\Program Files\Common Files\M-Tech;C:\Program Files\Windows Imaging\;C:\Program Files\IBM\Personal Communications\;C:\Program Files\IBM\Trace Facility\;C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia AUX;C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia AUX/Support binaries;C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia Broker;C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia Client
; PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
; PCOMM_Root=C:\Program Files\IBM\Personal Communications\
; PROCESSOR_ARCHITECTURE=x86
; PROCESSOR_IDENTIFIER=x86 Family 6 Model 37 Stepping 5, GenuineIntel
; PROCESSOR_LEVEL=6
; PROCESSOR_REVISION=2505
; ProgramData=C:\ProgramData
; ProgramFiles=C:\Program Files
; PSModulePath=C:\Windows\system32\WindowsPowerShell\v1.0\Modules\
; PUBLIC=C:\Users\Public
; SESSIONNAME=Console
; SystemDrive=C:
; SystemRoot=C:\Windows
; TEMP=C:\Users\00000000\AppData\Local\Temp\acrord32_sbx
; TMP=C:\Users\00000000\AppData\Local\Temp\acrord32_sbx
; UATDATA=C:\Windows\system32\CCM\UATData\D9F8C395-CAB8-491d-B8AC-179A1FE1BE77
; USERDNSDOMAIN=MAYBANK-MY.MBB.DIR
; USERDOMAIN=MAYBANK-MY
; USERNAME=00000000
; USERPROFILE=C:\Users\00000000
; VSEDEFLOGDIR=C:\ProgramData\McAfee\DesktopProtection
; windir=C:\Windows"