Is there a good way to get the process name that created a file in Windows?

I have a directory on a Windows 2000 Server
C:\WINNT\Temp that is filling up with files named like:
70618199
21834082

They are always 121,201 KB in size.

Programmatically, can I "capture" the program name or service name that is dropping files in this location?

MORE INFO:
I did some more research on this. I renamed the file to TIFF and was able to open it.
This machine functions as a document search tool via a custom-written ASP.NET app. The machine contains approx. 50,000 TIFF documents on the E:\ drive. This machine also runs SQL Server 2000 with Full-Text Indexing turned on. Full-Text Indexing in no way touches the TIFFs, but it shouldn't, because this is SQL, right? But FTS does require that Indexing Service be turned on. The weird thing is that this TIFF seems to be the largest thing served off of the web server. Does IIS or Indexing Service use C:\WINNT\Temp for some kind of caching? Thoughts?

RESOLUTION (Maybe?) This seems to be Microsoft Indexing Service.
When I shut it down, none of these files get created in WINNT\Temp.
It seems to grab the largest file it finds and copies it into WINNT\Temp. This is weird. When you are dealing with a 100MB+ TIFF file, this can cause you to run out of disk space. Very annoying.
Guess I will just shut down the "Web" branch of my Indexing Services.

+2  A: 

If you want something similar to fuser for Windows, you can check out Process Explorer.

It won't let you watch a file, but you can see if any current running processes are accessing that temp directory and creating similar named temp files.

yx
Actually, [Process Monitor](http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx) is more useful for this.
Suraj Barkale
If you're diagnosing the problem, as opposed to writing a utility, Process Monitor is a good way to go.
Greg D
+1  A: 

I've used FileMon.exe, but it only works on XP.

Igor Zelaya
+1  A: 

Just use standard Win32 api (NAPI).

See Adv. Win32 api ng news://comp.os.ms-windows.programmer.win32 for source code (C)

Can you please be more specific? Function names? Other keywords to search for?
Rob Kennedy
+1  A: 

There's always Process Monitor, which replaces FileMon and will tell you which process is accessing the files in question.

Rowland Shaw
+1  A: 

The only way I've found to do this from .NET programmatically is to run Sysinternals' command-line Handle app, pass the file name in, and read the console output to try to catch the source application with an open handle to the file.

Otherwise the utilities others have mentioned would do fine.

ZeroBugBounce
Cool. I didn't know this tool existed. My problem is I don't know when the file is going to be created, and I don't think it stays "open" for very long.
tyndall
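The approach from the answer above (run Sysinternals Handle and read its console output), written as an added example in Python rather than .NET; it is not code from the thread. The result-line format, the `-accepteula` switch placement and the sample lines are assumptions constructed for illustration, and a single snapshot only sees handles that are open at that instant.

```python
import ntpath
import re
import subprocess
from collections import defaultdict

# Assumed shape of one handle.exe result line (not shown on the page):
#   <image>  pid: <pid>  type: <type>  <hex handle>: <path>
LINE_RE = re.compile(
    r"^(?P<image>.+?)\s+pid:\s*(?P<pid>\d+)\s+type:\s*(?P<type>\S+)\s+"
    r"(?P<handle>[0-9A-Fa-f]+):\s+(?P<path>.+?)\s*$"
)

# Constructed sample output, so the parser can be exercised offline.
SAMPLE_OUTPUT = r"""
Handle (constructed sample banner, skipped by the parser)

cidaemon.exe       pid: 1440   type: File           2C4: C:\WINNT\Temp\70618199
cidaemon.exe       pid: 1440   type: File           2D0: C:\WINNT\Temp\21834082
inetinfo.exe       pid: 968    type: File           1A8: C:\WINNT\Temporary\cache.dat
"""

def parse_handle_output(text):
    """Return one dict per result line; banner and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            records.append(rec)
    return records

def owners_under(records, directory):
    """Map (image, pid) -> paths held open inside `directory` (case-insensitive)."""
    root = ntpath.normcase(directory).rstrip("\\")
    owners = defaultdict(list)
    for rec in records:
        path = ntpath.normcase(rec["path"])
        # Require a separator after the root so C:\WINNT\Temporary is not a match.
        if rec["type"] == "File" and (path == root or path.startswith(root + "\\")):
            owners[(rec["image"], rec["pid"])].append(rec["path"])
    return dict(owners)

def snapshot(directory, exe="handle.exe"):
    """Run handle.exe once (Windows, elevated) and parse what it prints."""
    out = subprocess.run([exe, "-accepteula", directory],
                         capture_output=True, text=True, check=False).stdout
    return owners_under(parse_handle_output(out), directory)

if __name__ == "__main__":
    print(owners_under(parse_handle_output(SAMPLE_OUTPUT), r"C:\WINNT\Temp"))
```

Calling `snapshot(r"C:\WINNT\Temp")` in a loop and logging each non-empty result narrows the window in which a short-lived handle can be missed, but does not close it.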
A: 

You could always set that directory to read-only and see what throws up. Although if it's a document server you might not want to do that.

MSN

A: 

\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\service.exe

This is a Recycler virus. It created a hidden folder called "Recycler" in all disk partitions, and I was not able to delete them from Windows Safe Mode. Norton, AVG, and Kaspersky failed to detect it or delete it.

I turned off System Restore, rebooted the PC using a boot disk, went to the command prompt, and deleted the "Recycler" folder from all drives using the command `rmdir /s c:\recycler`.

This is the only thing that worked for me on Windows XP.

--KD