rudi Posted April 8, 2019 (edited) Hi. Before I'm going to reinvent the wheel, any suggestions for solutions to monitor from what PC massive file opens to a Windows server box are done, and what process is doing so? As no files are modified (ransomware), I suspect that some harmless, just buggy software is doing these file opens, which show up only from time to time (every now and then on an irregular basis, maybe not for a week or even longer). For some other task I've found NetShare.au3; with the use of its function _Net_Share_FileEnum($_Srv) I'm able to get a list of opened files for another station in the LAN. Here I would need to get the list of opened files on *THIS* station (the server); it would be perfect to see the WinClient the remote file open came from, and marvelous to get the process on that WinClient doing the fileopen()... Any suggestions appreciated, Rudi.
jdelaney Posted April 9, 2019 (edited) https://www.watchingthenet.com/view-connections-to-windows-folder-shares.html Go down to: Who's On My Computer? There are all kinds of net * function command lines, but you need to run them all relative to the server, or execute the script on the server via something like paexec. Specifically: Net File... very helpful when you are doing deployments to kill locks (you can also temporarily bring down shares). Net file is used to show a list of open files on a server. The command can also be used to close a shared file and remove a file lock.
rudi Posted April 9, 2019 Author (edited) Thanks for your reply, the net file stuff I wasn't aware of, great! This command is the key to get the stations doing massive file opens. Next step will be to grab the process on the PC doing that nonsense.
> Go down to: Who's On My Computer? There are all kinds of net * function command lines, but you need to run them all relative the server,
I cannot see "several net * function command lines"? (examples?) The PowerShell command Get-SmbOpenFile is pretty close to what I'm looking for. cu, rudi
rudi Posted April 17, 2019 Author Hello, meanwhile I solved it using PowerShell for the first step. The final processing is done with AutoIt.

```powershell
$OpenFiles = Get-SmbOpenFile
$hash = @{}
# count open files per "client - user" pair
$OpenFiles | %{ $hash[$_.ClientComputerName + " - " + $_.ClientUserName]++ }
$hash
$Clone = $hash.Clone()
$OFLimit = 100
# drop every client/user pair at or below the limit
foreach ($F in $Clone.GetEnumerator()) {
    if ([decimal]$F.Value -le $OFLimit) { $hash.Remove($F.Key) }
}
$hash
$path = "C:\temp\ManyOpenFiles"
if (!(Test-Path $path)) { New-Item -ItemType Directory -Force -Path $path }
$Max = $($Clone.Values | measure -Maximum).Maximum
Write-Host "Maximum = $Max"
if ($hash.Count -ge 1) {
    $FN = $path + "\" + $(Get-Date -Format yyyy-MM-dd_HH-mm-ss) + "_Max=" + $Max + ".TXT"
} else {
    $FN = $path + "\" + $(Get-Date -Format yyyy-MM-dd_HH-mm-ss) + "_Keiner_oberhalb_" + $OFLimit + "_Max=" + $Max + ".TXT"
}
# full per-client table, highest count first
$Clone.GetEnumerator() | sort Value -Descending | ft -AutoSize | Out-File $FN -NoClobber
Write-Host " - - - - - - - - - - - - - - - - - - - - - -"
Write-Host $FN
start $FN
```

Suggestions to do it all in AutoIt are mostly appreciated. Regards, Rudi.
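The same server-side check as an added example (not rudi's script and not part of the thread): group Get-SmbOpenFile by client and user, keep only the pairs above the threshold, and show which folders the burst touches so the report already points at what the client is doing. The threshold and report folder are taken from the post above; the function name and the folder summary are assumptions.

```powershell
# Added example: report SMB clients holding more than $OFLimit open files on
# this file server. Run elevated on the server (Get-SmbOpenFile needs admin).
param(
    [int]   $OFLimit = 100,                     # threshold from the post above
    [string]$Path    = 'C:\temp\ManyOpenFiles'  # report folder (assumed)
)

function Get-HeavySmbClients {
    # Hypothetical helper: one object per client/user pair above $Limit
    param([int]$Limit)
    Get-SmbOpenFile |
        Group-Object ClientComputerName, ClientUserName |
        ForEach-Object {
            # the three folders with the most open files for this pair
            $top = $_.Group |
                ForEach-Object { Split-Path $_.Path -Parent } |
                Group-Object | Sort-Object Count -Descending |
                Select-Object -First 3 -ExpandProperty Name
            [pscustomobject]@{
                Client    = $_.Group[0].ClientComputerName
                User      = $_.Group[0].ClientUserName
                OpenFiles = $_.Count
                Folders   = $top -join '; '
            }
        } |
        Where-Object OpenFiles -gt $Limit |
        Sort-Object OpenFiles -Descending
}

if (-not (Test-Path $Path)) {
    New-Item -ItemType Directory -Force -Path $Path | Out-Null
}

$heavy = @(Get-HeavySmbClients -Limit $OFLimit)
$stamp = Get-Date -Format yyyy-MM-dd_HH-mm-ss

if ($heavy.Count -gt 0) {
    $max    = ($heavy | Measure-Object OpenFiles -Maximum).Maximum
    $report = Join-Path $Path "${stamp}_Max=$max.txt"
    # table is wide, so widen the string output before writing it
    $heavy | Format-Table -AutoSize | Out-String -Width 200 | Set-Content $report
    Write-Warning "$($heavy.Count) client(s) above $OFLimit open files, see $report"
} else {
    Write-Host "No client above $OFLimit open files at $stamp"
}
```

Get-SmbSession's NumOpens column gives the same per-session count without enumerating every file, which is cheaper when the script runs every few minutes from a scheduled task.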
Nine Posted April 17, 2019 I believe you could launch OpenFiles from an AutoIt script, grab the information in the CSV format through a file or directly using StdoutRead. Never tested it but seems doable to me...
AdamUL Posted April 17, 2019 Posted April 17, 2019 For _Net_Share_FileEnum to work correctly on the local machine, you need to add #RequireAdmin to the top of your script. Adam
Nine Posted April 17, 2019 (edited) I couldn't help trying it. StdoutRead works very well. It takes about half a sec to get the info. After that you only need to translate it into a 2D array and you are gone! Also look at win32_process. There is a lot of very interesting data coming from this class.
rudi Posted April 23, 2019 Author
> On 4/17/2019 at 10:14 PM, Nine said: I couldn't help trying it. StdoutRead works very well.
@Nine that's about the way I'm doing it right now. (I use a spool file in between instead of grabbing the output directly.) I've been wondering if native AutoIt functions can get hold of the same information *WITHOUT* using PS. Thanks for pointing out win32_process. I'll take a closer look at that one, too. Rudi.
rudi Posted April 23, 2019 Author
> On 4/17/2019 at 8:45 PM, AdamUL said: For _Net_Share_FileEnum to work correctly on the local machine, you need to add #RequireAdmin to the top of your script. Adam
#RequireAdmin: Thanks, I'll give it a try. Rudi.