Jump to content
rudi

Monitoring for open files and process list in a Network

Recommended Posts

Posted (edited)

Hi.

 

Before I'm going to reinvent the wheel, any suggestions for solutions to monitor, coming from what PC massive file opens to a windows server box are done and what process is doing so?

 

As no files are modified (ransomware) I suspect, that some harmless, just buggy software is doing these file opens, that are showing up only time by time (every now and then on an irregular basis, maybe not for a week or even longer).

 

 

For some other task I've found NetShare.au3, with the use of it's function _Net_Share_FileEnum($_Srv) I'm able to get for another station in the LAN a list of opened files. Here I would need to get the list of opened files on *THIS* station (the server), perfectly would be to see the WinClient the remote file open came from and marvelous it would be to get the process on that WinClient doing the fileopen()...

 

 

Any suggestions appreciated, Rudi.Insert other media

Edited by rudi

Earth is flat, pigs can fly, and Nuclear Power is SAFE!

Share this post


Link to post
Share on other sites
Posted (edited)

https://www.watchingthenet.com/view-connections-to-windows-folder-shares.html

Go down to: Who's On My Computer?

There are all kinds of net * function command lines, but you need to run them all relative the server, or execute the script on the server via something like paexec.

 

Specfically: Net File...very helpful when you are doing deployments to kill locks (you can also temporarily bring down shares)

file Net file is used to show a list of open files on a server. The command can also be used to close a shared file and remove a file lock.
Edited by jdelaney

IEbyXPATH-Grab IE DOM objects by XPATH IEscriptRecord-Makings of an IE script recorder ExcelFromXML-Create Excel docs without excel installed GetAllWindowControls-Output all control data on a given window.

Share this post


Link to post
Share on other sites
Posted (edited)

Thans for your reply,

 

the net file stuff I wasn't aware of, great! This command is the key to get the stations doing massive file opens.

 

Next step will be to grab the process on the PC doing that nonsense.

 

<cite>

Go down to: Who's On My Computer?

There are all kinds of net * function command lines, but you need to run them all relative the server,

</cite>

I cannot see "several net * function command lines? (examles) ?

 

 

the powershell command get-smbopenfile ist pretty close to what I'm looking for.

cu, rudi

Edited by rudi

Earth is flat, pigs can fly, and Nuclear Power is SAFE!

Share this post


Link to post
Share on other sites

Hello,

 

meanwhile I solved it using PowerShell for the first step. The final processing is done with AutoIT

 

$OpenFiles=Get-SmbOpenFile

$hash=@{}
$OpenFiles |%{$hash[$_.clientcomputername + " - " + $_.clientusername]++} 

$hash

$Clone=$hash.clone()

$OFLimit=100

foreach ($F in $Clone.getenumerator()) {
	if ([decimal]$F.value -le $OFLimit) {$hash.remove($F.key)}
}

$hash
$path="C:\temp\ManyOpenFiles"
if (!(test-path $path)) {New-Item -ItemType Directory -Force -Path $path}

$Max=$($Clone.values | measure -maximum).maximum
Write-Host "Maximum = $max"

if ($hash.count -ge 1) {
	Write-Host $FN
	$FN=$path + "\" + $(Get-Date -Format yyyy-MM-dd_HH-mm-ss) + "_Max=" + $Max +".TXT"
} else {
	$FN=$path + "\" + $(Get-Date -Format yyyy-MM-dd_HH-mm-ss) + "_Keiner_oberhalb_" + $OFLimit + "_Max=" + $Max + ".TXT"
}

$clone.getenumerator() | sort value -desc| ft -auto | Out-File $FN -NoClobber 
write-host " - - - - - - - - - - - - - - - - - - - - - -"
write-host $FN
start $FN

Suggestions to do it all in Autoit are mostly appreciated.

 

 

Regards, Rudi.


Earth is flat, pigs can fly, and Nuclear Power is SAFE!

Share this post


Link to post
Share on other sites

For _Net_Share_FileEnum to work correctly on the local machine, you need to add #RequireAdmin to the top of your script.  

 

Adam

 

Share this post


Link to post
Share on other sites
Posted (edited)

I couldn't help trying it.  StdoutRead works very well. It takes about half a sec to get the info. After that you only need to translate it into an 2D array and you are gone !

Also look at win32_process.   There is a lot of very interesting data coming from this class.  

Edited by Nine

Share this post


Link to post
Share on other sites
On 4/17/2019 at 11:14 PM, Nine said:

I couldn't help trying it.  StdoutRead works very well.

@Nine that's about the way I'm doing it right now. (I use a spool file inbetween instead of grabbing the output directly)

I've been wondering if native Autoit Functions can get hold of the sam information *WITHOUT* using PS.

 

Thanks for pointing out win32_process. I'll take a closer look to that one, too.

 

Rudi.


Earth is flat, pigs can fly, and Nuclear Power is SAFE!

Share this post


Link to post
Share on other sites
On 4/17/2019 at 9:45 PM, AdamUL said:

For _Net_Share_FileEnum to work correctly on the local machine, you need to add #RequireAdmin to the top of your script.  

 

Adam

 

#RequireAdmin: Thanks, I'll give it a try.

 

Rudi.


Earth is flat, pigs can fly, and Nuclear Power is SAFE!

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...