See exactly which files each program accesses

You can easily observe that a program is performing I/O disk operations using a process monitor. Is there an easy way to observe exactly what files are being read/written to by each process?

Windows/Linux solutions welcome!


I like OpenedFilesView because I am old. Also check out Process Explorer and Resource Monitor (resmon).

Use Windows-R to open the run box. Type resmon and hit the Enter-key.

On *nix I'd use lsof.


On Windows, you would use an app literally called Process Monitor, or ProcMon for short. It captures all file and registry access – not just "current" state, but each individual operation.

This type of tool is particularly useful as many files are opened-read-closed quickly, not held open for long durations.


The rough Linux equivalent of ProcMon is strace. To see all file-related system calls:

strace -e file /bin/chmod a+w test.txt

Other similar tools are perf trace and ltrace. BSDs have ktruss, I think.

Highly flexible system tracing can be done through bpftrace and SystemTap stap (both of which are similar to Solaris' dtrace). They take a while to learn, though.

The Linux audit subsystem, with auditctl, can be used to track operations on specific files no matter which process they're done by. For example, you can see what's accessing your ~/.ssh/id_rsa private key.

(Similarly, LSMs such as AppArmor can be run in "complain" or "permissive" mode where they only log operations that would be denied, but don't actually deny them.)

The fanotify subsystem can be used to get a system-wide firehose feed of all files that are being accessed, e.g. using the fatrace tool. (It's similar to inotify, which is per-directory; inotifywait -rmq ~/foo would monitor that directory recursively.)
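
An added example, not part of the answers above: a Python script that turns the output of the strace command from the last answer into a per-process list of files touched, including failed attempts. It assumes the trace was taken with `-f` (follow child processes); the sample trace is constructed, and `files_by_pid` and the other names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of `strace -f -e trace=file` output; not a real capture.
SAMPLE = r'''execve("/bin/sh", ["sh", "-c", "cat notes.txt /etc/shadow > copy.txt"], 0x7ffc2f1d3a40 /* 24 vars */) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "copy.txt", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 3
[pid  4122] execve("/usr/bin/cat", ["cat", "notes.txt", "/etc/shadow"], 0x55d0c8a1e2b0 /* 24 vars */) = 0
[pid  4122] openat(AT_FDCWD, "notes.txt", O_RDONLY <unfinished ...>
[pid  4121] newfstatat(AT_FDCWD, "/usr/bin/cat", {st_mode=S_IFREG|0755, st_size=35280, ...}, 0) = 0
[pid  4122] <... openat resumed>) = 3
[pid  4122] openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
[pid  4122] +++ exited with 1 +++
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4122, si_uid=1000, si_status=1, si_utime=0, si_stime=0} ---
+++ exited with 1 +++
'''

PID = re.compile(r'^(?:\[pid\s+(\d+)\]\s+|(\d+)\s+)?(.*)$')   # "[pid N] " or "N " (-o file)
CALL = re.compile(r'^(\w+)\((.*)\)\s+=\s+(-?\d+)(?:\s+(E[A-Z0-9]+))?')
RESUMED = re.compile(r'^<\.\.\. \w+ resumed>\s*')
PATH = re.compile(r'"((?:[^"\\]|\\.)*)"')                      # first quoted argument
UNFINISHED = "<unfinished ...>"
MODIFY = {"chmod", "fchmodat", "chown", "unlink", "unlinkat", "rename", "mkdir", "rmdir", "truncate", "creat"}

def access_kind(call, args):
    if call in ("open", "openat"):  # the open flags tell read-only from writable
        return "write" if re.search(r"O_(WRONLY|RDWR)", args) else "read"
    if call in ("execve", "execveat"):
        return "exec"
    return "modify" if call in MODIFY else "lookup"

def files_by_pid(trace, main="main"):
    """Return {pid: [(path, kind, errno_or_None), ...]}; `main` labels un-prefixed lines."""
    pending, out = {}, defaultdict(list)
    for raw in trace.splitlines():
        m = PID.match(raw.strip())
        pid, body = m.group(1) or m.group(2) or main, m.group(3)
        if body.endswith(UNFINISHED):            # call interrupted by another process's output
            pending[pid] = body[:-len(UNFINISHED)]
            continue
        if pid in pending and RESUMED.match(body):   # stitch the two halves back together
            body = pending.pop(pid) + RESUMED.sub("", body)
        c = CALL.match(body)
        p = c and PATH.search(c.group(2))        # multi-path calls (rename) report the first path only
        if p:
            out[pid].append((p.group(1), access_kind(c.group(1), c.group(2)), c.group(4)))
    return dict(out)

if __name__ == "__main__":
    print(files_by_pid(SAMPLE, main="4121"))
```

Passing the traced command's own PID as `main` merges its un-prefixed early lines with the `[pid N]` lines strace prints once a child exists.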