how to find out what created a file?
I have some virus files being randomly created on the root of the C: disk of one of my servers. How can I find out what created them? Some 3rd party software maybe?
Solution 1:
Have a look at the "Owner" tab under the "Advanced" properties of the "Security" properties page of the file's properties sheet. Odds are good, though, that you're going to see "Administrators" as the owner (which won't be too helpful).
The auditing functionality in Windows can help with this kind of thing, but it generates such large volumes of seemingly useless data that it's, practically speaking, not worth it.
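The auditing route mentioned above can be scoped narrowly enough to be useful. This is an added example, not code from the answer: it enables the "File System" audit subcategory, puts a non-inheriting SACL on the C:\ root for file creation only, and then reads back the resulting 4663 events with the account and process image that performed the write. The folder, the time window and the object-name pattern are assumptions for the illustration; run it in an elevated PowerShell session.

```powershell
# Added example (not from the original answer). Scoped file-creation auditing on C:\
# plus a query that extracts who/what created files there. Run elevated.

$WatchPath = 'C:\'   # assumed: the folder where the unexpected files appear

# 1. Enable the "File System" subcategory. Success-only keeps the volume manageable.
auditpol /set /subcategory:"File System" /success:enable /failure:disable | Out-Null

# 2. Add one SACL entry on the folder itself (no inheritance) for "create files / write data".
#    Only file creation in this one folder is audited, not every access on the volume.
$acl  = Get-Acl -Path $WatchPath -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
            'Everyone',
            [System.Security.AccessControl.FileSystemRights]::CreateFiles,
            [System.Security.AccessControl.InheritanceFlags]::None,
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $WatchPath -AclObject $acl

# 3. Read back 4663 ("An attempt was made to access an object") events and pull the
#    object, the subject account and the process image out of the event XML.
function Get-FileCreateAudit {
    param(
        [string]$ObjectPattern = '^C:\\',            # assumed: objects under the C:\ root
        [datetime]$Since = (Get-Date).AddHours(-24)  # assumed: look back one day
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Object      = $d['ObjectName']
                User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                ProcessId   = $d['ProcessId']
                ProcessName = $d['ProcessName']
                AccessMask  = $d['AccessMask']
            }
        } |
        Where-Object { $_.Object -match $ObjectPattern }
}

# Once a new file has shown up, this lists the creating process per event.
Get-FileCreateAudit | Sort-Object Time | Format-Table -AutoSize
```

The ProcessName column is the part the owner tab cannot give you: even when the owner is "Administrators", the event still names the image (and PID) that held the handle. Remove the SACL entry and disable the subcategory again once the source is identified, otherwise the log keeps growing.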
Solution 2:
Let's assume for a second that whatever is creating these files isn't malicious:
- You can look at the owner to see what user created the files
- Then use something like Sysinternals Process Explorer to view the processes that are running under that user (right-click the columns and check "User Name" on the "Process Image" tab)
- Then look at the handles that each of these processes has (go to the View menu, check "Show Lower Pane", change "Lower Pane View" to "Handles"); one of them may have a handle open to the weird files you're seeing
However, if whatever is creating these files is malicious it will take steps to thwart you. (File hiding, process hiding, obfuscation, etc.)
You can use some of the utilities here to check for rootkits: A list of Windows rootkit detection and removal tools
But if the server has been owned, you know it's been owned, and you don't know how they got in: it's time to start rebuilding it and activating any incident response plan you may have.
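The three steps in this answer (owner of the files, processes running as that owner, handles those processes hold) can be scripted for a first pass. This is an added example, not the answerer's own code: it lists recently created files at the root of C:\ with their owner, finds processes running under those accounts, and asks Sysinternals handle.exe which of them hold a handle to one of the files. It assumes an elevated PowerShell 4.0 or later session (for Get-Process -IncludeUserName), handle.exe on the PATH, and a seven-day window for "recently created".

```powershell
# Added example (not from the original answer). Scripted version of the
# owner -> processes -> handles walk. Run elevated; handle.exe is assumed on PATH.

param(
    [string]$Root = 'C:\',                           # assumed: where the files appear
    [datetime]$Since = (Get-Date).AddDays(-7)        # assumed: "recent" window
)

# 1. The "Owner" tab, scripted: recent files directly under the root and who owns them.
$files = Get-ChildItem -Path $Root -File -Force |
    Where-Object { $_.CreationTime -gt $Since } |
    Select-Object FullName, CreationTime,
        @{ n = 'Owner'; e = { (Get-Acl -Path $_.FullName).Owner } }
$files | Format-Table -AutoSize

# 2. Processes running under each distinct owner account.
#    Note: an owner of BUILTIN\Administrators will not match any process user name;
#    in that case fall back to checking every process in step 3.
$owners = $files.Owner | Sort-Object -Unique
$procs  = Get-Process -IncludeUserName | Where-Object { $owners -contains $_.UserName }
if (-not $procs) { $procs = Get-Process -IncludeUserName }
$procs | Select-Object Id, ProcessName, UserName, Path | Format-Table -AutoSize

# 3. Which of those processes currently holds a handle to one of the files?
foreach ($p in $procs) {
    # handle.exe prints one line per open handle of the given PID.
    $handles = & handle.exe -accepteula -nobanner -p $p.Id 2>$null
    foreach ($f in $files) {
        if ($handles | Where-Object { $_ -like "*$($f.FullName)*" }) {
            "PID $($p.Id) ($($p.ProcessName)) holds a handle to $($f.FullName)"
        }
    }
}
```

A hit in step 3 only proves the process has the file open right now; a process that writes a file and closes it leaves no handle behind, which is when the file-system auditing approach from Solution 1 is the better tool. As the answer notes, a rootkit can hide both the process and the file from these user-mode views, so a clean result here is not evidence of a clean machine.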