Find which files are read or written to
I want to see which files are read or written to.
Is there any program or a command for that? I can remember I used this method to hunt down viruses and malware hiding locations when I used windows a few years back.
That program is lsof ("List open files").

- If you just open a Terminal and type lsof, you get a huge list of all open files. Instead, limit it to one command by doing:

  lsof -c gnome-terminal

- You can also restrict your search to a specific directory by typing

  lsof -c gnome-terminal -a +D /tmp

- Or list all open files in one specific directory, including what application has opened it:

  lsof /dev/urandom

  Remember that some processes are started by the superuser root; you may need to put sudo in front of your command to get more information about such processes' open files.

  To narrow down your search, you can grep specific lines, i.e.:

  lsof /dev/urandom | grep chrome

- The FD (File Descriptor) column of the output gives you information about the purpose of the program opening the file (not necessarily what's happening to it at the moment):
  - r means the file is opened for reading
  - w means the file is opened for writing
  - u means the file is opened for both reading and writing

- For more details, consult the manual page (man lsof). Also, if you need to look up any of the files and directories, the Linux Filesystem Hierarchy Standard is very helpful.
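The FD-column reading described in the answer above can be automated. The script below is an added example, not code from the answer: SAMPLE_LSOF is a constructed sample of lsof's default column output, and the function names summarize_fd_modes and writers_under are chosen here. It skips the non-numeric descriptors (cwd, txt, mem) and tolerates the lock flag lsof appends after the mode (e.g. "6uW"), both of which trip up a naive grep for "w".

```shell
#!/bin/sh
# Added example: classify lsof's FD column into readers and writers.
# SAMPLE_LSOF is a constructed sample, not output captured from a real host.
SAMPLE_LSOF='COMMAND     PID   USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
bash       1234   alice  cwd    DIR  253,0     4096  131073 /tmp
bash       1234   alice  txt    REG  253,0  1183448  655612 /usr/bin/bash
bash       1234   alice    0u   CHR  136,1      0t0       4 /dev/pts/1
sshd       2222    root    3u  IPv4  12345      0t0     TCP *:22 (LISTEN)
logger     3333   alice    4w   REG  253,0     8192  262145 /tmp/app.log
reader     4444   alice    5r   REG  253,0     1024  262146 /tmp/config.ini
editor     5555   alice   6uW   REG  253,0     2048  262147 /tmp/notes.txt'

# summarize_fd_modes: read lsof output on stdin and count descriptors opened
# for reading (r), writing (w) or both (u). Non-numeric FDs such as cwd, txt
# and mem are skipped; a trailing lock flag (as in "6uW") is ignored.
summarize_fd_modes() {
    awk 'NR > 1 && $4 ~ /^[0-9]+[rwu]/ {
             sub(/^[0-9]+/, "", $4)        # strip the descriptor number
             count[substr($4, 1, 1)]++     # first remaining char is the mode
         }
         END {
             printf "r=%d w=%d u=%d\n", count["r"] + 0, count["w"] + 0, count["u"] + 0
         }'
}

# writers_under DIR: from lsof output on stdin, print "COMMAND PID NAME" for
# every descriptor that can write (mode w or u) to a file at or below DIR.
writers_under() {
    awk -v dir="$1" '
        BEGIN { sub(/\/+$/, "", dir) }    # tolerate a trailing slash in DIR
        NR > 1 && $4 ~ /^[0-9]+[wu]/ &&
        ($9 == dir || index($9, dir "/") == 1) {
            print $1, $2, $9
        }'
}

# Usage with the constructed sample. On a live system feed real output instead,
# e.g.  sudo lsof +D /tmp | writers_under /tmp
printf '%s\n' "$SAMPLE_LSOF" | summarize_fd_modes     # r=1 w=1 u=3
printf '%s\n' "$SAMPLE_LSOF" | writers_under /tmp
```

Because lsof reports the mode a file was opened with, not what the process is doing right now, writers_under tells you which processes could modify a path, which is the right question when hunting for something that keeps rewriting files.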
As a complete over-kill option, but one that works in real-time, you can use inotify:

  sudo inotifywait -m -r /

Note that this will consume a great deal of memory, and take a long time to set up. As the manpage says:

  -r, --recursive
      Watch all subdirectories of any directories passed as arguments. Watches will be set up recursively to an unlimited depth. Symbolic links are not traversed. Newly created subdirectories will also be watched.

      Warning: If you use this option while watching the root directory of a large tree, it may take quite a while until all inotify watches are established, and events will not be received in this time. Also, since one inotify watch will be established per subdirectory, it is possible that the maximum amount of inotify watches per user will be reached. The default maximum is 8192; it can be increased by writing to /proc/sys/fs/inotify/max_user_watches.

This also doesn't tell you what process is messing with files, but it may help identify changes as they happen. Using "-e open" may help reduce some of the noise on a really busy system.
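The manpage warning quoted above (one watch per subdirectory, a per-user maximum) is something you can check before starting a recursive watch. The script below is an added example, not part of the answer: the function names count_watch_dirs, max_user_watches, watch_budget_ok and watch_opens are chosen here. It counts the directories inotifywait -r would watch (find, like inotifywait, does not follow symlinks), compares that with the live limit from /proc, falling back to the 8192 default the manpage quotes, and wraps a narrower inotifywait invocation that uses the "-e open" filter from the answer plus modify events on one tree instead of the whole of /.

```shell
#!/bin/sh
# Added example: size an inotifywait -r run before starting it.

# count_watch_dirs DIR: number of directories inotifywait -r would watch under
# DIR, DIR itself included. find does not follow symlinks unless told to, which
# matches inotifywait's "symbolic links are not traversed".
count_watch_dirs() {
    find "$1" -type d 2>/dev/null | wc -l | tr -d ' '
}

# max_user_watches: the current per-user inotify watch limit, or the default
# quoted in the manpage (8192) when /proc is not readable here.
max_user_watches() {
    if [ -r /proc/sys/fs/inotify/max_user_watches ]; then
        cat /proc/sys/fs/inotify/max_user_watches
    else
        echo 8192
    fi
}

# watch_budget_ok DIR: print the numbers and succeed only if the tree fits under
# the limit. Other programs run by the same user also consume watches, so a pass
# is necessary, not sufficient.
watch_budget_ok() {
    needed=$(count_watch_dirs "$1")
    limit=$(max_user_watches)
    echo "directories=$needed max_user_watches=$limit"
    [ "$needed" -lt "$limit" ]
}

# watch_opens DIR: live monitoring (not run in this script). Reports only open
# and modify events under DIR with a timestamp per line, far less noise than
# every event under /. Needs sudo for files owned by other users.
watch_opens() {
    inotifywait -m -r -e open -e modify --timefmt '%F %T' --format '%T %w%f %e' "$1"
}

# Usage on a constructed temporary tree so the script runs offline:
demo=$(mktemp -d)
mkdir -p "$demo/a/b" "$demo/c"
ln -s "$demo/a" "$demo/link"          # a symlink, which is not counted as a watch
watch_budget_ok "$demo"               # directories=4 max_user_watches=<limit>
rm -rf "$demo"
```

If watch_budget_ok fails for the tree you care about, either raise the limit by writing to /proc/sys/fs/inotify/max_user_watches as the manpage describes, or watch a narrower subtree; starting the recursive watch anyway silently leaves part of the tree unwatched once the limit is hit.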