How find a process which removed/moved a given file in Windows

Question

Suppose I have some files removed (or probably moved or renamed) in a Windows machine. Now I would like to find out what process removes/moves them. How can I do it?

Answer 1

Assuming that you need this in code, the only option is to have a filesystem filter driver intercept the requests and capture the information you need. Our CallbackFilter product lets one do this in user-mode (the driver is included).

Other options (not in code) are enable audit on the files in question and use ProcMon tool (Process Monitor by Sysinternals) to monitor the files.