Review all Open Files Accessed by Processes in Memoryhttp://www.windowsscope.com/wp-content/uploads/2016/07/ofblog1-1024x785.jpg 1024 785 WindowsSCOPE WindowsSCOPE http://www.windowsscope.com/wp-content/uploads/2016/07/ofblog1-1024x785.jpg
‘Process’ is the process that is using a selected entry, ‘File Name’ is the file or folder being used, and ‘Access Rights’ is what permissions the process has. One thing to note is that the starting directory is assumed to be the main drive on the computer, typically ‘Local Disk (C:)’. From the example snapshot, the process svchost.exe in the directory C:WindowsSystem32 is using permissions FILE_WRITE_EA. There are several permissions in Windows. FILE_WRITE_EA permits writing to a file and implies permission for also reading the file. FILE_READ_DATA just gives permission for reading the file. FILE_EXECUTE allows for the file to be run or executed. These are the most common (but not all) permissions seen in WindowsSCOPE.
Some of the entries in ‘File Name’ might have weird looking names. Microsoft likes to encode data in the name of a lot of its hidden files and folders. Sometimes this is a time stamp or a version number. One specific thing that is often encoded is a GUID, which stands for Globally Unique Identifier. A GUID is a 128-bit hexadecimal string (or 32 hex values). The hex values are arranged in 8-4-4-4-12 format. A GUID is useful for creating something that, for all intensive purposes, will be completely unique since the possible combination is so large. An example of an entry encoded with a GUID can be seen below.
A ‘File Name’ entry might also show up as saying “Endpoint”. This means that the entry is a handle for a socket, which is really just an extension of a file handle. A file handle is simply a pointer to the file being accessed. They are used because it is much faster to call the handle than the entire file.
To see how WindowsSCOPE keeps track of all open files, create a new document with a document editor (besides Notepad) and save it to the Desktop. The reason that a program such as Notepad cannot be used is that it doesn’t necessarily have the file it is editing open the entire time. In most editors, if you try to delete or alter the file being worked on, Windows will throw an error saying that the file is currently in use. This is not the case for Notepad because it only touches the file when needed, meaning that it will not show up as an Open File in WindowsSCOPE.
After saving and with the document still open, take a snapshot in WindowsSCOPE. Once complete, go to Memory View → Summary of System Activity → Open Files. Search for the process name of the document editor used and then find the name of the file, or just search using the find feature (Ctrl+F) for the file name.