document updated 16 years ago, on May 6, 2008
To list all files created:
- Run procmon.
- Open Tools > File summary and sort by number of writes.
- However, this doesn't include files that were created with zero length, or directories that were created. To catch those, you also have to:
  - find all files/dirs that have had their time/date changed back (filter on Operation = SetBasicInformationFile / SetAllInformationFile / SetDispositionInformationFile)
  - take the list of ALL files touched, check their modification time on disk, and include any that have been modified recently
(it should be possible to write a program that reads a .PML file (format here), and does all the filtering/on-disk checks?)
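A sketch of the program suggested above, as an added example that is not part of the original note. Instead of parsing the binary .PML it assumes the trace was saved from Procmon as CSV with the default columns; `candidate_created`, `build_demo` and the sample rows are constructed for illustration.

```python
import csv
import io
import os
import time

# Operations the note says to filter on.
SET_INFO_OPS = {"SetBasicInformationFile", "SetAllInformationFile",
                "SetDispositionInformationFile"}
# Assumption: the CSV export uses Procmon's default column set.
COLUMNS = ["Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail"]


def candidate_created(csv_text, since_epoch):
    """Return two sorted lists: paths hit by a Set*InformationFile operation,
    and touched paths whose on-disk mtime is at or after since_epoch."""
    set_info, touched = set(), set()
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        path = (row.get("Path") or "").strip()
        if path:
            touched.add(path)
            if row.get("Operation") in SET_INFO_OPS:
                set_info.add(path)
    recent = set()
    for path in touched:
        try:
            mtime = os.stat(path).st_mtime  # works for files and directories
        except OSError:
            continue  # registry key, file deleted since the trace, bad path
        if mtime >= since_epoch:
            recent.add(path)
    return sorted(set_info), sorted(recent)


def build_demo(root):
    """Constructed sample: four paths under root plus a matching CSV trace."""
    p = {n: os.path.join(root, n) for n in ("empty.txt", "newdir", "backdated.bin", "old.log")}
    os.mkdir(p["newdir"])
    for n in ("empty.txt", "backdated.bin", "old.log"):
        open(p[n], "w").close()  # zero-length files
    past = time.time() - 10 * 86400
    for n in ("backdated.bin", "old.log"):  # backdated: time set back; old: only read
        os.utime(p[n], (past, past))
    rows = [("CreateFile", p["empty.txt"]), ("CreateFile", p["newdir"]),
            ("CreateFile", p["backdated.bin"]), ("SetBasicInformationFile", p["backdated.bin"]),
            ("ReadFile", p["old.log"]), ("RegOpenKey", r"HKLM\Software\Constructed")]
    out = io.StringIO()
    w = csv.writer(out, quoting=csv.QUOTE_ALL)
    w.writerow(COLUMNS)
    w.writerows(["12:00:00.0000000", "demo.exe", "1234", op, path, "SUCCESS", ""] for op, path in rows)
    return out.getvalue(), p
```

The two lists are complementary: the zero-length file and the new directory show up only through the on-disk mtime check, while the backdated file shows up only through the operation filter.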