
ReadDirectoryChangesW and determining which process caused the change

开发者 https://www.devze.com 2023-04-09 18:57 Source: web

How can I determine which processes are making changes to which files.

I did find this:

FileSystemWatcher: how to know which process made the change?

But I'm curious if anything has changed lately? Is it possible yet to determine which process is making changes to the file system, either using ReadDirectoryChangesW or anything else? I'd prefer not to have to write or use a kernel driver.


Create a security audit on the files you want to track. The information will be recorded in the security event log.
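The audit approach in this answer, as an added example that is not the answerer's code. It assumes an elevated PowerShell (5.1 or later) session on Windows and a hypothetical file path in `$Target`; the `auditpol` subcategory name, the `FileSystemAuditRule` constructor and the 4663 event fields are standard Windows/.NET, everything else is illustrative.

```powershell
# Added example, not code from the answer above. Assumes an elevated PowerShell (5.1+)
# session on Windows and a hypothetical file to watch; change $Target as needed.
param(
    [string]$Target = 'C:\Temp\watched.txt'   # hypothetical path, create it first
)

# 1. Enable the "File System" object-access subcategory. Without this, audit
#    entries (SACLs) on individual files generate no events at all.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Put a SACL entry on the file: log successful writes, appends and deletes
#    by any principal. Writing a SACL needs SeSecurityPrivilege (run as admin).
$acl  = Get-Acl -Path $Target -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# 3. Read back event 4663 ("An attempt was made to access an object") from the
#    Security log. Its EventData carries ProcessId and ProcessName for the
#    process that used the handle, plus the account it ran under.
function Get-FileAccessEvents {
    param(
        [string]$Path,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d['ObjectName'] -eq $Path) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                ProcessId   = [int]$d['ProcessId']   # logged as hex text, e.g. 0x1a2c
                ProcessName = $d['ProcessName']      # full image path of the writer
                AccessMask  = $d['AccessMask']
            }
        }
    }
}

Get-FileAccessEvents -Path $Target | Format-Table -AutoSize
```

Two caveats worth knowing before relying on this: the image path in `ProcessName` is captured when the handle is used, so it survives even if the writing process has exited by the time you query the log, and on a busy host the Security log fills quickly once file-system auditing is on, so scope the SACL to the files you actually care about rather than a whole tree.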


While it may be possible to find out the process that changes a file using kernel drivers (for example, process monitor), there will always be a problem identifying the process in case the folder is shared on the network, and a process on another computer modifies the file over the network. Even the kernel drivers would in this case identify the network share process as the one accessing the file, not the process on the other computer.


I can't seem to comment yet. I would be interested in your Python code that creates a security audit on files or paths. It's a bit of a shame if it messes with the system security event log, but you can't have everything! :-)

Up until this point, I have been using GetForegroundWindow at the time of the change to eventually get the associated process. It only works well for changes initiated by the user, but that is primarily what I've been interested in. Besides background processes, the only minor issue is that sometimes a process is spawned just to accomplish a task (like a batch file) and it is non-existent by the time you want to learn more about it (like what process spawned it). I imagine that is a problem even with a security audit, though.

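The foreground-window heuristic described in the comment above, as an added example that is not the commenter's code. It assumes Windows PowerShell, a hypothetical directory in `$Dir`, and the documented `user32.dll` exports `GetForegroundWindow` and `GetWindowThreadProcessId`; it also handles the case the comment raises, where the process has already exited by the time it is looked up.

```powershell
# Added example, not the commenter's code. Assumes Windows PowerShell and a
# hypothetical directory $Dir. It pairs each FileSystemWatcher event with the
# process owning the foreground window at that instant, which is only a
# heuristic for user-driven changes; background writers will be misattributed.
param([string]$Dir = 'C:\Temp')   # hypothetical directory to watch

Add-Type -Namespace Win32 -Name NativeMethods -MemberDefinition @'
[DllImport("user32.dll")]
public static extern IntPtr GetForegroundWindow();
[DllImport("user32.dll")]
public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint processId);
'@

$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $Dir
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite'

$onChange = {
    $e = $Event.SourceEventArgs
    # Resolve the foreground window to a PID immediately: a short-lived helper
    # (a batch file, for instance) may be gone a moment later.
    $hwnd   = [Win32.NativeMethods]::GetForegroundWindow()
    $procId = [uint32]0
    [void][Win32.NativeMethods]::GetWindowThreadProcessId($hwnd, [ref]$procId)
    $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
    $who  = if ($proc) { "$($proc.ProcessName) (PID $procId)" } else { "PID $procId (already exited)" }
    Write-Host ('{0:HH:mm:ss} {1,-8} {2}  foreground: {3}' -f (Get-Date), $e.ChangeType, $e.FullPath, $who)
}

$events = 'Changed', 'Created', 'Deleted', 'Renamed'
foreach ($name in $events) {
    Register-ObjectEvent -InputObject $watcher -EventName $name -SourceIdentifier "Fs$name" -Action $onChange | Out-Null
}
$watcher.EnableRaisingEvents = $true

Write-Host "Watching $Dir. Press Ctrl+C to stop."
try { while ($true) { Start-Sleep -Seconds 1 } }
finally {
    $watcher.EnableRaisingEvents = $false
    foreach ($name in $events) { Unregister-Event -SourceIdentifier "Fs$name" }
    $watcher.Dispose()
}
```

The PID is resolved inside the event action rather than later because that is the only moment the foreground window is meaningful for the change; if `Get-Process` returns nothing, the output still records the PID so it can be correlated with other sources such as the Security log.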
