An advanced question

There is a thing that has been bugging me. Actually, there is a virus on my computer. Well, I tried everything to get rid of it, but it seems there is a parent process creating and modifying new files and registry entries every time I try to delete the keys or the files.

So all I wanted to ask was: how can I monitor Windows so that I am informed about which process is trying to create a new process or a new file, via C++? I mean which API or whatever?

I already understand that this is gonna be a hell of a difficult job, but I want to know anyway. So please let the suggestions flow. And thanks in advance :D
Look for the Windows SDK sample called ChangeNotifyWatcher. It uses the API SHChangeNotifyRegister() to get file system change notifications.
If there is a "parent" program watching for when you close the application, it's probably running as a service. If you end up wanting to do this somewhere between the hard way and "WTF did I get myself into?!!!!", then pull up a command line, type
sc query > services.txt
then press Enter. When it finishes, type
services.txt
then Enter, press Ctrl+F in Notepad or whatever, and search for the name of the undesired application. This will generally (but not always) lead you to the service that is hosting it.

There's also SysInternals, which I recommend for any Windows user for a hundred reasons: http://technet.microsoft.com/en-us/sysinternals/default
Have you tried installing anti-virus software?

These days you cannot manually remove them, they're way too evolved.
@ kbw: I have to respectfully disagree with you there. The last virus I couldn't remove wasn't "too advanced"; it had corrupted the boot loader. I agree that the OP is going about this in a very painful manner, but I actually did the same kind of thing when I was younger. It's how I believe I learned the most about Windows.
@webjose: Sorry, I've got Win XP. It says Win Vista minimum.
@ComputerGeek01 I'm on it.

Also, I'm not quite getting what I wanted (you tried, webJose). I just want to know which app is creating which file and which app is creating a new process, and I WANT TO PROGRAM IT MYSELF.
Thanks in advance
FindFirstChangeNotification(). Read more @ http://msdn.microsoft.com/en-us/library/aa364417(VS.85).aspx .
Sorry, already tried it. It does notify of new changes in the file system but doesn't report which process caused them.
The problem with your request is that Windows doesn't actually record which applications made which changes to a file; it doesn't actually care, since permission/authentication is done by security token, not by a list of allowed processes (this changes in a few VERY specific instances with certain critical files, but not until Windows Vista). So you have to do some creative programming. I don't see it yet because I just learned of the function myself, but I think webJose gave you a good starting point.

There is a Microsoft library called Detours that can re-route Windows API calls. If you can re-route CreateFile() for example, you could log the calling process.

The library can be freely downloaded up to version 2.1 (http://research.microsoft.com/en-us/projects/detours/).
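A hook DLL of the kind this post describes, added here as an example (it is not code from the thread or from Detours itself); it assumes Microsoft Detours (detours.h and detours.lib) and that the DLL is loaded into the process whose file creation you want to see. The Win32-only part sits under #ifdef _WIN32; the disposition check is portable.

```cpp
#include <cstdio>
#ifdef _WIN32
#include <windows.h>
#include <detours.h>   // Microsoft Detours; link against detours.lib
#endif

// Portable part: CreateFile dispositions that may create a new file.
// Values are the Win32 constants CREATE_NEW=1, CREATE_ALWAYS=2, OPEN_ALWAYS=4;
// OPEN_EXISTING=3 and TRUNCATE_EXISTING=5 never create one.
bool isCreateDisposition(unsigned long disposition) {
    return disposition == 1 || disposition == 2 || disposition == 4;
}

#ifdef _WIN32
// Pointer to the genuine CreateFileW; Detours repoints it at a trampoline.
static HANDLE (WINAPI *RealCreateFileW)(LPCWSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES,
                                        DWORD, DWORD, HANDLE) = CreateFileW;
static wchar_t g_image[MAX_PATH];   // image name of the process we are loaded in

// Replacement: log who is creating what, then hand the call to the real API.
HANDLE WINAPI HookedCreateFileW(LPCWSTR name, DWORD access, DWORD share,
                                LPSECURITY_ATTRIBUTES sa, DWORD disposition,
                                DWORD flags, HANDLE tmpl) {
    if (isCreateDisposition(disposition)) {
        // Keep the hook body minimal: a single stderr write, no further CreateFileW.
        fwprintf(stderr, L"pid=%lu image=%s creates %s\n",
                 GetCurrentProcessId(), g_image, name);
    }
    return RealCreateFileW(name, access, share, sa, disposition, flags, tmpl);
}

// DLL entry point: attach the detour on load, detach it on unload.
BOOL WINAPI DllMain(HINSTANCE, DWORD reason, LPVOID) {
    if (reason == DLL_PROCESS_ATTACH) {
        GetModuleFileNameW(NULL, g_image, MAX_PATH);
        DetourRestoreAfterWith();
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)RealCreateFileW, HookedCreateFileW);
        DetourTransactionCommit();
    } else if (reason == DLL_PROCESS_DETACH) {
        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)RealCreateFileW, HookedCreateFileW);
        DetourTransactionCommit();
    }
    return TRUE;
}
#endif
```

Anything the hook body does that re-enters CreateFileW is hooked again, so the logging deliberately stays a single stderr write.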
Thanks!!
Hi
The system has its own tool for watching what files are created or accessed, just like a log file for this kind of thing... now I DO NOT remember its name, but it is there :-) I was using it a bit myself... Just to give you a tip...