Running Application Audit
-
I have a mystery application running on a Windows 2000 Pro server. I know it is getting data from a remote source somewhere and putting it somewhere local. I also know it is critical, cannot be stopped, or data will be lost. I am looking for minimal impact ways of seeing what this process is doing, where it is connecting, etc. I would like to install Wireshark on the system and just watch the network traffic, but that may be a little too intrusive. Working in a live manufacturing environment, so downtime is a no-no. Any ideas?
-
@s.hackleman said in Running Application Audit:
I have a mystery application running on a Windows 2000 Pro server. I know it is getting data from a remote source somewhere and putting it somewhere local. I also know it is critical, cannot be stopped, or data will be lost. I am looking for minimal impact ways of seeing what this process is doing, where it is connecting, etc. I would like to install Wireshark on the system and just watch the network traffic, but that may be a little too intrusive. Working in a live manufacturing environment, so downtime is a no-no. Any ideas?
IIRC even the older versions of Wireshark / Ethereal do not require a reboot when installing the WinPCAP drivers.
Perhaps using something like Process Monitor from Sysinternals would help?
Link to older copy of Procmon for Server 2000-ish... http://web.archive.org/web/20100201154222/http://download.sysinternals.com/Files/ProcessMonitor.zip
Edit: It may require Windows 2000 SP4.
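Once Procmon has captured a few minutes of activity, the practical question is how to turn thousands of events into the two answers the original post wants: which remote endpoints the process talks to and which local paths it writes. The script below is an added example, not something from this thread or from Sysinternals. It assumes the default column layout of a Procmon CSV export ("Time of Day", "Process Name", "PID", "Operation", "Path", "Result", "Detail") and the way Procmon renders socket paths as "local:port -> remote:port"; the sample rows, the process name collector.exe and the addresses in them are constructed for illustration.

```python
import csv
import io
import ntpath
from collections import Counter

# Constructed sample of a Procmon CSV export (File > Save, CSV format).
# The column names are assumed to match Procmon's default export layout;
# the process name, paths and addresses are made up for this example.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234","collector.exe","1480","TCP Connect","WS2K-01:1054 -> 10.10.20.5:502","SUCCESS","Length: 0"
"10:01:02.2000","collector.exe","1480","TCP Receive","WS2K-01:1054 -> 10.10.20.5:502","SUCCESS","Length: 260"
"10:01:02.2100","collector.exe","1480","WriteFile","C:\\Data\\incoming\\line1_20100201.dat","SUCCESS","Offset: 0, Length: 260"
"10:01:02.2200","collector.exe","1480","RegQueryValue","HKLM\\SOFTWARE\\Vendor\\Collector\\Server","SUCCESS","Type: REG_SZ"
"10:01:03.0000","collector.exe","1480","TCP Receive","WS2K-01:1055 -> 10.10.20.6:502","SUCCESS","Length: 260"
"10:01:03.0100","collector.exe","1480","WriteFile","C:\\Data\\incoming\\line2_20100201.dat","SUCCESS","Offset: 0, Length: 260"
"10:01:03.0200","collector.exe","1480","WriteFile","C:\\Data\\incoming\\line1_20100201.dat","SUCCESS","Offset: 260, Length: 260"
"10:01:04.0000","svchost.exe","820","WriteFile","C:\\WINNT\\system32\\config\\software.LOG","SUCCESS","Offset: 0, Length: 4096"
"""

# Procmon prefixes network events with the transport protocol.
NETWORK_PREFIXES = ("TCP ", "UDP ")


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize(rows, process_name):
    """Aggregate, for one process, where it connects, what it writes and
    which registry keys it consults (the latter often reveal its config)."""
    remote_endpoints = Counter()
    write_dirs = Counter()
    write_files = Counter()
    registry_keys = set()
    for row in rows:
        if row["Process Name"].lower() != process_name.lower():
            continue
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op.startswith(NETWORK_PREFIXES):
            # Socket paths are rendered as "local:port -> remote:port";
            # keep only the remote side.
            if " -> " in path:
                remote_endpoints[path.split(" -> ", 1)[1]] += 1
        elif op == "WriteFile" or (op == "CreateFile" and "Generic Write" in detail):
            write_files[path] += 1
            write_dirs[ntpath.dirname(path)] += 1
        elif op.startswith("Reg"):
            registry_keys.add(path)
    return {
        "remote_endpoints": remote_endpoints,
        "write_dirs": write_dirs,
        "write_files": write_files,
        "registry_keys": registry_keys,
    }


def report(summary):
    """Render the summary as plain text, most frequent entries first."""
    lines = ["Remote endpoints:"]
    lines += [f"  {ep}  ({n} events)" for ep, n in summary["remote_endpoints"].most_common()]
    lines.append("Directories written:")
    lines += [f"  {d}  ({n} writes)" for d, n in summary["write_dirs"].most_common()]
    lines.append("Registry keys consulted:")
    lines += [f"  {k}" for k in sorted(summary["registry_keys"])]
    return "\n".join(lines)


if __name__ == "__main__":
    rows = parse_procmon_csv(SAMPLE_CSV)
    print(report(summarize(rows, "collector.exe")))
```

Run it against a real export by replacing SAMPLE_CSV with the file contents and the process name with the one you are investigating; the registry keys it touches are worth reading, because a collector like this usually stores its server address and output folder there, which answers the "where from" and "where to" questions without touching the running process.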
-
If the system has files being written you could use something like jDiskReport and see where the files are being written.
It's not a live report, but you could compare reports after running it a few times and see if you can find where the files are getting written to.
-
@dafyre This did it, the old version of Procmon was perfect.