FileActivityWatch is a free, lightweight, and portable utility developed by NirSoft that displays all read, write, and delete operations made by applications running on your Windows system. Unlike built-in tools that only show currently locked files, FileActivityWatch logs system-wide file modifications in real time, matching each operation to the responsible process name and ID.

How to Use FileActivityWatch to Monitor File Modifications
To track down which application is editing, creating, or deleting your files, follow these steps:
Download and Run the Tool: Download the utility directly from the official NirSoft FileActivityWatch page. Because it is portable, you do not need to install it; simply extract the ZIP file and run FileActivityWatch.exe as an Administrator to grant it permission to capture global system events.
Configure Your Event Captures: As soon as it launches, the tool begins logging all global file movements. If you are only interested in specific actions (such as file modifications), go to the Options menu on the top toolbar and check or uncheck your preferred filters:
Capture Write Events: Keep this enabled to see file edits, updates, and creations.
Capture Delete Events: Keep this enabled if files are vanishing and you need to find out why.
Capture Read Events: Uncheck this if the log is moving too quickly, as apps read thousands of system files per minute.
Enable Color Coding for Easy Scanning: Navigate to Options and click Mark Files With Active Read/Write. This highlights active file rows in real time using specific colors:
🟨 Yellow: Active Write operation (the file is being modified or created).
🟦 Blue: Active Delete operation (the file was just deleted).
🟩 Green: Active Read operation.
Identify the Culprit Process: Once you notice your target file pop up in the log, look across its row to find the following key columns:
Filename: The full path of the file being touched.
Process Name: The exact executable (e.g., notepad.exe, malware.exe) responsible.
Process ID (PID): The unique system ID number assigned to that running application.
Process Path: The directory folder where that specific executable lives, which helps verify if it is a legitimate program or a hidden virus.
Write Count: How many times that specific application has modified the file since logging started.
Filter and Search the Log: If the display is overwhelming, press Ctrl + F to open the search bar and type a portion of your file’s name. You can also hit Ctrl + X at any point to wipe the current list clean and start fresh, making it easier to catch a modification that you trigger manually right after.
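
To follow up on the Process ID and Process Path columns from the Identify the Culprit Process step, the PowerShell below takes a PID from the log and reports the executable's Authenticode signature status, SHA-256 hash, parent process, and whether it runs from a user-writable folder. It is an added example, not part of NirSoft's tool or the original article; the function name Get-ProcessTrustReport, its parameters, and the folder list are assumptions made for illustration.

```powershell
# Added example (not NirSoft code). Run from an elevated PowerShell prompt.
# -TargetPid:    value from the "Process ID" column (defaults to this session for a dry run)
# -ExpectedPath: value from the "Process Path" column, used to detect PID reuse
param([int]$TargetPid = $PID, [string]$ExpectedPath)

function Get-ProcessTrustReport {   # hypothetical helper name
    param([Parameter(Mandatory)][int]$ProcessId, [string]$ExpectedPath)

    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $proc) { throw "PID $ProcessId is no longer running; rely on the logged Process Path." }

    $path = $proc.ExecutablePath
    if (-not $path) { throw "Executable path not visible for PID $ProcessId (try an elevated prompt)." }

    # Windows reuses PIDs, so confirm this is still the process the log recorded.
    $pidReused = $ExpectedPath -and ($path -ne $ExpectedPath)

    $sig    = Get-AuthenticodeSignature -FilePath $path
    $hash   = Get-FileHash -Path $path -Algorithm SHA256
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"

    # Folders any user can write to without elevation (assumed list, extend as needed).
    $userDirs  = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads") |
                 Where-Object { $_ }
    $inUserDir = [bool]($userDirs | Where-Object {
                     $path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })

    [pscustomobject]@{
        ProcessId        = $ProcessId
        Name             = $proc.Name
        Path             = $path
        PidReused        = [bool]$pidReused
        CommandLine      = $proc.CommandLine
        Parent           = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { 'exited' }
        SignatureStatus  = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
        Signer           = $sig.SignerCertificate.Subject   # empty when unsigned
        SHA256           = $hash.Hash
        FromUserWritable = $inUserDir
    }
}

Get-ProcessTrustReport -ProcessId $TargetPid -ExpectedPath $ExpectedPath | Format-List
```

An unsigned binary or one running from a user-writable folder is a reason to look closer, not proof of malware; the SHA-256 value gives you a stable identifier to check against your own allowlist or a reputation service.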