"Time of Day","Process Name","PID","Operation","Path","Result","Detail" ... 8.out.exe process is executing. It is reading its own image out of 8.out.exe file: "8:07:40.6792445 PM","8.out.exe","5716","ReadFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Offset: 747,520, Length: 8,192, I/O Flags: Non-cached, Paging I/O, Priority: Normal" "8:07:40.6792532 PM","8.out.exe","5716","ReadFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Offset: 956,928, Length: 1,536, I/O Flags: Non-cached, Paging I/O, Priority: Normal" "8:07:40.6792624 PM","8.out.exe","5716","ReadFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Offset: 968,192, Length: 1,024, I/O Flags: Non-cached, Paging I/O, Priority: Normal" "8:07:40.6853374 PM","8.out.exe","5716","CloseFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","" Now svchost.exe (Windows) opens 8.out.exe file. I don't know why, maybe to index its contents, maybe to check for viruses. I don't know: "8:07:40.6974205 PM","svchost.exe","4520","CreateFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: No Buffering, Synchronous IO Non-Alert, Open For Backup, Open No Recall, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" "8:07:40.6974443 PM","svchost.exe","4520","QueryInformationVolume","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","VolumeCreationTime: 2/13/2009 8:55:04 AM, VolumeSerialNumber: 74F2-6BDE, SupportsObjects: True, VolumeLabel: " "8:07:40.6974517 PM","svchost.exe","4520","QueryAllInformationFile","C:\MinGW\go\doc\progs\8.out.exe","BUFFER OVERFLOW","CreationTime: 7/6/2011 8:07:40 PM, LastAccessTime: 7/6/2011 8:07:40 PM, LastWriteTime: 7/6/2011 8:07:40 PM, ChangeTime: 7/6/2011 8:07:40 PM, FileAttributes: A, AllocationSize: 970,752, EndOfFile: 969,728, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x2500000003ed60, EaSize: 0, Access: Read Attributes, Synchronize, Position: 0, Mode: No Buffering, 
Synchronous IO Non-Alert, AlignmentRequirement: Word" "8:07:40.6974590 PM","svchost.exe","4520","QueryInformationVolume","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","VolumeCreationTime: 2/13/2009 8:55:04 AM, VolumeSerialNumber: 74F2-6BDE, SupportsObjects: True, VolumeLabel: " "8:07:40.6974641 PM","svchost.exe","4520","QueryAllInformationFile","C:\MinGW\go\doc\progs\8.out.exe","BUFFER OVERFLOW","CreationTime: 7/6/2011 8:07:40 PM, LastAccessTime: 7/6/2011 8:07:40 PM, LastWriteTime: 7/6/2011 8:07:40 PM, ChangeTime: 7/6/2011 8:07:40 PM, FileAttributes: A, AllocationSize: 970,752, EndOfFile: 969,728, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x2500000003ed60, EaSize: 0, Access: Read Attributes, Synchronize, Position: 0, Mode: No Buffering, Synchronous IO Non-Alert, AlignmentRequirement: Word" "8:07:40.6974711 PM","svchost.exe","4520","CloseFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","" "8:07:40.6975618 PM","svchost.exe","4520","CreateFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: No Buffering, Synchronous IO Non-Alert, Open For Backup, Open No Recall, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" "8:07:40.6975827 PM","svchost.exe","4520","QueryInformationVolume","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","VolumeCreationTime: 2/13/2009 8:55:04 AM, VolumeSerialNumber: 74F2-6BDE, SupportsObjects: True, VolumeLabel: " "8:07:40.6975896 PM","svchost.exe","4520","QueryAllInformationFile","C:\MinGW\go\doc\progs\8.out.exe","BUFFER OVERFLOW","CreationTime: 7/6/2011 8:07:40 PM, LastAccessTime: 7/6/2011 8:07:40 PM, LastWriteTime: 7/6/2011 8:07:40 PM, ChangeTime: 7/6/2011 8:07:40 PM, FileAttributes: A, AllocationSize: 970,752, EndOfFile: 969,728, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x2500000003ed60, EaSize: 0, Access: Read Attributes, Synchronize, Position: 0, Mode: No Buffering, Synchronous 
IO Non-Alert, AlignmentRequirement: Word" "8:07:40.6975969 PM","svchost.exe","4520","QueryInformationVolume","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","VolumeCreationTime: 2/13/2009 8:55:04 AM, VolumeSerialNumber: 74F2-6BDE, SupportsObjects: True, VolumeLabel: " "8:07:40.6976017 PM","svchost.exe","4520","QueryAllInformationFile","C:\MinGW\go\doc\progs\8.out.exe","BUFFER OVERFLOW","CreationTime: 7/6/2011 8:07:40 PM, LastAccessTime: 7/6/2011 8:07:40 PM, LastWriteTime: 7/6/2011 8:07:40 PM, ChangeTime: 7/6/2011 8:07:40 PM, FileAttributes: A, AllocationSize: 970,752, EndOfFile: 969,728, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x2500000003ed60, EaSize: 0, Access: Read Attributes, Synchronize, Position: 0, Mode: No Buffering, Synchronous IO Non-Alert, AlignmentRequirement: Word" "8:07:40.6976079 PM","svchost.exe","4520","CloseFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","" "8:07:40.6977001 PM","svchost.exe","4520","CreateFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: No Buffering, Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" "8:07:40.6977236 PM","svchost.exe","4520","QueryInformationVolume","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","VolumeCreationTime: 2/13/2009 8:55:04 AM, VolumeSerialNumber: 74F2-6BDE, SupportsObjects: True, VolumeLabel: " "8:07:40.6977302 PM","svchost.exe","4520","QueryAllInformationFile","C:\MinGW\go\doc\progs\8.out.exe","BUFFER OVERFLOW","CreationTime: 7/6/2011 8:07:40 PM, LastAccessTime: 7/6/2011 8:07:40 PM, LastWriteTime: 7/6/2011 8:07:40 PM, ChangeTime: 7/6/2011 8:07:40 PM, FileAttributes: A, AllocationSize: 970,752, EndOfFile: 969,728, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x2500000003ed60, EaSize: 0, Access: Read Attributes, Synchronize, Position: 0, Mode: No Buffering, Synchronous IO Non-Alert, 
AlignmentRequirement: Word" "8:07:40.6977382 PM","svchost.exe","4520","CloseFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","" "8:07:40.6978323 PM","svchost.exe","4520","CreateFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: No Buffering, Synchronous IO Non-Alert, Open For Backup, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" "8:07:40.6978531 PM","svchost.exe","4520","FileSystemControl","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Control: FSCTL_READ_FILE_USN_DATA" "8:07:40.6978626 PM","svchost.exe","4520","CloseFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","" "8:07:40.6980050 PM","svchost.exe","4520","CreateFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open For Backup, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" "8:07:40.6980215 PM","svchost.exe","4520","QueryNetworkOpenInformationFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","CreationTime: 7/6/2011 8:07:40 PM, LastAccessTime: 7/6/2011 8:07:40 PM, LastWriteTime: 7/6/2011 8:07:40 PM, ChangeTime: 7/6/2011 8:07:40 PM, AllocationSize: 1/1/1601 10:00:00 AM, EndOfFile: 1/1/1601 10:00:00 AM, FileAttributes: A" "8:07:40.6980259 PM","svchost.exe","4520","CloseFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","" "8:07:40.6982055 PM","8.out.exe","5716","QueryNameInformationFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Name: \MinGW\go\doc\progs\8.out.exe" "8:07:40.6988002 PM","svchost.exe","4520","CreateFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Open For Backup, Open No Recall, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" "8:07:40.6988456 PM","svchost.exe","4520","FileSystemControl","C:\MinGW\go\doc\progs\8.out.exe","OPLOCK NOT 
GRANTED","Control: FSCTL_REQUEST_FILTER_OPLOCK" "8:07:40.6988544 PM","svchost.exe","4520","FileSystemControl","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Control: FSCTL_REQUEST_OPLOCK_LEVEL_2" "8:07:40.6988614 PM","svchost.exe","4520","CloseFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","" "8:07:40.6989594 PM","svchost.exe","4520","CreateFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Random Access, Open No Recall, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" "8:07:40.6989832 PM","svchost.exe","4520","QueryBasicInformationFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","CreationTime: 7/6/2011 8:07:40 PM, LastAccessTime: 7/6/2011 8:07:40 PM, LastWriteTime: 7/6/2011 8:07:40 PM, ChangeTime: 7/6/2011 8:07:40 PM, FileAttributes: A" "8:07:40.6989876 PM","svchost.exe","4520","QueryStandardInformationFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","AllocationSize: 970,752, EndOfFile: 969,728, NumberOfLinks: 1, DeletePending: False, Directory: False" "8:07:40.6989960 PM","svchost.exe","4520","ReadFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Offset: 0, Length: 4,096, Priority: Very Low" "8:07:40.6991560 PM","svchost.exe","4520","ReadFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Offset: 53,248, Length: 4,096, Priority: Very Low" "8:07:40.6991805 PM","svchost.exe","4520","ReadFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Offset: 966,656, Length: 3,072, Priority: Very Low" "8:07:40.6992178 PM","svchost.exe","4520","ReadFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Offset: 712,704, Length: 4,096, Priority: Very Low" "8:07:40.6992409 PM","svchost.exe","4520","ReadFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Offset: 716,800, Length: 4,096, Priority: Very Low" "8:07:40.6992679 PM","svchost.exe","4520","ReadFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Offset: 4,096, Length: 4,096, Priority: 
Very Low" "8:07:40.6992884 PM","svchost.exe","4520","ReadFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Offset: 49,152, Length: 4,096, Priority: Very Low" ... "8:07:40.7263195 PM","svchost.exe","4520","ReadFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Offset: 372,736, Length: 8,192, Priority: Very Low" "8:07:40.7265621 PM","svchost.exe","4520","ReadFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Offset: 180,224, Length: 4,096, Priority: Very Low" svchost.exe is still reading 8.out.exe, but now 8l.exe going to reuse it again. 8l.exe deleting 8.out.exe file first: "8:07:40.7280194 PM","8l.exe","4472","CreateFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Desired Access: Read Attributes, Delete, Disposition: Open, Options: Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" "8:07:40.7280940 PM","8l.exe","4472","CreateFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Complete If Oplocked, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened" "8:07:40.7281153 PM","8l.exe","4472","QueryFileInternalInformationFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","IndexNumber: 0x2500000003ed60" "8:07:40.7281233 PM","8l.exe","4472","CloseFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","" "8:07:40.7281603 PM","8l.exe","4472","QueryAttributeTagFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Attributes: A, ReparseTag: 0x0" "8:07:40.7281687 PM","8l.exe","4472","SetDispositionInformationFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Delete: True" "8:07:40.7282364 PM","8l.exe","4472","CloseFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","" 8l.exe deletes 8.out.exe file by opening it with CreateFile API with FILE_FLAG_DELETE_ON_CLOSE flag followed by CloseHandle. 
This does not delete file immediately, because it is still used by svchost.exe, but Windows schedules to delete the file as soon as possible. 8l.exe, thinking that it has deleted file (it was given SUCCESS), now trying to create file again: "8:07:40.7283337 PM","8l.exe","4472","CreateFile","C:\MinGW\go\doc\progs\8.out.exe","DELETE PENDING","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 0" "8:07:40.7284058 PM","8l.exe","4472","CreateFile","C:\MinGW\go\doc\progs\8.out.exe","DELETE PENDING","Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Complete If Oplocked, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a" It fails with "DELETE PENDING", because svchost.exe is still fiddling with our file: "8:07:40.7314335 PM","svchost.exe","4520","ReadFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Offset: 184,320, Length: 4,096, Priority: Very Low" "8:07:40.7326229 PM","svchost.exe","4520","ReadFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Offset: 188,416, Length: 8,192, Priority: Very Low" "8:07:40.7350126 PM","svchost.exe","4520","ReadFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Offset: 409,600, Length: 16,384, Priority: Very Low" ...
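
An added example, not part of the original trace or commentary: Python that scans a Process Monitor CSV export for the sequence walked through above and reports, for each CreateFile that returned DELETE PENDING, which process marked the file for deletion and which other process still held it open. The SAMPLE rows are condensed from the trace on this page with the Detail column shortened; the function name find_delete_pending and the handle-counting heuristic are assumptions of this example.

```python
import csv
import io
from collections import Counter

# Condensed from the trace on this page (Detail column shortened).
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:07:40.6989594 PM","svchost.exe","4520","CreateFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Desired Access: Generic Read"
"8:07:40.6989960 PM","svchost.exe","4520","ReadFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Offset: 0, Length: 4,096"
"8:07:40.7280194 PM","8l.exe","4472","CreateFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Desired Access: Read Attributes, Delete"
"8:07:40.7280940 PM","8l.exe","4472","CreateFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Desired Access: Read Attributes, Synchronize"
"8:07:40.7281233 PM","8l.exe","4472","CloseFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS",""
"8:07:40.7281687 PM","8l.exe","4472","SetDispositionInformationFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Delete: True"
"8:07:40.7282364 PM","8l.exe","4472","CloseFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS",""
"8:07:40.7283337 PM","8l.exe","4472","CreateFile","C:\MinGW\go\doc\progs\8.out.exe","DELETE PENDING","Disposition: OverwriteIf"
"8:07:40.7284058 PM","8l.exe","4472","CreateFile","C:\MinGW\go\doc\progs\8.out.exe","DELETE PENDING","Disposition: Open"
"8:07:40.7314335 PM","svchost.exe","4520","ReadFile","C:\MinGW\go\doc\progs\8.out.exe","SUCCESS","Offset: 184,320, Length: 4,096"
'''

def find_delete_pending(csv_text):
    """Return one finding per CreateFile that failed with DELETE PENDING."""
    open_handles = Counter()  # (process, pid, path) -> opens minus closes seen so far
    deleter = {}              # path -> (process, pid) that set Delete: True
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        proc = (row["Process Name"], row["PID"])
        path, op, result = row["Path"], row["Operation"], row["Result"]
        key = proc + (path,)
        if op == "CreateFile" and result == "SUCCESS":
            open_handles[key] += 1
        elif op == "CloseFile" and open_handles[key] > 0:
            open_handles[key] -= 1   # Procmon rows carry no handle id, so just count
        elif op == "SetDispositionInformationFile" and "Delete: True" in row["Detail"]:
            deleter[path] = proc
        elif op == "CreateFile" and result == "DELETE PENDING":
            # Any other process with an unclosed open keeps the deleted file alive.
            holders = sorted({k[:2] for k, n in open_handles.items()
                              if n > 0 and k[2] == path and k[:2] != proc})
            findings.append({"time": row["Time of Day"], "requester": proc,
                             "path": path, "deleted_by": deleter.get(path),
                             "held_open_by": holders})
    return findings

if __name__ == "__main__":
    for finding in find_delete_pending(SAMPLE):
        print(finding)
```

The holder list only reflects opens that appear in the capture; a handle opened before the capture started or excluded by a Procmon filter will not be counted.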