Don't know what procedures are in "C: \ Users \ Public \ Desktop" create a shortcut "free novels", a day after deletion will be recreated.
Now I want to watch this file is created which program, have what way?

CodePudding user response:

This method also can not find, you might as well open the task manager, see if there are any more strange process in details, don't know just right-click to open the file location, should spend much time to find those malicious software,

CodePudding user response:

Using FileMon software
Call API ReadDirectoryChangesW
.

CodePudding user response:

Now belong to the Microsoft Sysinternal components in the Procmon. Exe program can, Patn set to ends with contents is. LNK, and two Operation for CreateFile filtering rules; The Filter dropdown menu to select the Drop Filtered Events,