Whatfiles is a Linux utility that logs what files another program reads/writes/creates/deletes on your system. It traces any new processes and threads that are created by the targeted process as well.
I’ve long been frustrated at the lack of a simple utility to see which files a process touches from main()
to exit. Whether you don’t trust a software vendor or are concerned about malware, it’s important to be able to know what a program or installer does to your system. lsof
only observes a moment in time and strace
is large and somewhat complicated.
mode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-clone-tool, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-heal-tool, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-perspective-clone-tool, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-convolve-tool, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-smudge-tool, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-dodge-burn-tool, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /home/theron/.gimp-2.8/tool-options/gimp-desaturate-tool, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /home/theron/.gimp-2.8/plug-ins, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /usr/lib/gimp/2.0/plug-ins, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /home/theron/.gimp-2.8/pluginrc, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /usr/share/locale/en_US/LC_MESSAGES/gimp20-std-plug-ins.mo, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /usr/lib/gimp/2.0/plug-ins/script-fu, syscall: openat(), PID: 8566, process: gimp
mode: read, file: /etc/ld.so.cache, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode: read, file: /etc/ld.so.cache, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode: read, file: /usr/lib/libgimpui-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode: read, file: /usr/lib/libgimpwidgets-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode: read, file: /usr/lib/libgimpwidgets-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode: read, file: /usr/lib/libgimp-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
mode: read, file: /usr/lib/libgimpcolor-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu
Use
ls
and writes output to a log file in the current directory:$ whatfiles ls -lah ~/Documents
-o
:$ whatfiles -o MyLogFile cd ..
$ whatfiles -d -s apt install zoom
$ sudo whatfiles -p 1234
Compilation (requires gcc
and make
)
$ cd whatfiles
$ make
$ sudo make install
Pingora is a cutting-edge Rust framework designed to build fast, reliable, and programmable networked systems.…
DockerSpy is a powerful tool designed to perform Open Source Intelligence (OSINT) on Docker Hub,…
Anki is a powerful, open-source flashcard software designed to enhance learning and memory retention through…
Rolldown is an innovative JavaScript/TypeScript bundler written in Rust, designed to revolutionize the development workflow…
Invoke-ArgFuscator is an open-source, cross-platform PowerShell module designed to obfuscate command-line arguments for system-native executables.…
Morgan is an advanced JavaScript security analyzer designed to detect and mitigate sensitive data exposure…