{"id":13437750,"url":"https://github.com/spieglt/whatfiles","last_synced_at":"2025-05-16T18:06:12.211Z","repository":{"id":49587345,"uuid":"270444525","full_name":"spieglt/whatfiles","owner":"spieglt","description":"Log what files are accessed by any Linux process","archived":false,"fork":false,"pushed_at":"2025-05-13T02:38:37.000Z","size":57,"stargazers_count":943,"open_issues_count":0,"forks_count":32,"subscribers_count":14,"default_branch":"master","last_synced_at":"2025-05-16T18:05:34.890Z","etag":null,"topics":["digital-forensics","filesystem-events","linux-utilities"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/spieglt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-06-07T22:01:47.000Z","updated_at":"2025-04-27T07:20:33.000Z","dependencies_parsed_at":"2024-10-27T21:26:07.951Z","dependency_job_id":"32988c40-f646-4398-9aeb-b7c2f5b57fd4","html_url":"https://github.com/spieglt/whatfiles","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spieglt%2Fwhatfiles","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spieglt%2Fwhatfiles/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spieglt%2Fwhatfiles/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/spieglt%2Fwhatfiles/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/spieglt","download_url":"https://codeload.github.com/spieglt/whatfiles/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254582904,"owners_count":22095518,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["digital-forensics","filesystem-events","linux-utilities"],"created_at":"2024-07-31T03:00:59.966Z","updated_at":"2025-05-16T18:06:12.183Z","avatar_url":"https://github.com/spieglt.png","language":"C","funding_links":[],"categories":["C","\u003ca name=\"debug\"\u003e\u003c/a\u003edebug"],"sub_categories":[],"readme":"# whatfiles\nWhatfiles is a Linux utility that logs what files another program reads/writes/creates/deletes on your system. It traces any new processes and threads that are created by the targeted process as well.\n\n## Rationale:\nI've long been frustrated at the lack of a simple utility to see which files a process touches from `main()` to exit. Whether you don't trust a software vendor or are concerned about malware, it's important to be able to know what a program or installer does to your system. `lsof` only observes a moment in time and `strace` is large and somewhat complicated.\n\n## Sample output:\n```\nmode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-clone-tool, syscall: openat(), PID: 8566, process: gimp\nmode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-heal-tool, syscall: openat(), PID: 8566, process: gimp\nmode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-perspective-clone-tool, syscall: openat(), PID: 8566, process: gimp\nmode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-convolve-tool, syscall: openat(), PID: 8566, process: gimp\nmode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-smudge-tool, syscall: openat(), PID: 8566, process: gimp\nmode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-dodge-burn-tool, syscall: openat(), PID: 8566, process: gimp\nmode:  read, file: /home/theron/.gimp-2.8/tool-options/gimp-desaturate-tool, syscall: openat(), PID: 8566, process: gimp\nmode:  read, file: /home/theron/.gimp-2.8/plug-ins, syscall: openat(), PID: 8566, process: gimp\nmode:  read, file: /usr/lib/gimp/2.0/plug-ins, syscall: openat(), PID: 8566, process: gimp\nmode:  read, file: /home/theron/.gimp-2.8/pluginrc, syscall: openat(), PID: 8566, process: gimp\nmode:  read, file: /usr/share/locale/en_US/LC_MESSAGES/gimp20-std-plug-ins.mo, syscall: openat(), PID: 8566, process: gimp\nmode:  read, file: /usr/lib/gimp/2.0/plug-ins/script-fu, syscall: openat(), PID: 8566, process: gimp\nmode:  read, file: /etc/ld.so.cache, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu\nmode:  read, file: /etc/ld.so.cache, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu\nmode:  read, file: /usr/lib/libgimpui-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu\nmode:  read, file: /usr/lib/libgimpwidgets-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu\nmode:  read, file: /usr/lib/libgimpwidgets-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu\nmode:  read, file: /usr/lib/libgimp-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu\nmode:  read, file: /usr/lib/libgimpcolor-2.0.so.0, syscall: openat(), PID: 8574, process: /usr/lib/gimp/2.0/plug-ins/script-fu\n```\n\n## Use:\n\n- basic use, launches `ls` and writes output to a log file in the current directory:\n\n    `$ whatfiles ls -lah ~/Documents`\n\n- specify output file location with `-o`:\n\n    `$ whatfiles -o MyLogFile cd ..`\n\n- include debug output, print to stdout rather than log file:\n\n    `$ whatfiles -d -s apt install zoom`\n\n- attach to currently running process (requires root privileges):\n\n    `$ sudo whatfiles -p 1234`\n    \n## Distribution\nReady-to-use binaries are on the [releases](https://github.com/spieglt/whatfiles/releases) page! Someone also kindly added it to the [Arch](https://aur.archlinux.org/packages/whatfiles-git/) repository, and [letompouce](https://github.com/letompouce) set up a [GitLab](https://gitlab.com/l3tompouce/builders/whatfiles) pipeline as well.\n\n## Compilation (requires `gcc` and `make`):\n```\n$ cd whatfiles\n$ make\n$ sudo make install\n```\nSupports x86, x86_64, ARM32, and ARM64 architectures.\n\n## Questions that could be asked at some point:\n\n- _Isn't this just a reimplementation of `strace -fe trace=creat,open,openat,unlink,unlinkat ./program`?_\n\n  Yes. Though it aims to be simpler and more user friendly.\n\n- _Are there Mac and Windows versions?_\n\n  No. Tracing syscalls on Mac requires `task_for_pid()`, which requires code signing, which I can't get to work, and anyway I have no interest in paying Apple $100/year to write free software. `dtruss` on Mac can be used to follow a single process and its children, though the `-t` flag seems to only accept a single syscall to filter on. `fs_usage` does something similar though I'm not sure if it follows child processes/threads. Process Monitor for Windows is pretty great.\n\n## Known issues:\n\n- Tabs crash when `whatfiles` is used to launch Firefox. (Attaching with `-p [PID]` once it's running works fine, as does using `whatfiles` to launch a second Firefox window if one's already open.)\n\n## Planned features:\n\n- None currently, open to requests and PRs.\n\nThank you for your interest, and please also check out [Cloaker](https://github.com/spieglt/cloaker), [Nestur](https://github.com/spieglt/nestur), and [Flying Carpet](https://github.com/spieglt/flyingcarpet)!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspieglt%2Fwhatfiles","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fspieglt%2Fwhatfiles","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fspieglt%2Fwhatfiles/lists"}