Process Monitor causing additional SMB requests?

pwmealey
Posted: 09 November 2017 at 6:10pm

I am monitoring the behavior of an application that is accessing a network file share using procmon and Wireshark, and I have noticed that the network traces that I capture while procmon is running are different from the network traces that I capture when procmon is not running. Specifically, the traces taken when procmon is running contain SMB "find" requests with a search string of "*" for each directory in the path to a file that is accessed. For example, if my application opens a file at "\\fileserver\share\$\a\b\c\d.txt", the network trace shows that SMB find requests were issued for \\fileserver\share\$, \\fileserver\share\$\a, \\fileserver\share\$\a\b, and \\fileserver\share\$\a\b\c. There is also a corresponding set of SMB "create" commands issued (the SMB create commands are actually just "open" commands in this context). Note that these find and create commands only show up in the network trace and do not show up in the procmon output, and they only show up in the trace if I am running procmon.

Is this expected behavior? In other words, is procmon issuing those additional commands in order to provide additional information about the monitored events? If not, are you aware of some side effect of monitoring a program that would account for the extra SMB commands?
