2.1 File and registry monitoring

File and registry changes are among the most important events used to identify malware. Some of the file and registry changes made by malware are explained in Chapter 1, Malware from Fun to Profit. Microsoft Sysinternals originally provided two separate tools, Regmon and Filemon, for this purpose. Both have since been retired and replaced by Process Monitor (procmon), which covers registry and file monitoring in a single tool. You can download the tool from the Sysinternals website. Here is the link: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon.

Procmon showing file activity for the vssvc.exe process

The previous image shows file reading (ReadFile), closing (CloseFile), and writing (WriteFile) activity by the process vssvc.exe. vssvc.exe creates the file C:\Users\amohanta\Favorites\Microsoft Websites\Microsoft Store.url.readme_txt (a CreateFile operation), writes to it, and then closes it. Note that Procmon reports every file open as CreateFile, whether or not a new file is created; the Detail column (Disposition and OpenResult) tells you whether the file was actually created, overwritten, or merely opened.

Procmon can also monitor process activity such as thread start and exit, network connections, and much more. It's important to filter the captured events, because many system processes make continuous changes to files and the registry and quickly bury the activity you care about. You can create a filter using the funnel icon in the toolbar (Filter > Filter... in the menu). Another way is to right-click the entry you want to include or exclude and choose the matching Include or Exclude option from the context menu:

Excluding QueryInformationVolume

The preceding image shows how to exclude the QueryInformationVolume operation from the results. Microsoft provides detailed documentation about the usage of procmon. Here is the link: https://blogs.technet.microsoft.com/appv/2008/01/24/process-monitor-hands-on-labs-and-examples/.
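The filtering described above, and the CreateFile-versus-real-creation distinction in the vssvc.exe example, are easy to reproduce offline on a saved Procmon log. The following Python script is an added example written for this section; it is not part of the book and not a Sysinternals tool. It parses a Procmon CSV export (File > Save... in CSV format, whose default columns are Time of Day, Process Name, PID, Operation, Path, Result and Detail), applies include/exclude rules with the same semantics as the Procmon filter dialog (exclude rules win over include rules; include rules on the same column are ORed, include rules on different columns are ANDed), and then reports which files a process actually created and wrote to. The CSV rows are constructed for the example; the vssvc.exe events mirror the screenshot, the svchost.exe and explorer.exe rows are made up noise.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Procmon CSV export. The rows are made up for this
# example; the column layout follows Procmon's default CSV export.
SAMPLE_CSV = '''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.0001","vssvc.exe","1234","QueryInformationVolume","C:\\Users\\amohanta\\Favorites","SUCCESS","VolumeCreationTime: 1/1/2018"
"10:01:02.0002","vssvc.exe","1234","CreateFile","C:\\Users\\amohanta\\Favorites\\Microsoft Websites\\Microsoft Store.url","SUCCESS","Desired Access: Generic Read, Disposition: Open, OpenResult: Opened"
"10:01:02.0003","vssvc.exe","1234","ReadFile","C:\\Users\\amohanta\\Favorites\\Microsoft Websites\\Microsoft Store.url","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.0004","vssvc.exe","1234","CloseFile","C:\\Users\\amohanta\\Favorites\\Microsoft Websites\\Microsoft Store.url","SUCCESS",""
"10:01:02.0005","vssvc.exe","1234","CreateFile","C:\\Users\\amohanta\\Favorites\\Microsoft Websites\\Microsoft Store.url.readme_txt","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:01:02.0006","vssvc.exe","1234","WriteFile","C:\\Users\\amohanta\\Favorites\\Microsoft Websites\\Microsoft Store.url.readme_txt","SUCCESS","Offset: 0, Length: 1,024"
"10:01:02.0007","vssvc.exe","1234","CloseFile","C:\\Users\\amohanta\\Favorites\\Microsoft Websites\\Microsoft Store.url.readme_txt","SUCCESS",""
"10:01:02.0008","svchost.exe","900","RegQueryValue","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters","SUCCESS","Type: REG_DWORD"
"10:01:02.0009","explorer.exe","2000","WriteFile","C:\\Users\\amohanta\\AppData\\Local\\Temp\\x.tmp","SUCCESS","Offset: 0, Length: 16"
'''


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _matches(event, column, relation, value):
    """One Procmon filter condition. Procmon compares case-insensitively."""
    field = event.get(column, "").lower()
    value = value.lower()
    if relation == "is":
        return field == value
    if relation == "is not":
        return field != value
    if relation == "begins with":
        return field.startswith(value)
    if relation == "ends with":
        return field.endswith(value)
    if relation == "contains":
        return value in field
    if relation == "excludes":
        return value not in field
    raise ValueError("unsupported relation: %s" % relation)


def apply_filters(events, rules):
    """Apply (column, relation, value, action) rules like the Procmon filter dialog.

    - Any matching Exclude rule drops the event (exclude wins over include).
    - Include rules on the same column are ORed; include rules on different
      columns are ANDed, so 'Process Name is vssvc.exe' plus 'Operation is
      WriteFile' shows only vssvc.exe writes.
    """
    includes_by_column = defaultdict(list)
    excludes = []
    for column, relation, value, action in rules:
        if action == "Include":
            includes_by_column[column].append((column, relation, value))
        else:
            excludes.append((column, relation, value))

    kept = []
    for event in events:
        if any(_matches(event, *rule) for rule in excludes):
            continue
        if all(any(_matches(event, *rule) for rule in group)
               for group in includes_by_column.values()):
            kept.append(event)
    return kept


def created_files(events):
    """Paths a CreateFile really created or overwrote.

    Procmon logs every file open as CreateFile, so the OpenResult in the
    Detail column is what separates a read-only open from actual creation.
    """
    return sorted({
        event["Path"] for event in events
        if event["Operation"] == "CreateFile"
        and ("OpenResult: Created" in event["Detail"]
             or "OpenResult: Overwritten" in event["Detail"])
    })


def written_files_by_process(events):
    """Map each process name to the files it successfully wrote to."""
    writes = defaultdict(set)
    for event in events:
        if event["Operation"] == "WriteFile" and event["Result"] == "SUCCESS":
            writes[event["Process Name"]].add(event["Path"])
    return {proc: sorted(paths) for proc, paths in writes.items()}


if __name__ == "__main__":
    events = parse_procmon_csv(SAMPLE_CSV)
    # Same two rules as the GUI walkthrough: drop QueryInformationVolume noise,
    # keep only vssvc.exe.
    rules = [
        ("Operation", "is", "QueryInformationVolume", "Exclude"),
        ("Process Name", "is", "vssvc.exe", "Include"),
    ]
    vss_events = apply_filters(events, rules)
    for event in vss_events:
        print(event["Operation"].ljust(12), event["Path"])
    print("created:", created_files(vss_events))
    print("written:", written_files_by_process(events))
```

To use it on a real capture, replace SAMPLE_CSV with the contents of the exported file; the same rules can also be tuned to flag suspicious patterns such as writes to many user files with a new extension, as in the vssvc.exe example, rather than just reducing noise.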
