Does Windows (or NTFS in general) store the name of the application that created a file anywhere?
Alternatively is there a robust way of determining which application is responsible for creating a file soon (a few seconds, say) after it is initially created?
We're working on a document management system. It monitors the FS for new files with FileSystemWatcher - that part's straightforward - but I'd like for it to be able to keep track of which application/version created the new files it detects.
I know I can look for open file handles belonging to running processes but presumably that approach would only work when the app has created the file and then kept the lock on it, right? Is there a better way?
No, not after the fact.
However you could create a service to watch all file accesses and record the information yourself, FileMon from System Internals does this. (It implements a OS driver that sits on top of the NTFS driver)