I'm running a C# Windows Service on Windows 10 that is constantly polling (each 5ms) for current running processes and for each of the processes is getting its fingerprint which consists in the creation date, size and MD5 checksum. The service start is set to automatic.
For getting the creation date I'm using:
File.GetCreationTime(absolutePathToProcess)
To get the checksum I'm doing:
using (var md5 = System.Security.Cryptography.MD5.Create())
{
using (var stream = File.OpenRead(absolutePathToProcess))
{
var hash = md5.ComputeHash(stream);
return (hash);
}
}
All runs smooth except at the Windows startup, when for the processes started from c:\windows\system32\ (e.g. svchost.exe, wininit.exe, csrss.exe, wudfhost.exe etc.) I'm getting System.IO.IOException The media is write protected, both for creation date and checksum. This does not happen regularly, only for some boots, and after just a few polls cycles the exception is not received anymore. The service has no order dependency set. Is there a protection that is applied to the files from system32 at the startup which is later removed?
Windows File Protection is my guess (WFP).
Windows scans all files subject to WFP on various triggers and (I assume) one such occasion would have to be on startup (in case files were changed while switched off or running under another OS).
Instead of
FileStream.OpenRead()you might like instead to tryFile.Open(..., FileAccess.Read, FileShare.Write), which should allow a process like WFP which needs to replace a file to do so while you are reading it... which is probably a bad idea. A bit of exception handling and keeping track of files that couldn't be hashed to revisit in subsequent iterations is probably a smarter idea.