How does the Sysinternals process monitor control the activity of an IO file, how is it? If you include advanced information, you will see that calls that were previously shown as CreateFile now display as IRP_MJ_CREATE, which means that it intercepts some things with a rather low level. Does anyone know what it hooked / how it works?
source
share