I say somewhere, because usually the process is gone by the time I check my stats, and I'm not dumping all the data.
(It usually nabs about 130 megabytes per night).
Well, I managed to nab it in action yesterday morning.
Unfortunately, in my haste I killed the app before taking a dump of the image (derp).
Apparently the image name changes. It seems like it may be using the last image name that the user used.
For example, it shows up as "delete multiple items" if the last thing I did was shift+delete.
I've been trying to nab it in action again since then, but I can't think of a way to get a handle on it.
I might be forced to just write a program that uses Windows performance counters to check for IO throughput, and save the associated image.
I could leave Wireshark running, but that would dump an insane amount of data, and I wouldn't even know where to cue into it to inspect what was going out. (I'm not a Wireshark guru though; if anyone knows how I should do this, let me know.)

I want to figure out what files the app is accessing (which I'll do with Procmon), but also want to dump all the outbound data to a file and analyze the packets. This may be hard since the image isn't consistently named.
Anyone have/recommend any tools for this? Something like Wireshark, but more easily triggered on a few different criteria such as: screensaver active && uploading > 20k/s, etc?
I'm not trying to stop it just yet. I want to learn as much about it as I can before whacking it.
-scheherazade
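
One way to build the performance-counter watcher the post describes, as an added example that is not part of the original post: it polls the per-process `IO Write Bytes/sec` counter and, when a process exceeds the threshold, logs its PID, on-disk image path, command line and established TCP peers, so the changing display name does not matter. Assumptions: English counter names, a Windows version that has `Get-NetTCPConnection`, and the threshold, interval and log path shown. The counter covers file, network and device writes, so it is a proxy for upload rate rather than a direct measure.

```powershell
# Added example, not from the original post. Threshold, interval and log path are assumptions.
$ThresholdBytesPerSec = 20KB    # the "uploading > 20k/s" criterion from the post
$IntervalSec = 5
$LogPath = Join-Path $env:TEMP 'io-watch.csv'    # hypothetical output file

function Get-InstanceName([string]$CounterPath) {
    # Paths look like \\host\process(name#1)\io write bytes/sec; keep "name#1"
    if ($CounterPath -match '\\process\((.+)\)\\') { $Matches[1] } else { $null }
}

while ($true) {
    # Sample the write rate and the PID in one set so instances can be matched
    $set = Get-Counter -Counter '\Process(*)\IO Write Bytes/sec', '\Process(*)\ID Process' `
        -SampleInterval $IntervalSec -ErrorAction SilentlyContinue
    if (-not $set) { Start-Sleep -Seconds $IntervalSec; continue }

    # Map counter instance name -> PID
    $pidOf = @{}
    foreach ($s in $set.CounterSamples) {
        $name = Get-InstanceName $s.Path
        if ($name -and $s.Path -like '*\id process') { $pidOf[$name] = [int]$s.CookedValue }
    }

    foreach ($s in $set.CounterSamples) {
        if ($s.Path -notlike '*\io write bytes/sec') { continue }
        $name = Get-InstanceName $s.Path
        if (-not $name -or $name -in '_total', 'idle') { continue }
        if ($s.CookedValue -lt $ThresholdBytesPerSec) { continue }

        $procId = $pidOf[$name]
        # Resolve the image path and command line while the process still exists
        $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $procId" -ErrorAction SilentlyContinue
        $remote = Get-NetTCPConnection -OwningProcess $procId -State Established -ErrorAction SilentlyContinue |
            ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort }

        [pscustomobject]@{
            Time        = (Get-Date).ToString('s')
            Instance    = $name
            ProcessId   = $procId
            BytesPerSec = [math]::Round($s.CookedValue)
            ImagePath   = $proc.ExecutablePath
            CommandLine = $proc.CommandLine
            RemotePeers = ($remote | Sort-Object -Unique) -join ' '
        } | Export-Csv -Path $LogPath -Append -NoTypeInformation
    }
}
```

The logged remote address can then be used as a narrow Wireshark capture filter, and the PID or image path as a Procmon filter, instead of capturing everything overnight.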