How to trace all files opened by a process and its child processes?
I tried Sysinternals - Process Monitor, but there is no way to dynamically attach filters for child processes.
To make it programming related: you can use Import Address Table Hooking and dole out your own implementation :-)
If you are looking for a tool, I believe someone has already done that for you: StraceNT: A system call tracer for Windows.
The website claims it is an strace clone and strace supports tracing child processes (I haven't used this tool myself, so not sure of the claim).
(strace is a utility available on Linux environments, which allows you to trace system calls; I suppose that explains the name StraceNT.)
Hope that helps!
Try OpenedFilesView from Nirsoft. http://www.nirsoft.net/utils/opened_files_view.html
The download is on the bottom of the page. (Actually hard to find)
Try Process Monitor. http://technet.microsoft.com/en-in/sysinternals/bb896645.aspx by Microsoft.
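An added example, not part of any answer above: one way to work around the missing child-process filter is to capture everything in Process Monitor, export the trace to CSV, and walk the process tree offline. The column names, the "Process Create" Detail format ("PID: <child>, ...") and the chronological row order are assumptions about the export; the sample rows are constructed.

```python
import csv
import io
import re

# Constructed sample, in the column layout assumed for a Process Monitor CSV export.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:00.1","build.exe","100","CreateFile","C:\src\main.c","SUCCESS","Desired Access: Generic Read"
"10:00:00.2","build.exe","100","Process Create","C:\tools\cc.exe","SUCCESS","PID: 200, Command line: cc.exe main.c"
"10:00:00.3","cc.exe","200","CreateFile","C:\src\main.h","SUCCESS","Desired Access: Generic Read"
"10:00:00.4","other.exe","300","CreateFile","C:\temp\x.log","SUCCESS","Desired Access: Generic Write"
"10:00:00.5","cc.exe","200","Process Create","C:\tools\ld.exe","SUCCESS","PID: 400, Command line: ld.exe main.o"
"10:00:00.6","ld.exe","400","CreateFile","C:\src\main.o","SUCCESS","Desired Access: Generic Read"
"10:00:00.7","cc.exe","200","CreateFile","C:\src\missing.h","NAME NOT FOUND","Desired Access: Generic Read"
"10:00:00.8","cc.exe","200","Process Exit","","SUCCESS","Exit Status: 0"
"10:00:00.9","notepad.exe","200","CreateFile","C:\users\a.txt","SUCCESS","Desired Access: Generic Read"
'''

# Assumed Detail format of a "Process Create" event logged by the parent.
CHILD_PID = re.compile(r"\bPID:\s*(\d+)")


def files_opened_by_tree(csv_text, root_pid):
    """Return {pid: [paths]} for successful CreateFile events issued by
    root_pid or any process descended from it. Rows must be in time order."""
    tracked = {root_pid}
    opened = {}
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):
        pid = int(row["PID"])
        if pid not in tracked:
            continue
        op = row["Operation"]
        if op == "Process Create":
            match = CHILD_PID.search(row["Detail"])
            if match:
                tracked.add(int(match.group(1)))  # follow the new child
        elif op == "Process Exit":
            tracked.discard(pid)  # PIDs are reused; stop following this one
        elif op == "CreateFile" and row["Result"] == "SUCCESS":
            opened.setdefault(pid, []).append(row["Path"])
    return opened


if __name__ == "__main__":
    for pid, paths in files_opened_by_tree(SAMPLE_CSV, 100).items():
        print(pid, paths)
```

Children stay tracked after their parent exits, and a PID is dropped on its own exit so that a later, unrelated process reusing the number is not attributed to the tree.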