Trying to hook vm operations (from host to vm). Virtual box uses xdndl protocol. But could not find a way to do it?
No idea but I’d expect the behavior to be different depending on the hypervisor. And for sure from a file system filter you’re only going to see the guest service running in the VM creating the file and writing it (which maybe would be a “good enough” heuristic depending on what you’re trying to accomplish) overall.
Thanks scott, that’s exactly what I saw on process monitor.