In Windows, how can I trace in C which files a child process reads and writes?

As you suggested, this is a fairly simple task to solve with API hooking with DLL injection.

This is a pretty good article about the application: API hooking revealed

I believe you can find more recent articles about the issue.

However, you probably need to use C++ to implement such a utility. By the way, programs can disable DLL injection. For example, I wasn't able to use this approach on the trial version of Photoshop.

So, you may want to check if you can inject DLL files in the process you want with an existing solution before you start writing your own.


Please, take a look at the article CDirectoryChangeWatcher - ReadDirectoryChangesW all wrapped up.

It is a very old, but running, way to watch directory changes.
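Added example, not code from the article linked above: the piece of a ReadDirectoryChangesW watcher that is easiest to get wrong, decoding the FILE_NOTIFY_INFORMATION records it returns. The sample buffer is constructed in the code; on Windows you would instead fill buf with ReadDirectoryChangesW(hDir, buf, sizeof buf, TRUE, FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_LAST_WRITE, &bytes, NULL, NULL) on a directory handle opened with FILE_FLAG_BACKUP_SEMANTICS.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Byte offsets of the FILE_NOTIFY_INFORMATION fields ReadDirectoryChangesW writes,
 * spelled out so the parser builds off Windows too (<windows.h> has this layout). */
enum { OFF_NEXT = 0, OFF_ACTION = 4, OFF_NAMELEN = 8, OFF_NAME = 12 };
enum { ACTION_ADDED = 1, ACTION_REMOVED = 2, ACTION_MODIFIED = 3 };
struct change_event { uint32_t action; char name[64]; };
static uint32_t rd32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Decode the record chain. Pitfalls handled: FileName is not NUL-terminated,
 * FileNameLength is in bytes (not WCHARs), NextEntryOffset == 0 ends the chain.
 * Returns the event count, or -1 if a record would run past 'len' (corrupt buffer). */
int parse_notify_buffer(const unsigned char *buf, size_t len,
                        struct change_event *out, int max_out) {
    int n = 0;
    for (size_t pos = 0; ; ) {
        if (len - pos < OFF_NAME) return -1;
        uint32_t next = rd32(buf + pos + OFF_NEXT);
        uint32_t name_bytes = rd32(buf + pos + OFF_NAMELEN);
        if (name_bytes > len - pos - OFF_NAME) return -1;
        if (n < max_out) {
            size_t i, chars = name_bytes / 2, cap = sizeof out[n].name - 1;
            out[n].action = rd32(buf + pos + OFF_ACTION);
            for (i = 0; i < chars && i < cap; i++) {   /* UTF-16LE -> ASCII, else '?' */
                const unsigned char *c = buf + pos + OFF_NAME + 2 * i;
                out[n].name[i] = (c[1] == 0 && c[0] < 0x80) ? (char)c[0] : '?';
            }
            out[n++].name[i] = '\0';
        }
        if (next == 0) return n;
        if (next < OFF_NAME || next > len - pos) return -1;  /* no forward progress */
        pos += next;
    }
}

/* Lay out one record as the kernel does (ASCII name widened to UTF-16LE); sample use only. */
static size_t put_record(unsigned char *p, uint32_t next, uint32_t action, const char *name) {
    uint32_t len = (uint32_t)(2 * strlen(name)); size_t i;
    memcpy(p + OFF_NEXT, &next, 4); memcpy(p + OFF_ACTION, &action, 4); memcpy(p + OFF_NAMELEN, &len, 4);
    for (i = 0; i < len / 2; i++) { p[OFF_NAME + 2 * i] = (unsigned char)name[i]; p[OFF_NAME + 2 * i + 1] = 0; }
    return OFF_NAME + len;
}

/* Constructed sample: "a.txt" modified, then "out.log" created; first record (22 bytes) padded to 24. */
struct change_event demo_events[4];
int demo(void) {
    unsigned char buf[128] = {0};
    put_record(buf, 24, ACTION_MODIFIED, "a.txt");
    size_t used = 24 + put_record(buf + 24, 0, ACTION_ADDED, "out.log");
    return parse_notify_buffer(buf, used, demo_events, 4);
}
```

This reports which files in the watched tree changed, from any process; attributing a write to one child process still needs the hooking or minifilter approaches from the other answers.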


Unfortunately it seems there is no easy way to intercept file level operations on Windows.

Here are some hints:

  • you could try to use FileMon from Sysinternals if it is enough for your needs, or try to look at the source of the tool
  • you could make use of commercial software like Detours - beware, I never used that myself and I'm not sure it really meets your needs

If you want a better understanding and are not frightened at doing it by hand, the Windows way of intercepting file I/O is using a File System Filter Driver. In fact, there is a FilterManager embedded in Windows system that can forward all file system calls to minifilters.

To build it, the interface with the system is provided by the FilterManager, and you have just (...) to code and install the minifilter that does the actual filtering - beware again never tested that ...
