December 06, 2009

FileMon: Freeware to Monitor File Activity

Want to monitor file activity? Need to see which files an application has open? Use FileMon. FileMon monitors and displays file system activity on a system in real time. Its advanced capabilities make it a powerful tool for exploring the way Windows works, seeing how applications use files and DLLs, or tracking down problems in system or application file configurations.

FileMon's timestamping feature shows you precisely when every open, read, write or delete happens, and its status column tells you the outcome. FileMon begins monitoring when you start it, and its output window can be saved to a file for offline viewing. It has full search capability, and if you find that you are getting information overload, simply set up one or more filters.

How FileMon Works

For the Windows 9x driver, the heart of FileMon is in the virtual device driver, Filevxd.vxd. It is dynamically loaded, and in its initialization it installs a file system filter via the VxD service, IFSMGR_InstallFileSystemApiHook, to insert itself onto the call chain of all file system requests. On Windows NT the heart of FileMon is a file system driver that creates and attaches filter device objects to target file system device objects so that FileMon will see all IRPs and FastIO requests directed at drives. When FileMon sees an open, create or close call, it updates an internal hash table that serves as the mapping between internal file handles and file path names. Whenever it sees calls that are handle based, it looks up the handle in the hash table to obtain the full name for display. If a handle-based access references a file opened before FileMon started, FileMon will fail to find the mapping in its hash table and will simply present the handle’s value instead.
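The handle-to-path bookkeeping described above, as an added user-mode C example (not FileMon's driver source): it records a mapping on open/create, drops it on close, and falls back to the raw handle value when a handle was opened before tracking began. The function names, the table size and the sample handle values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration; all names here are hypothetical, not FileMon's. */
#define BUCKETS 64
#define PATH_MAX_LEN 260

struct entry { uintptr_t handle; int used; char path[PATH_MAX_LEN]; };
static struct entry table[BUCKETS];

/* Linear probe: return the slot holding `handle`, or a free one if asked. */
static struct entry *find_slot(uintptr_t handle, int want_free) {
    size_t start = (size_t)((handle >> 2) % BUCKETS);
    for (size_t i = 0; i < BUCKETS; i++) {
        struct entry *e = &table[(start + i) % BUCKETS];
        if (e->used && e->handle == handle) return e;
        if (!e->used && want_free) return e;
    }
    return NULL;
}

/* Open/create seen: remember which path this handle refers to. */
int track_open(uintptr_t handle, const char *path) {
    struct entry *e = find_slot(handle, 0);   /* handle value reused? */
    if (!e) e = find_slot(handle, 1);
    if (!e) return -1;                        /* table full */
    e->handle = handle;
    e->used = 1;
    snprintf(e->path, sizeof e->path, "%s", path);
    return 0;
}

/* Close seen: the handle value may be recycled, so forget the mapping. */
void track_close(uintptr_t handle) {
    struct entry *e = find_slot(handle, 0);
    if (e) e->used = 0;
}

/* Handle-based call seen: 1 = path found, 0 = raw handle value shown. */
int resolve(uintptr_t handle, char *out, size_t n) {
    struct entry *e = find_slot(handle, 0);
    if (e) { snprintf(out, n, "%s", e->path); return 1; }
    snprintf(out, n, "0x%lX", (unsigned long)handle);
    return 0;
}

int main(void) {
    char buf[PATH_MAX_LEN];                   /* constructed sample values */
    track_open(0x1A4, "C:\\WINDOWS\\system.ini");
    resolve(0x1A4, buf, sizeof buf); printf("READ  %s\n", buf);
    resolve(0x2B0, buf, sizeof buf); printf("WRITE %s\n", buf);
    return 0;
}
```

When reading a capture, a bare handle value in the path column therefore points to a file that was already open when monitoring started, not to a missing event.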

Click this link to download FileMon: http://download.sysinternals.com/Files/Filemon.zip
