
Windows NT File Monitor


Copyright (C) 1996, Mark Russinovich and Bryce Cogswell

FILEMON is a Windows NT GUI/device driver combination that intercepts and displays information about all file system activity on a Windows NT system. File systems monitored include FAT, HPFS, NTFS, CDFS, network redirectors and RAM drives. Information displayed includes the request type, the full pathname of the request's target file, the return status, and additional information specific to the request, such as read/write offsets and lengths. Even direct access to drives performed by utilities such as FORMAT and CHKDSK is visible to FILEMON.

Download NTFMON.ZIP

Also see the excellent Windows 95 File Monitor by Stan Mitchell

Installation and Usage

Running FILEMON is as easy as typing "FILEMON" from the install directory. The FILEMON device driver, FILEMON.SYS, is loaded automatically when FILEMON starts and unloaded when FILEMON exits.

By default, FILEMON monitors all non-removable drives on the system. The DRIVES menu indicates which drives are being watched by check-marking them. The monitoring status of any drive, including a removable drive such as a floppy, can be toggled at any time by selecting its drive letter in the DRIVES menu.

Implementation

At startup, the Filemon GUI (filemon.exe) passes the list of logical drive letters present on the system to the Filemon device driver (filemon.sys). For each drive, the driver determines which device object represents it, using a method similar to the one the NT kernel itself uses: it opens the root directory of the drive, obtains the file object from the returned file handle (ObReferenceObjectByHandle), and then gets the file object's related device object (IoGetRelatedDeviceObject).

Next, Filemon creates a hook device object with IoCreateDevice and attaches it to the drive's device object with IoAttachDeviceByPointer. This ensures that Filemon sees every file system request directed at the drive before the drive's file system driver sees it.

When Filemon sees a request (the I/O request packet [IRP] is passed to Filemon as a parameter of its hook dispatch routine), it extracts the request parameters and registers a completion routine for the request (using IoSetCompletionRoutine) so that it can also see the request's return status once the file system has finished with it.

The Filemon GUI periodically performs a DeviceIoControl to the Filemon device driver, at which time the driver copies the latest batch of request information into a GUI-supplied buffer.
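The following is an added illustration of the record hand-off described in the three paragraphs above, written for this page and not taken from Filemon's source. It is a portable user-mode C model, so the kernel calls (IoAttachDeviceByPointer, IoSetCompletionRoutine, the IOCTL handler) are stood in for by plain functions: fm_dispatch captures the request parameters the hook sees, fm_complete plays the completion routine that adds the return status and queues the finished record in a bounded driver buffer, and fm_drain is the DeviceIoControl path that copies the oldest batch into a GUI-supplied buffer. The record layout, the buffer size, the sequence numbers and the sample paths are all assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Filemon's code): user-mode model of the driver<->GUI
   hand-off. Request parameters are captured at dispatch, the status at
   completion, and finished records wait in a bounded buffer until the GUI's
   periodic DeviceIoControl drains a batch. No kernel APIs are used. */

enum fm_type { FM_CREATE, FM_READ, FM_WRITE, FM_CLOSE };

struct fm_record {
    uint32_t seq;          /* assigned at dispatch; gaps reveal dropped records */
    enum fm_type type;
    char path[48];         /* the real tool logs the full pathname; truncated here */
    uint64_t offset;       /* read/write offset, 0 for other request types */
    uint64_t length;
    int32_t status;        /* NTSTATUS-like, 0 = success; known only at completion */
};

/* Context handed to the completion routine (the Context argument of
   IoSetCompletionRoutine in a real driver): what the hook saw at dispatch. */
struct fm_pending {
    struct fm_record rec;
};

#define FM_CAPACITY 8      /* assumed buffer size; Filemon's is not documented here */

struct fm_log {
    struct fm_record ring[FM_CAPACITY];
    uint32_t head;         /* index of the oldest undrained record */
    uint32_t count;        /* records waiting for the GUI */
    uint32_t next_seq;
    uint32_t dropped;      /* finished records lost because the buffer was full */
};

void fm_init(struct fm_log *log) { memset(log, 0, sizeof *log); log->next_seq = 1; }

/* Hook dispatch: snapshot the request before it is passed down to the file system. */
void fm_dispatch(struct fm_log *log, struct fm_pending *p, enum fm_type type,
                 const char *path, uint64_t offset, uint64_t length)
{
    memset(p, 0, sizeof *p);
    p->rec.seq = log->next_seq++;
    p->rec.type = type;
    snprintf(p->rec.path, sizeof p->rec.path, "%s", path);
    p->rec.offset = offset;
    p->rec.length = length;
}

/* Completion routine: the file system has finished, so the status is known.
   Returns 0 if the record was queued, -1 if the buffer was full and it was dropped
   (a completion routine must not wait for the GUI to catch up). */
int fm_complete(struct fm_log *log, struct fm_pending *p, int32_t status)
{
    p->rec.status = status;
    if (log->count == FM_CAPACITY) {
        log->dropped++;
        return -1;
    }
    log->ring[(log->head + log->count) % FM_CAPACITY] = p->rec;
    log->count++;
    return 0;
}

/* IOCTL handler: copy up to `max` of the oldest records into the GUI's buffer. */
uint32_t fm_drain(struct fm_log *log, struct fm_record *out, uint32_t max)
{
    uint32_t n = 0;
    while (n < max && log->count > 0) {
        out[n++] = log->ring[log->head];
        log->head = (log->head + 1) % FM_CAPACITY;
        log->count--;
    }
    return n;
}

/* GUI-side check: how many records are missing before or within a drained batch,
   judged from the sequence numbers, given the last sequence number already seen. */
uint32_t fm_missing(uint32_t last_seq_seen, const struct fm_record *batch, uint32_t n)
{
    uint32_t missing = 0, prev = last_seq_seen;
    for (uint32_t i = 0; i < n; i++) {
        missing += batch[i].seq - prev - 1;
        prev = batch[i].seq;
    }
    return missing;
}

int main(void)
{
    struct fm_log log; struct fm_pending p; struct fm_record out[FM_CAPACITY];
    fm_init(&log);
    /* Constructed sample traffic: a read that succeeds and an open that fails. */
    fm_dispatch(&log, &p, FM_READ, "\\??\\C:\\WINNT\\system32\\config\\SAM", 0, 4096);
    fm_complete(&log, &p, 0);
    fm_dispatch(&log, &p, FM_CREATE, "\\??\\C:\\secret.txt", 0, 0);
    fm_complete(&log, &p, -1073741772);   /* 0xC0000034, STATUS_OBJECT_NAME_NOT_FOUND */
    uint32_t n = fm_drain(&log, out, FM_CAPACITY);
    for (uint32_t i = 0; i < n; i++)
        printf("%u type=%d %s off=%llu len=%llu status=0x%08x\n", out[i].seq, out[i].type,
               out[i].path, (unsigned long long)out[i].offset,
               (unsigned long long)out[i].length, (unsigned)out[i].status);
    return 0;
}
```

The point of the sequence numbers and the dropped counter is the one a practitioner relying on such a monitor cares about: the completion routine cannot block waiting for the GUI, so if the GUI's polling falls behind a burst of I/O the driver has to drop records, and the only way the viewer can tell its trace is incomplete is a visible gap in the numbering.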

Reaching Us

Mark can be reached at markr@numega.com and Bryce can be reached at cogswell@cs.uoregon.edu.
