Filemon For Windows NT


Copyright © 1998 Mark Russinovich and Bryce Cogswell
Last Updated April 5, 1998 V3.4
Introduction	Filemon for Windows NT is a Windows NT device driver/GUI combination for NT 3.51 and NT 4.0 that together log and display all file system activity on a Windows NT system. The device driver is a type of driver known as a filter driver. It layers itself above the file system drivers so that it can see I/O requests pass down to, and return from, file systems such as NTFS, FASTFAT, CDFS, NWRDR, RAM drives and any other type of file system driver that has an associated drive letter. Version 3.4 includes time-stamping and measurement capability.
Installation and Use	Installing Filemon for Windows NT is as easy as unzipping it and typing, "ntfilmon." The GUI dynamically loads the driver (based on code from the instdrv sample in the Windows NT DDK), which starts filtering all non-removable drives. The menus and tool bar buttons can be used to set up process and path filters, toggle on and off the filtering of specific drives, and also to disable event capturing, control the scrolling of the listview, and to save the listview contents to an ASCII file. Filemon for Windows NT V3.0 allows you to set filters on processes that are logged, as well as paths. Both process and path filters take expressions similar to what the command prompt takes: you can specify names with '' representing wild cards. The "Path Include" filter represents path names that will be monitored and the "Path Exclude" filter represents path names that will not be monitored. Where there is overlap, Path Exclude overrides. Note that the filters are intrepreted in a case-insensitive manner. For example, if you do not want to see paging file activity you could specify "pagefile" as the "Path Exclude" filter. If you only want to see activity to the c:\temp directory, set "c:\temp" as the Path Include filter. If you set both of these filters and a paging file is in C:\temp, activity to the paging file would not be logged whereas activity to the other files and directories in c:\temp would be. By default, the filters are set up to watch all file system activity. The process filter is "", the Path Include filter is "", and the Path Exclude filter is empty (""). If you wish to see the contents of a field that is partially obscured because the listview column it is in is to narraw, just right-click on it. You'll get a tool-tip containing the entire text of the field. To remove the tool-tip move the mouse over it, or pop up another one.
Sample Screenshot	This is a screenshot of Filemon for Windows NT filtering drives.
More Information	Unfortunately, there is not that much good published information on the Windows NT file system. The best sources of information are ntddk.h in the Windows NT DDK, and Helen Custer's Inside Windows NT. For more detailed information on how Filemon for Windows NT works, see: "Examining The Windows NT File System," by Mark Russinovich and Bryce Cogswell, Dr. Dobb's Journal, Febrary 1997
Download Filemon for Windows NT (x86) (41KB) Download Filemon for Windows NT (Alpha) (83KB) Download Filemon for Windows NT Source (141KB)