Copyright © 1998 Mark Russinovich and Bryce Cogswell
Last Updated April 22, 1998 V3.42
Introduction

Filemon is a file system monitor for Windows 95 that displays detailed information about every file system access that takes place. See our Filemon for Windows NT program for an equivalent program for Windows NT. Version 3.4 has time-stamping and measurement capability.
Sample Screen Shot

[Screenshot: Filemon watching file system activity]
Installation and Use

Install Filemon by copying Filevxd.vxd and Filemon.exe to the same directory on your hard drive, and start it by running Filemon.exe from that directory. The GUI dynamically loads the virtual device driver (VxD), which starts filtering all file system accesses. The menus and tool bar buttons can be used to toggle monitoring on and off, disable event capturing, control the scrolling of the listview, and save the listview contents to an ASCII file.
Filemon V3.0 and later let you set filters on the processes that are logged, as well as on paths. Both process and path filters take expressions similar to those the command prompt accepts: you can specify names with '*' as a wildcard. The "Path Include" filter lists path names that will be monitored and the "Path Exclude" filter lists path names that will not be monitored. Where the two overlap, Path Exclude overrides. Note that the filters are interpreted in a case-insensitive manner.

For example, if you do not want to see paging file activity you could specify "*pagefile*" as the Path Exclude filter. If you only want to see activity in the c:\temp directory, set "c:\temp*" as the Path Include filter. If you set both of these filters and the paging file is in C:\temp, activity to the paging file would not be logged, whereas activity to the other files and directories in c:\temp would be. Because '*' matches any run of characters, "c:\temp*" also matches paths under directories such as c:\temporary; include the trailing backslash ("c:\temp\*") if you want only the contents of c:\temp. By default, the filters are set up to watch all file system activity: the process filter is "*", the Path Include filter is "*", and the Path Exclude filter is empty ("").

If you wish to see the contents of a field that is partially obscured because the listview column it is in is too narrow, just right-click on it. You'll get a tool-tip containing the entire text of the field. To remove the tool-tip, move the mouse over it or pop up another one.
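The filter rules above (case-insensitive '*' wildcards, Path Include checked first, a non-empty Path Exclude overriding it) are easy to get subtly wrong, so here is an added worked example of that matching logic in plain C. It is not Filemon's code; the struct name filemon_filter, the function names, and the sample (process, path) pairs are all constructed for illustration, and the sample list includes a c:\temporary path to show how far "c:\temp*" reaches.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

/* Case-insensitive wildcard match where '*' stands for any run of
   characters (including none). Only '*' is handled, as that is the
   only wildcard the text documents. */
bool glob_match_ci(const char *pat, const char *s)
{
    const char *star = NULL;      /* last '*' seen in pat */
    const char *backtrack = NULL; /* where in s to resume after that '*' */

    while (*s) {
        if (*pat == '*') {
            star = pat++;
            backtrack = s;
        } else if (*pat && tolower((unsigned char)*pat) == tolower((unsigned char)*s)) {
            pat++;
            s++;
        } else if (star) {
            /* Mismatch after a '*': let the '*' absorb one more character. */
            pat = star + 1;
            s = ++backtrack;
        } else {
            return false;
        }
    }
    while (*pat == '*')
        pat++;
    return *pat == '\0';
}

/* The three filter strings Filemon exposes; "" for Path Exclude means none. */
struct filemon_filter {
    const char *process;
    const char *path_include;
    const char *path_exclude;
};

/* The combination from the example above: every process, only c:\temp,
   but never the paging file. */
const struct filemon_filter example_filter = { "*", "c:\\temp*", "*pagefile*" };

/* True when an access by `process` to `path` passes the filters:
   the process must match, the path must match Path Include, and a
   non-empty Path Exclude overrides Path Include where they overlap. */
bool filemon_should_log(const struct filemon_filter *f,
                        const char *process, const char *path)
{
    if (!glob_match_ci(f->process, process))
        return false;
    if (!glob_match_ci(f->path_include, path))
        return false;
    if (f->path_exclude[0] != '\0' && glob_match_ci(f->path_exclude, path))
        return false;
    return true;
}

int main(void)
{
    /* Constructed sample accesses (process, path); not a real Filemon capture. */
    static const char *samples[][2] = {
        { "Explorer", "C:\\TEMP\\readme.txt" },
        { "Explorer", "C:\\Temp\\PAGEFILE.SYS" },
        { "Winword",  "C:\\Windows\\win.ini" },
        { "Winword",  "C:\\temporary\\doc1.doc" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s %-26s %s\n", samples[i][0], samples[i][1],
               filemon_should_log(&example_filter, samples[i][0], samples[i][1])
                   ? "logged" : "filtered out");
    return 0;
}
```

The paging-file access is dropped even though it matches Path Include, and the c:\temporary access is kept because "c:\temp*" matches any path that merely starts with c:\temp.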
How Filemon Works

The heart of Filemon is in the virtual device driver, Filevxd.vxd. It is dynamically loaded, and in its initialization it installs a file system filter via the VxD service IFSMGR_InstallFileSystemApiHook, to insert itself onto the call chain of all file system requests.

When Filemon sees an open, create or close call, it updates an internal hash table that serves as the mapping between internal file handles and file path names. Whenever it sees calls that are handle based, it looks up the handle in the hash table to obtain the full name for display. If a handle-based access references a file opened before Filemon started, Filemon will fail to find the mapping in its hash table and will simply present the handle's value instead. Information on accesses is dumped into an ASCII buffer that is periodically copied up to the GUI for it to print in its listview.
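The handle-to-path table described above, as an added user-mode C model rather than Filemon's own VxD code: opens insert a mapping, closes remove it, and a handle-based call resolves to a path or, when the handle was opened before monitoring started, falls back to the raw handle value. The handle type (unsigned), the table size, the hash function, and the event sequence in main are all constructed assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TABLE_SIZE 64
#define PATH_MAX_WIN 260   /* MAX_PATH on Windows */

/* One handle -> path mapping; collisions are chained. */
struct handle_entry {
    unsigned handle;
    char path[PATH_MAX_WIN];
    struct handle_entry *next;
};

static struct handle_entry *table[TABLE_SIZE];

static unsigned bucket(unsigned handle)
{
    return (handle * 2654435761u) % TABLE_SIZE;  /* multiplicative hash */
}

/* Open or create seen: remember the path this handle now refers to. */
void handle_opened(unsigned handle, const char *path)
{
    struct handle_entry *e = malloc(sizeof *e);
    if (e == NULL)
        return;  /* out of memory: the handle will later show as a raw value */
    e->handle = handle;
    snprintf(e->path, sizeof e->path, "%s", path);
    e->next = table[bucket(handle)];
    table[bucket(handle)] = e;
}

/* Close seen: drop the mapping so a later reuse of the same handle value
   is not labelled with a stale path. */
void handle_closed(unsigned handle)
{
    struct handle_entry **pp = &table[bucket(handle)];
    for (; *pp != NULL; pp = &(*pp)->next) {
        if ((*pp)->handle == handle) {
            struct handle_entry *dead = *pp;
            *pp = dead->next;
            free(dead);
            return;
        }
    }
}

/* Handle-based call (read, write, seek, ...) seen: produce the name to
   display. A handle opened before monitoring began has no entry, so the
   raw handle value is shown instead, the fallback described above. */
const char *handle_describe(unsigned handle, char *out, size_t outlen)
{
    for (struct handle_entry *e = table[bucket(handle)]; e != NULL; e = e->next) {
        if (e->handle == handle) {
            snprintf(out, outlen, "%s", e->path);
            return out;
        }
    }
    snprintf(out, outlen, "0x%X", handle);
    return out;
}

int main(void)
{
    char name[PATH_MAX_WIN];

    /* Constructed event sequence, not a real Filemon capture. Handle 0x7C
       was opened before "monitoring" started, so it never enters the table. */
    handle_opened(0x1A, "C:\\TEMP\\README.TXT");
    printf("Read   %s\n", handle_describe(0x1A, name, sizeof name));
    printf("Read   %s\n", handle_describe(0x7C, name, sizeof name));
    handle_closed(0x1A);
    printf("Read   %s\n", handle_describe(0x1A, name, sizeof name));
    return 0;
}
```

Removing the entry on close matters in practice: handle values are recycled by the file system, so a stale mapping would attribute a new file's reads to the old path.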
More Information

The following serve as additional sources of information on the Windows 95 file system: