          Copyright © 1996-97 Mark Russinovich and Bryce Cogswell

                         last updated March 3, 1997

   NTFilemon - File System Monitor V2.0

        Introduction   NTFilemon is a Windows NT device driver/GUI
                       combination for NT 3.51 and NT 4.0 that together log
                       and display all file system activity on a Windows NT
                       system. The device driver is a type of driver known
                       as a filter driver. It layers itself above the file
                       system drivers so that it can see I/O requests pass
                       down to, and return from, file systems such as NTFS,
                       FASTFAT, CDFS, NWRDR, RAM drives and any other type
                       of file system driver that has an associated drive
                       letter.

                       Version 2.0 includes some minor bug fixes, further
                       improved code, and advanced output filtering
                       capabilities.

     Installation and  Installing NTFilemon is as easy as unzipping it and
                  Use   typing "ntfilmon". The GUI dynamically loads the
                       driver (based on code from the instdrv sample in the
                       Windows NT DDK), which starts filtering all
                       non-removable drives. The menus can be used to set
                       up process and path filters, toggle on and off the
                       filtering of specific drives, and also to disable
                       event capturing, control the scrolling of the
                       listview, and to save the listview contents to an
                       ASCII file.

                       NTFilemon V2.0 allows you to set filters on
                       processes that are logged, as well as paths. Both
                       process and path filters take expressions similar to
                       what the command prompt takes: you can specify names
                       with '*' representing wild cards. The "Path Include"
                       filter represents path names that will be monitored
                       and the "Path Exclude" filter represents path names
                       that will not be monitored. Where there is overlap,
                       Path Exclude overrides. Note that the filters are
                       interpreted in a case-*in*sensitive manner.

                       For example, if you do not want to see paging file
                       activity you could specify "*pagefile*" as the "Path
                       Exclude" filter. If you only want to see activity to
                       the c:\temp directory, set "c:\temp*" as the Path
                       Include filter. If you set both of these filters and
                       a paging file is in C:\temp, activity to the paging
                       file would not be logged whereas activity to the
                       other files and directories in c:\temp would be.

                       By default, the filters are set up to watch all file
                       system activity. The process filter is "*", the Path
                       Include filter is "*", and the Path Exclude filter
                       is empty ("").
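
                       The filter rules above (the '*' wildcard, case-insensitive
                       matching, Path Exclude overriding Path Include, and the
                       default filters) modelled in Python as an added illustration;
                       this is not code from NTFilemon itself, and the event list
                       and function names are constructed for the example.

```python
def wildcard_match(pattern: str, text: str) -> bool:
    """'*' matches any run of characters; comparison is case-insensitive."""
    p, t = pattern.lower(), text.lower()
    pi = ti = 0
    star, star_ti = -1, 0  # last '*' in p, and where in t it started matching
    while ti < len(t):
        if pi < len(p) and p[pi] == "*":
            star, star_ti = pi, ti
            pi += 1
        elif pi < len(p) and p[pi] == t[ti]:
            pi, ti = pi + 1, ti + 1
        elif star != -1:
            # Backtrack: let the last '*' absorb one more character.
            star_ti += 1
            pi, ti = star + 1, star_ti
        else:
            return False
    while pi < len(p) and p[pi] == "*":
        pi += 1
    return pi == len(p)

def should_log(process: str, path: str, proc_filter: str = "*",
               path_include: str = "*", path_exclude: str = "") -> bool:
    """Apply the three NTFilemon filters to one event. The defaults are
    the tool's defaults: everything included, nothing excluded."""
    if not wildcard_match(proc_filter, process):
        return False
    if not wildcard_match(path_include, path):
        return False
    # Path Exclude overrides Path Include where the two overlap; an
    # empty Exclude filter excludes nothing.
    if path_exclude and wildcard_match(path_exclude, path):
        return False
    return True

# Constructed sample events (process, path); not captured NTFilemon output.
SAMPLE_EVENTS = [
    ("notepad.exe", r"C:\temp\notes.txt"),
    ("System", r"C:\temp\pagefile.sys"),
    ("winword.exe", r"C:\Docs\report.doc"),
    ("System", r"C:\pagefile.sys"),
]

def logged_paths(proc_filter="*", path_include="*", path_exclude=""):
    """Paths that would appear in the listview under the given filters."""
    return [path for proc, path in SAMPLE_EVENTS
            if should_log(proc, path, proc_filter, path_include, path_exclude)]
```

                       With Path Include "c:\temp*" and Path Exclude "*pagefile*"
                       only C:\temp\notes.txt survives, matching the worked example
                       in the text.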

  Sample Screen Shot   This is a screenshot of NTFilemon filtering drives.

    More Information   Unfortunately, there is not that much good published
                       information on the Windows NT file system. The best
                       sources of information are ntddk.h in the Windows NT
                       DDK, and Helen Custer's Inside Windows NT.

                       For more detailed information on how NTFilemon
                       works, see:

                          * "Examining The Windows NT File System," by Mark
                            Russinovich and Bryce Cogswell, Dr. Dobb's
                            Journal, February 1997

                       If you need a custom filter driver or file system,
                       Open Systems Resources, Inc., may be able to help
                       out. They specialize in custom NT drivers and file
                       systems.

----------------------------------------------------------------------------

                          Download NTFilemon (36KB)

                      Download NTFilemon Source (113KB)