Copyright © 1997 Mark Russinovich and Bryce Cogswell
Last Updated August 11, 1997

NTFilemon - File System Monitor V3.1

Introduction

NTFilemon is a Windows NT device driver/GUI combination for NT 3.51 and NT 4.0 that together log and display all file system activity on a Windows NT system. The device driver is a type of driver known as a filter driver. It layers itself above the file system drivers so that it can see I/O requests pass down to, and return from, file systems such as NTFS, FASTFAT, CDFS, NWRDR, RAM drives and any other type of file system driver that has an associated drive letter.

Version 3.0 includes some minor bug fixes, further improved code, and major usability enhancements including a toolbar and output search capabilities.

Installation and Use

Installing NTFilemon is as easy as unzipping it and typing "ntfilmon". The GUI dynamically loads the driver (based on code from the instdrv sample in the Windows NT DDK), which starts filtering all non-removable drives. The menus and toolbar buttons can be used to set up process and path filters, toggle on and off the filtering of specific drives, disable event capturing, control the scrolling of the listview, and save the listview contents to an ASCII file.

NTFilemon V3.0 allows you to set filters on the processes that are logged, as well as on paths. Both process and path filters take expressions similar to what the command prompt takes: you can specify names with '*' representing wildcards. The "Path Include" filter represents path names that will be monitored and the "Path Exclude" filter represents path names that will not be monitored. Where there is overlap, Path Exclude overrides. Note that the filters are interpreted in a case-*in*sensitive manner. For example, if you do not want to see paging file activity you could specify "*pagefile*" as the "Path Exclude" filter. If you only want to see activity to the c:\temp directory, set "c:\temp*" as the Path Include filter.

If you set both of these filters and a paging file is in C:\temp, activity to the paging file would not be logged, whereas activity to the other files and directories in c:\temp would be. By default, the filters are set up to watch all file system activity: the process filter is "*", the Path Include filter is "*", and the Path Exclude filter is empty ("").

Sample Screenshot

This is a screenshot of NTFilemon filtering drives.

More Information

Unfortunately, there is not that much good published information on the Windows NT file system. The best sources of information are ntddk.h in the Windows NT DDK, and Helen Custer's Inside Windows NT. For more detailed information on how NTFilemon works, see:

* "Examining The Windows NT File System," by Mark Russinovich and Bryce Cogswell, Dr. Dobb's Journal, February 1997

------------------------------------------------------------------------

Download NTFileMon (x86) (41KB)
Download NTFileMon (Alpha) (83KB)
Download NTFileMon Source (141KB)
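The filter rules described under Installation and Use (a process filter plus Path Include and Path Exclude, '*' as the only wildcard, case-insensitive matching, and Exclude overriding Include where they overlap) are easy to get wrong when you reason about what will and will not appear in the log. The following Python model, written here as an added illustration and not taken from NTFilemon's own source, reproduces those semantics over a handful of constructed (process, path) records, including the paging-file-in-C:\temp case the text walks through. The sample records, the `FilterSet` class and the `apply_filters` helper are all assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample records in the shape NTFilemon displays (process, path).
# These are made up for the example, not output captured from the tool.
SAMPLE_EVENTS = [
    ("winword.exe",  r"C:\temp\report.doc"),
    ("System",       r"C:\temp\pagefile.sys"),
    ("System",       r"C:\pagefile.sys"),
    ("explorer.exe", r"C:\WINNT\explorer.exe"),
    ("notepad.exe",  r"c:\TEMP\notes.txt"),
]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Compile an NTFilemon-style filter expression.

    Only '*' is special (it stands for any run of characters); everything
    else is matched literally, and matching ignores case.  An empty pattern
    compiles to a regex that matches only the empty string, so an empty
    Path Exclude ("") excludes nothing, as the documented default requires.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile(".*".join(literal_parts), re.IGNORECASE)


@dataclass
class FilterSet:
    """The three NTFilemon filters, with the documented defaults ('*', '*', '')."""
    process: str = "*"
    path_include: str = "*"
    path_exclude: str = ""

    def __post_init__(self) -> None:
        self._proc_re = glob_to_regex(self.process)
        self._inc_re = glob_to_regex(self.path_include)
        self._exc_re = glob_to_regex(self.path_exclude)

    def matches(self, process: str, path: str) -> bool:
        """Return True if a record would be shown in the log."""
        # The process filter must match the originating process name.
        if not self._proc_re.fullmatch(process):
            return False
        # The path must be inside the Path Include set ...
        if not self._inc_re.fullmatch(path):
            return False
        # ... and, where Include and Exclude overlap, Exclude wins.
        if self._exc_re.fullmatch(path):
            return False
        return True


def apply_filters(events, filters: FilterSet):
    """Return only the records the given FilterSet would let through."""
    return [event for event in events if filters.matches(*event)]


if __name__ == "__main__":
    # Example from the text: watch c:\temp but drop paging file activity.
    temp_only = FilterSet(path_include=r"c:\temp*", path_exclude="*pagefile*")
    for process, path in apply_filters(SAMPLE_EVENTS, temp_only):
        print(f"{process:<14} {path}")
```

Running the block prints only the winword.exe and notepad.exe records: the paging file under C:\temp is inside the Path Include set but is removed by the Path Exclude pattern, and activity outside c:\temp never passed Path Include in the first place. Note that the lowercase "c:\temp*" pattern still matches the uppercase "C:\temp\..." and "c:\TEMP\..." paths because of the case-insensitive rule.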