[NTFilemon Logo]
Copyright © 1997 Mark Russinovich and Bryce Cogswell
Last Updated August 11, 1997
NTFilemon - File System Monitor V3.1
Introduction NTFilemon is a Windows NT device driver/GUI
combination for NT 3.51 and NT 4.0 that together
log and display all file system activity on a
Windows NT system. The device driver is a type of
driver known as a filter driver. It layers itself
above the file system drivers so that it can see
I/O requests pass down to, and return from, file
systems such as NTFS, FASTFAT, CDFS, NWRDR, RAM
drives and any other type of file system driver
that has an associated drive letter.
Version 3.0 includes some minor bug fixes, further
improved code, and major usability enhancements
including a toolbar and output search
capabilities.
Installation and Use Installing NTFilemon is as easy as unzipping it
and typing, "ntfilmon." The GUI dynamically loads
the driver (based on code from the instdrv sample
in the Windows NT DDK), which starts filtering all
non-removable drives. The menus and tool bar
buttons can be used to set up process and path
filters, toggle on and off the filtering of
specific drives, and also to disable event
capturing, control the scrolling of the listview,
and to save the listview contents to an ASCII
file.
NTFilemon V3.0 allows you to set filters on
processes that are logged, as well as paths. Both
process and path filters take expressions similar
to what the command prompt takes: you can specify
names with '*' representing wild cards. The "Path
Include" filter represents path names that will be
monitored and the "Path Exclude" filter represents
path names that will not be monitored. Where there
is overlap, Path Exclude overrides. Note that the
filters are intrepreted in a case-*in*sensitive
manner.
For example, if you do not want to see paging file
activity you could specify "*pagefile*" as the
"Path Exclude" filter. If you only want to see
activity to the c:\temp directory, set "c:\temp*"
as the Path Include filter. If you set both of
these filters and a paging file is in C:\temp,
activity to the paging file would not be logged
whereas activity to the other files and
directories in c:\temp would be.
By default, the filters are set up to watch all
file system activity. The process filter is "*",
the Path Include filter is "*", and the Path
Exclude filter is empty ("").
Sample Screenshot This is a screenshot of NTFilemon filtering
drives.
More Information Unfortunately, there is not that much good
published information on the Windows NT file
system. The best sources of information are
ntddk.h in the Windows NT DDK, and Helen Custer's
Inside Windows NT.
For more detailed information on how NTFilemon
works, see:
* "Examining The Windows NT File System," by
Mark Russinovich and Bryce Cogswell, Dr.
Dobb's Journal, Febrary 1997
------------------------------------------------------------------------
Download NTFileMon (x86) (41KB)
Download NTFileMon (Alpha) (83KB)
Download NTFileMon Source (141KB)
[Image]