[Filemon Logo]

  Copyright © 1998 Mark Russinovich and Bryce Cogswell

  Last Updated April 5, 1998 V3.4
  ------------------------------------------------------------------------

     Introduction  Filemon for Windows NT is a Windows NT device
                   driver/GUI combination for NT 3.51 and NT 4.0 that
                   together log and display all file system activity on a
                   Windows NT system. The device driver is a type of
                   driver known as a filter driver. It layers itself
                   above the file system drivers so that it can see I/O
                   requests pass down to, and return from, file systems
                   such as NTFS, FASTFAT, CDFS, NWRDR, RAM drives and any
                   other type of file system driver that has an
                   associated drive letter.

                   Version 3.4 includes time-stamping and measurement
                   capability.

     Installation  Installing Filemon for Windows NT is as easy as
          and Use  unzipping it and typing, "ntfilmon." The GUI
                   dynamically loads the driver (based on code from the
                   instdrv sample in the Windows NT DDK), which starts
                   filtering all non-removable drives. The menus and tool
                   bar buttons can be used to set up process and path
                   filters, toggle on and off the filtering of specific
                   drives, and also to disable event capturing, control
                   the scrolling of the listview, and to save the
                   listview contents to an ASCII file.

                   Filemon for Windows NT V3.0 allows you to set filters
                   on processes that are logged, as well as paths. Both
                   process and path filters take expressions similar to
                   what the command prompt takes: you can specify names
                   with '*' representing wild cards. The "Path Include"
                   filter represents path names that will be monitored
                   and the "Path Exclude" filter represents path names
                   that will not be monitored. Where there is overlap,
                   Path Exclude overrides. Note that the filters are
                   interpreted in a case-*in*sensitive manner.

                   For example, if you do not want to see paging file
                   activity you could specify "*pagefile*" as the "Path
                   Exclude" filter. If you only want to see activity to
                   the c:\temp directory, set "c:\temp*" as the Path
                   Include filter. If you set both of these filters and a
                   paging file is in C:\temp, activity to the paging file
                   would not be logged whereas activity to the other
                   files and directories in c:\temp would be.

                   By default, the filters are set up to watch all file
                   system activity. The process filter is "*", the Path
                   Include filter is "*", and the Path Exclude filter is
                   empty ("").
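
                   The filter rules above can be modeled in a few lines
                   of C. This is an added example, not code from the
                   Filemon source; the function names are hypothetical,
                   and it assumes the process filter is matched against
                   the process name.

```c
#include <ctype.h>
#include <stdio.h>

/* Case-insensitive match; '*' in pat matches any run of characters. */
static int wild_match(const char *pat, const char *text)
{
    const char *star = NULL, *retry = NULL;
    while (*text) {
        if (*pat == '*') {                 /* remember star for backtracking */
            star = pat++;
            retry = text;
        } else if (*pat && tolower((unsigned char)*pat) ==
                           tolower((unsigned char)*text)) {
            pat++;
            text++;
        } else if (star) {                 /* let the last '*' absorb one more char */
            pat = star + 1;
            text = ++retry;
        } else {
            return 0;
        }
    }
    while (*pat == '*') pat++;             /* trailing stars match the empty string */
    return *pat == '\0';
}

/* 1 if an event would be logged. Path Exclude overrides Path Include;
   an empty exclude filter excludes nothing (the documented default). */
static int would_log(const char *proc, const char *incl, const char *excl,
                     const char *process, const char *path)
{
    if (!wild_match(proc, process)) return 0;
    if (excl[0] != '\0' && wild_match(excl, path)) return 0;
    return wild_match(incl, path);
}

int main(void)
{
    /* Constructed sample events: process name, path. */
    const char *ev[][2] = {
        {"System",      "C:\\temp\\pagefile.sys"},
        {"notepad.exe", "C:\\TEMP\\notes.txt"},
        {"notepad.exe", "C:\\winnt\\win.ini"},
    };
    for (size_t i = 0; i < sizeof ev / sizeof ev[0]; i++)
        printf("%-12s %-24s %s\n", ev[i][0], ev[i][1],
               would_log("*", "c:\\temp*", "*pagefile*", ev[i][0], ev[i][1])
                   ? "logged" : "filtered out");
    return 0;
}
```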

                   If you wish to see the contents of a field that is
                   partially obscured because the listview column it is
                   in is too narrow, just right-click on it. You'll get a
                   tool-tip containing the entire text of the field. To
                   remove the tool-tip, move the mouse over it, or pop up
                   another one.

           Sample  This is a screenshot of Filemon for Windows NT
       Screenshot  filtering drives.

             More  Unfortunately, there is not that much good published
      Information  information on the Windows NT file system. The best
                   sources of information are ntddk.h in the Windows NT
                   DDK, and Helen Custer's Inside Windows NT.

                   For more detailed information on how Filemon for
                   Windows NT works, see:

                      * "Examining The Windows NT File System," by Mark
                        Russinovich and Bryce Cogswell, Dr. Dobb's
                        Journal, February 1997

  ------------------------------------------------------------------------

                Download Filemon for Windows NT (x86) (41KB)

               Download Filemon for Windows NT (Alpha) (83KB)

               Download Filemon for Windows NT Source (141KB)
