WUGNET Shareware Pick
Copyright © 1998 Mark Russinovich and Bryce Cogswell
Last Updated November 16, 1998
v4.0
------------------------------------------------------------------------

Introduction

Filemon is a GUI/device driver combination that monitors and displays all file system activity on a system. It has advanced filtering and search capabilities that make it a powerful tool for exploring the way Windows works, seeing how applications use files and DLLs, or tracking down problems in system or application configurations.

Version 4.0 unifies the previous NT- and Win9x-specific versions of Filemon under a common interface. Enhancements to the device drivers and the addition of UI features (always-on-top, listview tool-tips) also mark this major version update.

Filemon works on NT 3.51, 4.0 and 5.0 (Win2K), Windows 95 and Windows 98.

Sample Screen Shot

This is a screenshot of Filemon watching file system activity.

Installation and Use

Simply run the Filemon GUI (filemon.exe) from the same directory that the drivers (filemon.sys and filemon.vxd) reside in.

Windows NT: note that Filemon must be located on a non-network drive and that you must have administrative privilege to run it, since it loads a kernel-mode driver.

When Filemon is started for the first time it will monitor all local hard drives. Menus, hot-keys or toolbar buttons can be used to clear the window, select and deselect monitored drives (Windows NT), save the monitored data to a file, and filter and search the output.

As events are printed to the output they are tagged with a sequence number. If Filemon's internal buffers overflow during extremely heavy activity, events are lost, and this shows up as gaps in the sequence numbers; check for such gaps before treating a saved log as a complete record of activity.

Filemon allows you to set filters on the processes that are logged, as well as on paths. Both process and path filters take expressions similar to those the command prompt takes: you can specify names with '*' representing wild cards.
The "Path Include" filter gives the path names that will be monitored and the "Path Exclude" filter gives the path names that will not be monitored. Where the two overlap, Path Exclude overrides. Note that the filters are interpreted in a case-insensitive manner and that you can specify multiple filter strings by separating them with the ';' character. By default the filters are set up to watch all file system activity.

For example, if you do not want to see paging file activity you could specify "*pagefile*" as the Path Exclude filter. If you only want to see activity in the c:\temp and c:\winnt directories, set "c:\temp*;c:\winnt*" as the Path Include filter. If you set both of these filters and a paging file is in c:\temp, activity to the paging file would not be logged, whereas activity to the other files and directories in c:\temp would be.

Filemon can either timestamp events or show their duration. The Events menu and the clock toolbar button let you toggle between the two modes; the toolbar button shows the current mode as a clock or a stopwatch. When showing duration, the Time field in the output shows the number of seconds the underlying file system took to service each request.

Each time you exit Filemon it remembers the filters you have configured, the position of the window and the widths of the output columns.

How Filemon Works

For the Windows 95 driver, the heart of Filemon is the virtual device driver, filemon.vxd. It is dynamically loaded, and in its initialization it installs a file system filter via the VxD service IFSMGR_InstallFileSystemApiHook, which inserts it onto the call chain of all file system requests.

On Windows NT the heart is a file system filter driver that creates filter device objects and attaches them to the target file system device objects, so that Filemon sees all IRPs and FastIO requests directed at the monitored drives.
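The following Python model is added here as an example; it is not Filemon's own code. It replays a constructed stream of file system events through a handle-to-name table like the one the next paragraph describes, and then applies the Path Include/Exclude rules from the section above ('*' wildcard, ';' separator, case-insensitive, Exclude overrides Include). The event names (OPEN, READ, WRITE, CLOSE), handle values and paths are made up for the illustration, and the treatment of unresolved handles by the filters is an assumption noted in the code.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "op handle path")    # path is None for handle-based ops
Record = namedtuple("Record", "seq op name")


class HandleTable:
    """Handle -> full path mapping, standing in for the driver's hash table."""

    def __init__(self):
        self._names = {}

    def opened(self, handle, path):
        # Open/create calls carry the full name; remember it so later
        # handle-based calls (read, write, query) can be shown by name.
        self._names[handle] = path

    def closed(self, handle):
        # Forget the entry on close. Handle values are reused, so a stale
        # mapping would mislabel the next file opened on the same handle.
        self._names.pop(handle, None)

    def lookup(self, handle):
        # Unknown handle (file opened before monitoring began): show the raw
        # handle value instead, as Filemon does.
        return self._names.get(handle, "0x%X" % handle)


def resolve(events):
    """Replay events through a HandleTable, producing Filemon-style records
    tagged with a sequence number starting at 1."""
    table = HandleTable()
    records = []
    for seq, ev in enumerate(events, start=1):
        if ev.op in ("OPEN", "CREATE"):
            table.opened(ev.handle, ev.path)
            name = ev.path
        else:
            name = table.lookup(ev.handle)
            if ev.op == "CLOSE":
                table.closed(ev.handle)
        records.append(Record(seq, ev.op, name))
    return records


def compile_filter(spec):
    """Compile a Filemon filter string ("c:\\temp*;c:\\winnt*") into regexes:
    ';' separates patterns, '*' matches any run of characters, matching is
    case-insensitive and must cover the whole path."""
    regexes = []
    for token in spec.split(";"):
        token = token.strip()
        if token:
            body = ".*".join(re.escape(part) for part in token.split("*"))
            regexes.append(re.compile(r"\A" + body + r"\Z", re.IGNORECASE))
    return regexes


def is_logged(name, include_re, exclude_re):
    """A record is shown only if some Include pattern matches its name and no
    Exclude pattern does: where they overlap, Exclude wins."""
    if not any(r.match(name) for r in include_re):
        return False
    return not any(r.match(name) for r in exclude_re)


def filtered_trace(events, include="*", exclude=""):
    """Resolve names, then apply the Include/Exclude filters. With the
    defaults ("*" and "") every event is shown. Unresolved handles are
    displayed as "0xNN" and so only match patterns such as "*"; that the
    GUI filters them this way is an assumption, not documented behaviour."""
    inc, exc = compile_filter(include), compile_filter(exclude)
    return [r for r in resolve(events) if is_logged(r.name, inc, exc)]


# Constructed sample stream; not a real Filemon capture.
SAMPLE = [
    Event("READ",  0x3C, None),                     # opened before monitoring began
    Event("OPEN",  0x40, r"C:\WINNT\notepad.exe"),
    Event("READ",  0x40, None),
    Event("CLOSE", 0x40, None),
    Event("OPEN",  0x40, r"C:\temp\notes.txt"),     # handle value reused
    Event("WRITE", 0x40, None),
    Event("OPEN",  0x44, r"C:\temp\pagefile.sys"),
    Event("WRITE", 0x44, None),
    Event("OPEN",  0x48, r"D:\data\report.doc"),
]

if __name__ == "__main__":
    # The documented example: watch c:\temp and c:\winnt, drop the paging file.
    for r in filtered_trace(SAMPLE, include="c:\\temp*;c:\\winnt*", exclude="*pagefile*"):
        print("%d\t%s\t%s" % r)
```

Run with the documented filters, only the notepad.exe and notes.txt records are shown: the pagefile write is excluded even though it lives in c:\temp, the D: access matches no Include pattern, and the read on handle 0x3C (opened before monitoring began) appears as a raw handle value and so matches neither path pattern. The table drops its entry on close because handle values are reused, which is why the second OPEN on handle 0x40 is reported under its new name rather than as notepad.exe.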
When Filemon sees an open, create or close call, it updates an internal hash table that maps internal file handles to file path names. Whenever it sees a handle-based call, it looks up the handle in the hash table to obtain the full name for display. If a handle-based access references a file opened before Filemon started, Filemon will not find the mapping in its hash table and will simply present the handle's value instead. Information on accesses is written into an ASCII buffer that is periodically copied up to the GUI for it to print in its listbox.

More Information

The following serve as additional sources of information on the Windows 95 file system:

* The Windows 95 DDK
* "Examining the Windows 95 Layered File System," by Mark Russinovich and Bryce Cogswell, Dr. Dobb's Journal, December 1995
* "System Programming for Windows 95," by Walter Oney, Microsoft Press, 1996 (a must have for VxD writers)
* "Inside the Windows 95 File System," by Stan Mitchell, O'Reilly and Associates, 1996

These are sources of information on the Windows NT/2000 file system:

* "Examining the Windows NT File System," by Mark Russinovich and Bryce Cogswell, Dr. Dobb's Journal, February 1997
* "Windows NT File System Internals," by Rajeev Nagar, O'Reilly and Associates, 1997

------------------------------------------------------------------------

In order to help us track its use, please download through the link that represents the operating system on which you will use, or mostly use, Filemon. Note that the zip files are identical, and Filemon runs on either platform.

Download Filemon (x86 - 64KB) - you plan on using Filemon on Win9x
Download Filemon (x86 - 64KB) - you plan on using Filemon on WinNT
Download Filemon (Alpha - 92KB)
Download Filemon Plus Source (313KB)