Copyright © 1996-97 Mark Russinovich and Bryce Cogswell
Last updated March 3, 1997

NTFilemon - File System Monitor V2.0

Introduction

NTFilemon is a Windows NT device driver/GUI combination for NT 3.51 and NT 4.0 that together log and display all file system activity on a Windows NT system. The device driver is a type of driver known as a filter driver. It layers itself above the file system drivers so that it can see I/O requests pass down to, and return from, file systems such as NTFS, FASTFAT, CDFS, NWRDR, RAM drives and any other type of file system driver that has an associated drive letter.

Version 2.0 includes some minor bug fixes, further improved code, and advanced output filtering capabilities.

Installation and Use

Installing NTFilemon is as easy as unzipping it and typing "ntfilmon". The GUI dynamically loads the driver (based on code from the instdrv sample in the Windows NT DDK), which starts filtering all non-removable drives. The menus can be used to set up process and path filters, toggle on and off the filtering of specific drives, disable event capturing, control the scrolling of the listview, and save the listview contents to an ASCII file.

NTFilemon V2.0 allows you to set filters on the processes that are logged, as well as on paths. Both process and path filters take expressions similar to what the command prompt takes: you can specify names with '*' representing wild cards. The "Path Include" filter represents path names that will be monitored and the "Path Exclude" filter represents path names that will not be monitored. Where the two overlap, Path Exclude overrides. Note that the filters are interpreted in a case-*in*sensitive manner.

For example, if you do not want to see paging file activity you could specify "*pagefile*" as the "Path Exclude" filter. If you only want to see activity to the c:\temp directory, set "c:\temp*" as the Path Include filter. If you set both of these filters and a paging file is in C:\temp, activity to the paging file would not be logged whereas activity to the other files and directories in c:\temp would be.

By default, the filters are set up to watch all file system activity: the process filter is "*", the Path Include filter is "*", and the Path Exclude filter is empty ("").

Sample Screen Shot

[Screenshot of NTFilemon filtering drives]

More Information

Unfortunately, there is not that much good published information on the Windows NT file system. The best sources of information are ntddk.h in the Windows NT DDK, and Helen Custer's Inside Windows NT. For more detailed information on how NTFilemon works, see:

* "Examining The Windows NT File System," by Mark Russinovich and Bryce Cogswell, Dr. Dobb's Journal, February 1997

If you need a custom filter driver or file system, Open Systems Resources, Inc., may be able to help out. They specialize in custom NT drivers and file systems.

----------------------------------------------------------------------------

Download NTFilemon (36KB)
Download NTFilemon Source (113KB)
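The filter rules described under Installation and Use (process filter, Path Include, Path Exclude, '*' wildcards, case-insensitive matching, Exclude overriding Include), as an added C example that is not NTFilemon's own code: it runs constructed sample events through the page's "c:\temp*" / "*pagefile*" configuration. It assumes the process filter is compared against the process image name and that '*' is the only wildcard.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

/* Case-insensitive wildcard match where '*' stands for any run of
   characters, the only wildcard the NTFilemon text describes. */
static bool wild_match(const char *pat, const char *s) {
    const char *star = NULL, *mark = NULL;
    while (*s) {
        if (*pat == '*') { star = pat++; mark = s; continue; }
        if (*pat && tolower((unsigned char)*pat) == tolower((unsigned char)*s)) {
            pat++; s++; continue;
        }
        if (star) { pat = star + 1; s = ++mark; continue; }  /* back up to last '*' */
        return false;
    }
    while (*pat == '*') pat++;   /* trailing stars match the empty tail */
    return *pat == '\0';
}

/* The three V2.0 filters; defaults are "*", "*" and "" respectively. */
typedef struct { const char *process, *path_include, *path_exclude; } filters_t;

/* Log an event only if the process matches, the path matches Path Include,
   and the path does not match Path Exclude (Exclude overrides Include). */
bool should_log(const filters_t *f, const char *process, const char *path) {
    if (!wild_match(f->process, process)) return false;
    if (!wild_match(f->path_include, path)) return false;
    if (f->path_exclude[0] && wild_match(f->path_exclude, path)) return false;
    return true;
}

/* The page's own example: Include "c:\temp*", Exclude "*pagefile*". */
const filters_t kPageFilters = { "*", "c:\\temp*", "*pagefile*" };

int main(void) {
    /* Constructed sample events (process image name, full path); not real captures. */
    static const char *events[][2] = {
        { "WINWORD.EXE",  "C:\\temp\\report.doc" },
        { "System",       "C:\\temp\\pagefile.sys" },
        { "EXPLORER.EXE", "C:\\winnt\\system32\\shell32.dll" },
    };
    for (size_t i = 0; i < sizeof events / sizeof events[0]; i++)
        printf("%-4s %-13s %s\n",
               should_log(&kPageFilters, events[i][0], events[i][1]) ? "LOG" : "skip",
               events[i][0], events[i][1]);
    return 0;
}
```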