
Windows NT File Monitor


------------------------------------------------------------------------

Copyright (C) 1996, Mark Russinovich and Bryce Cogswell
FILEMON is a Windows NT GUI/device-driver combination that intercepts and 
displays information about all file system activity on a Windows NT 
system. The file systems monitored include FAT, HPFS, NTFS, CDFS, network 
redirectors and RAM drives. The information displayed includes the request 
type, the full pathname of the target file, the return status, and 
request-specific details such as read/write offsets and lengths. Even 
direct access to drives by utilities such as FORMAT and CHKDSK is visible 
to FILEMON. 

Download: NTFMON.ZIP

Also see the excellent Windows 95 File Monitor by Stan Mitchell

Installation and Usage

Running FILEMON is as easy as typing "FILEMON" in the install directory. 
The FILEMON device driver, FILEMON.SYS, is loaded automatically when 
FILEMON starts and unloaded when FILEMON exits. Because FILEMON.SYS is a 
kernel-mode driver, loading it requires administrative privileges on the 
system.
By default, FILEMON monitors all non-removable drives on the system. The 
DRIVES menu indicates which drives are being watched by check-marking 
those drives. The monitoring status of any drive, including a removable 
drive such as a floppy, can be toggled at any time by selecting the drive 
letter in the DRIVES menu. 

Implementation

At startup, the Filemon GUI (filemon.exe) passes the Filemon device 
driver (filemon.sys) the list of logical drive letters present on the 
system. For each drive, the driver determines, via a method similar to 
the one the NT kernel uses, which device object represents the logical 
drive: it opens the root directory of the drive, obtains the file object 
from the returned file handle (ObReferenceObjectByHandle), and then gets 
the file object's related device object (IoGetRelatedDeviceObject).
Next, Filemon creates a hook device object with IoCreateDevice and 
attaches it to the drive's device object with IoAttachDeviceByPointer. 
This ensures that Filemon sees every file system request directed at the 
drive before the logical drive's file system driver sees it.
When Filemon sees a request (the I/O request packet [IRP] is passed to 
Filemon as a parameter of the hook device's dispatch routine), it 
extracts the request parameters and registers a completion routine for 
the request (IoSetCompletionRoutine) so that it can observe the request's 
return status once the file system driver has completed it.
The Filemon GUI periodically performs a DeviceIoControl to the Filemon 
device driver, at which time the driver copies the latest batch of 
request information into a GUI-supplied buffer. 
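The following is an added example, not code from Filemon or its authors: a user-mode C model of the design just described. The NT I/O manager calls (IoGetRelatedDeviceObject, IoAttachDeviceByPointer, IoCallDriver, IoSetCompletionRoutine, the GUI's DeviceIoControl) are replaced by plain C functions of the same shape, the file system driver is a constructed stand-in that refuses anything under a made-up \hidden directory, and the ring buffer is deliberately tiny so that the failure mode a practitioner cares about, the GUI polling too slowly and records being dropped, is easy to reach. It is a model of the architecture, not kernel driver code, and all names in it are assumptions.

```c
/* Model of the Filemon design: a hook device attached above a volume's file
 * system device object records every request, learns the return status in a
 * completion routine, and batches records for a polling GUI.  NT kernel calls
 * are replaced by plain C functions; this is not driver code (added example). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Real NTSTATUS values for the outcomes this model produces. */
#define STATUS_SUCCESS       0x00000000u
#define STATUS_PENDING       0x00000103u
#define STATUS_ACCESS_DENIED 0xC0000022u
/* Real IRP major function codes for the request types modelled. */
enum { IRP_MJ_CREATE = 0x00, IRP_MJ_READ = 0x03, IRP_MJ_WRITE = 0x04 };

typedef struct Irp Irp;
typedef struct Device Device;
typedef void (*CompletionFn)(Irp *irp, void *ctx);

struct Irp {                     /* the subset of an IRP the hook cares about */
    int          major;
    char         path[64];
    uint64_t     offset, length;
    uint32_t     status;
    CompletionFn completion;     /* set by the hook, as IoSetCompletionRoutine would */
    void        *ctx;
};
struct Device {
    uint32_t (*dispatch)(Device *dev, Irp *irp);   /* invoked by io_call_driver */
    void      *ext;                                /* device extension */
};
typedef struct {                 /* one line of monitor output */
    int major; char path[64]; uint64_t offset, length; uint32_t status;
} Record;

#define RING 8                   /* deliberately small so overflow is easy to reach */
typedef struct { Record buf[RING]; int head, count, dropped; } Log;
typedef struct { Log log; Device *lower; } HookExt;   /* hook device extension */

/* --- stand-ins for the I/O manager (assumed names) ---------------------- */
static Device *g_volume_top[26];          /* top of each drive letter's device stack */
static uint32_t io_call_driver(Device *dev, Irp *irp) { return dev->dispatch(dev, irp); }
static void io_complete_request(Irp *irp) { if (irp->completion) irp->completion(irp, irp->ctx); }
/* Models IoGetRelatedDeviceObject on the drive's root directory: the current stack top. */
static Device *io_get_related_device_object(char drive) { return g_volume_top[drive - 'A']; }
/* Models IoAttachDeviceByPointer: the hook becomes the stack top and remembers the
 * device beneath it so that it can pass every request down. */
static void io_attach_device_by_pointer(Device *hook, char drive) {
    ((HookExt *)hook->ext)->lower = io_get_related_device_object(drive);
    g_volume_top[drive - 'A'] = hook;
}

/* --- constructed file system driver: completes synchronously ------------- */
static uint32_t fs_dispatch(Device *dev, Irp *irp) {
    (void)dev;   /* constructed rule: anything under \hidden is refused */
    irp->status = strncmp(irp->path, "\\hidden", 7) == 0 ? STATUS_ACCESS_DENIED : STATUS_SUCCESS;
    io_complete_request(irp);
    return irp->status;
}

/* --- the hook device ------------------------------------------------------ */
static Record *log_reserve(Log *log) {    /* NULL when the GUI is polling too slowly */
    if (log->count == RING) { log->dropped++; return NULL; }
    return &log->buf[(log->head + log->count++) % RING];
}
static void hook_complete(Irp *irp, void *ctx) {   /* completion routine: learn the status */
    ((Record *)ctx)->status = irp->status;
}
static uint32_t hook_dispatch(Device *dev, Irp *irp) {
    HookExt *ext = dev->ext;
    Record *rec = log_reserve(&ext->log);
    if (rec) {                            /* capture parameters before the FSD sees them */
        rec->major = irp->major; rec->offset = irp->offset; rec->length = irp->length;
        strncpy(rec->path, irp->path, sizeof rec->path - 1); rec->path[sizeof rec->path - 1] = '\0';
        rec->status = STATUS_PENDING;     /* until the completion routine runs */
        irp->completion = hook_complete; irp->ctx = rec;
    }
    return io_call_driver(ext->lower, irp);   /* always pass the request down, logged or not */
}
/* Models the GUI's periodic DeviceIoControl: copy out the batch and empty the ring.
 * A real driver must guard the ring with a lock here and in log_reserve; this
 * model is single-threaded, so none is shown. */
static int filemon_drain(Device *hook, Record *out, int max) {
    Log *log = &((HookExt *)hook->ext)->log;
    int n = 0;
    while (log->count > 0 && n < max) {
        out[n++] = log->buf[log->head];
        log->head = (log->head + 1) % RING; log->count--;
    }
    return n;
}
static int filemon_dropped(Device *hook) { return ((HookExt *)hook->ext)->log.dropped; }

/* Mount the constructed FSD for a drive letter, then hook it; returns the hook. */
static Device *filemon_install(char drive) {
    Device *fs = calloc(1, sizeof *fs);   fs->dispatch = fs_dispatch;
    g_volume_top[drive - 'A'] = fs;
    Device *hook = calloc(1, sizeof *hook); hook->dispatch = hook_dispatch;
    hook->ext = calloc(1, sizeof(HookExt));
    io_attach_device_by_pointer(hook, drive);
    return hook;
}
/* Issue a request the way the I/O manager would: to the top of the drive's stack. */
static uint32_t filemon_request(char drive, int major, const char *path, uint64_t off, uint64_t len) {
    Irp irp = {0};
    irp.major = major; irp.offset = off; irp.length = len;
    strncpy(irp.path, path, sizeof irp.path - 1);
    return io_call_driver(io_get_related_device_object(drive), &irp);
}
```

Two design points the model makes visible. First, the hook forwards every request to the device it was attached over, whether or not it managed to log it, so a full ring costs records but never alters or fails I/O; a monitor that blocks the stack when its buffer fills is a denial of service waiting to happen. Second, the status is written by the completion routine, not at dispatch time, which is why each record is reserved as STATUS_PENDING and only later filled in.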

Reaching Us

Mark can be reached at markr@numega.com and Bryce can be reached at 
cogswell@cs.uoregon.edu. 