------------------------------------------------------------------------
Windows NT File Monitor
------------------------------------------------------------------------

Copyright (C) 1996, Mark Russinovich and Bryce Cogswell

FILEMON is a Windows NT GUI/device driver combination that intercepts and displays information about all file system activity on a Windows NT system. File systems monitored include FAT, HPFS, NTFS, CDFS, network redirectors and RAM drives. Information displayed includes the request type, the full pathname of the request's target file, the return status, and additional information specific to the request, such as read/write offsets and lengths. Even direct access to drives by utilities such as FORMAT and CHKDSK is visible to FILEMON.

Download: NTFMON.ZIP

Also see the excellent Windows 95 File Monitor by Stan Mitchell

Installation and Usage

Running FILEMON is as easy as typing "FILEMON" in the install directory. The FILEMON device driver, FILEMON.SYS, is loaded automatically and then unloaded when FILEMON exits. By default, FILEMON monitors all non-removable drives on the system. The DRIVES menu shows which drives are being watched by check-marking them. The monitoring status of any drive, including a removable drive such as a floppy, can be toggled at any time by selecting its drive letter in the DRIVES menu.

Implementation

At startup, the Filemon GUI (filemon.exe) passes the Filemon device driver (filemon.sys) a list of the system's logical drive letters. The driver determines, via a method similar to the one the NT kernel uses, which device object represents each logical drive.
This method consists of opening the root directory of the drive, obtaining the file object from the returned file handle (ObReferenceObjectByHandle), and then getting the file object's related device object (IoGetRelatedDeviceObject). Next, Filemon creates a hook device object with IoCreateDevice and attaches it to the drive's device object using IoAttachDeviceByPointer. This ensures that Filemon sees every file system request directed at the drive before the logical drive's file system driver does. When Filemon sees a request (the I/O request packet [IRP] is passed to Filemon as one of the hook procedure's parameters), it extracts the request parameters and registers a completion routine (using IoSetCompletionRoutine) so that it can view the request's return status. The Filemon GUI periodically issues a DeviceIoControl to the Filemon device driver, at which time the driver copies the latest batch of request information into a GUI-supplied buffer.

Reaching Us

Mark can be reached at markr@numega.com and Bryce can be reached at cogswell@cs.uoregon.edu.
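
The hook flow described under Implementation, as a user-mode C model added here for illustration (not kernel code and not Filemon's source): a hook device sits above a stand-in file system driver, logs each request's parameters on the way down, and learns the return status in a completion callback. Device, Irp, LogEntry, the function names and the sample paths are assumptions constructed for this example.

```c
/* User-mode model, not kernel code or Filemon's source; all names are hypothetical. */
#include <stdio.h>
#include <string.h>
typedef struct Irp Irp; typedef struct Device Device;
struct Irp { const char *op, *path; int status; void (*done)(Irp *, void *); void *ctx; };
struct Device { int (*dispatch)(Device *, Irp *); Device *lower; };
typedef struct { char op[16], path[64]; int status; } LogEntry;
static LogEntry g_log[16]; static int g_count;
/* Stand-in file system driver: fails requests for one constructed path. */
static int fs_dispatch(Device *dev, Irp *irp) {
    (void)dev;
    irp->status = strcmp(irp->path, "C:\\missing.txt") == 0 ? -1 : 0;
    if (irp->done) irp->done(irp, irp->ctx);  /* completion runs on the way back up */
    return irp->status;
}
/* Completion routine: the return status is only known here. */
static void hook_complete(Irp *irp, void *ctx) { ((LogEntry *)ctx)->status = irp->status; }
/* Hook dispatch: sees the request before the file system driver does. */
static int hook_dispatch(Device *dev, Irp *irp) {
    if (g_count < 16) {                       /* buffer full: pass through unlogged */
        LogEntry *e = &g_log[g_count++];
        snprintf(e->op, sizeof e->op, "%s", irp->op);
        snprintf(e->path, sizeof e->path, "%s", irp->path);
        irp->done = hook_complete; irp->ctx = e;  /* models IoSetCompletionRoutine */
    }
    return dev->lower->dispatch(dev->lower, irp);
}
/* Models the GUI's periodic DeviceIoControl: copy out a batch, keep the rest. */
static int drain(LogEntry *out, int max) {
    int n = g_count < max ? g_count : max;
    memcpy(out, g_log, (size_t)n * sizeof *out);
    memmove(g_log, g_log + n, (size_t)(g_count - n) * sizeof *g_log);
    g_count -= n;
    return n;
}
/* Sends two constructed requests through the attached stack, then drains. */
static int demo(LogEntry *out, int max) {
    Device fs = { fs_dispatch, NULL }, hook = { hook_dispatch, &fs };  /* attach */
    Irp reqs[] = { { "OPEN", "C:\\boot.ini", 0, NULL, NULL },
                   { "OPEN", "C:\\missing.txt", 0, NULL, NULL } };
    for (int i = 0; i < 2; i++) hook.dispatch(&hook, &reqs[i]);
    return drain(out, max);
}
int main(void) {
    LogEntry out[4];
    for (int i = 0, n = demo(out, 4); i < n; i++)
        printf("%s %s -> %d\n", out[i].op, out[i].path, out[i].status);
    return 0;
}
```

In the model the lower driver completes every request synchronously; a real driver may complete an IRP later, which is why the status has to be captured in the completion routine rather than after the call down the stack returns.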