Recipe 8.21. Viewing File Activity


Problem

You want to view the file activity on a system.

Solution

Using downloadable software

Open the Sysinternals File Monitor (filemon.exe). It automatically starts logging all file activity when it is opened.

To stop capturing file activity, click the Capture icon (magnifying glass), select File → Capture Events from the menu, or type CTRL+E.

To search the captured data, click the Find icon (binoculars), select Edit → Find from the menu, or type CTRL+F. The text you enter will be matched against any part of the captured data (index, time, process name, request, and file path).

To filter the captured data so that only the entries that match your filter are displayed, click the Filter icon, select Options → Filter/Highlight from the menu, or type CTRL+L.

If you double-click a particular entry in File Monitor, it will open a Windows Explorer window to the directory containing the target file.

Discussion

Ever heard your hard disks spinning or seen the disk indicator light flashing without knowing why? You may not appear to have any applications open or running, but something is still accessing the hard disks. The Sysinternals File Monitor utility lets you see which processes are reading or writing files. It also has robust filter and search capabilities, which are helpful given that File Monitor can capture thousands of operations in a matter of minutes. Figure 8-2 shows sample output from File Monitor.

Figure 8-2. File Monitor screen
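
When a capture holds thousands of operations, the any-column search described in the Solution can also be run over a saved log to see which processes are writing where. This is an added example, not code from the book or from Sysinternals; it assumes the log was saved as tab-delimited text with columns in the order index, time, process, request, path, result, other, and the function names and sample rows are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Assumed column order of the saved log (an assumption, not documented on this page).
FIELDS = ("index", "time", "process", "request", "path", "result", "other")

# Constructed sample rows; real captures will differ.
ROWS = [
    ("1", "10:15:01", "svchost.exe:1024", "READ",
     r"C:\WINDOWS\system32\config\software.LOG", "SUCCESS", "Offset: 0 Length: 512"),
    ("2", "10:15:01", "notepad.exe:2316", "OPEN", r"C:\temp\notes.txt", "SUCCESS", "Options: Open"),
    ("3", "10:15:02", "notepad.exe:2316", "WRITE", r"C:\temp\notes.txt", "SUCCESS", "Offset: 0 Length: 42"),
    ("4", "10:15:02", "notepad.exe:2316", "WRITE", r"C:\temp\notes.txt", "SUCCESS", "Offset: 42 Length: 10"),
    ("5", "10:15:03", "indexer.exe:880", "WRITE", r"C:\temp\index.dat", "SUCCESS"),
]
SAMPLE_LOG = ("#\tTime\tProcess\tRequest\tPath\tResult\tOther\n"
              + "\n".join("\t".join(r) for r in ROWS)
              + "\ntruncated line\n")


def parse_log(text):
    """Yield one dict per data row; skip the header and malformed lines."""
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) < 5 or not row[0].strip().isdigit():
            continue
        row += [""] * (len(FIELDS) - len(row))  # pad a missing trailing column
        yield dict(zip(FIELDS, (cell.strip() for cell in row)))


def find(entries, text):
    """Match text against any column; case-insensitive by choice in this example."""
    needle = text.lower()
    return [e for e in entries if any(needle in v.lower() for v in e.values())]


def writers(entries):
    """Count WRITE requests per (process, path), busiest first."""
    counts = Counter((e["process"], e["path"])
                     for e in entries if e["request"].upper() == "WRITE")
    return counts.most_common()


if __name__ == "__main__":
    entries = list(parse_log(SAMPLE_LOG))
    for (process, path), n in writers(entries):
        print(f"{n:4d}  {process:20s}  {path}")
```
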




Windows XP Cookbook
ISBN: 0596007256
Year: 2006
Pages: 408
