FileMonitor

FileMon, shown in Figure A-3, is a real-time file system activity monitor. FileMon displays the time of every open, read, write, or delete file system event, the process that initiated the event, the type of event, the full path to the system file, and the status outcome for each file system event. In addition, FileMon contains an “Other” column that can display file size, file attributes, and other event-specific information.

Figure A-3

Simply execute the File Monitor program file (filemon.exe) and FileMon will immediately begin capturing file system events. You can specify fixed drives, removable drives, read-write drives, network drives, mail slots, and even named pipes. Once you’ve selected the volume type(s) of interest, you can further filter the output for content.

FileMon is very similar to RegMon. Like RegMon, menu items and toolbar buttons can be used to toggle on and off monitoring, disable or filter event capturing, control the scrolling of the main window, and save the contents of the main window to an ASCII file.

FileMon also has RegMon’s capability to go to a specific event location. Simply double-click the event (or use the Explorer Jump toolbar button or the Edit Explorer Jump menu option) and FileMon will open an Explorer window to the file referenced in the event.

Also like RegMon, if you stop scrolling, select an entry from the process of interest, right-click the entry, and select Include Process, then FileMon will only show file system events initiated by that process. Again, this is a great way to determine what your process, or a process under investigation, is doing.