chrisrobinson
asked on
FileSnoop
I have MS VC++ 5.0 & I am trying to write a "FileSnoop" program which records system file accesses such as Open, Read, Write, etc. I have looked at FileMon and it's very elegant, but how can I do it without using a vxd?
I am sorry, unrelated question, but is this the Chris Robinson from Tacoma, WA?
Without writing a VxD, see:
* FindFirstChangeNotification
* FindNextChangeNotification
* FindCloseChangeNotification
To receive ALL the file access events you need to write a device driver. For a sample driver, look at the FileMon utility by Mark Russinovich.
For Windows NT: http://www.sysinternals.com/ntfilmon.htm
For Windows 95: http://www.sysinternals.com/filemon.htm
ASKER
I don't see how a FindFirstChangeNotification, for example, would catch a file open or read.
Also, how do I answer Booth882 - I can't find his email address.
To answer Booth882: by posting a comment.
E-mail addresses are not available from Ex-Ex unless Booth882 tells you in his own comment.
FindxxxChangeNotification only picks up _changes_ to the file system; this is a limitation of these functions.
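The FindFirstChangeNotification approach from the replies, as an added example that is not code from this thread: it waits for a modification anywhere under a directory tree, and an open or a read of a file in that tree never signals the handle, which is exactly the limitation described above. The watcher is Windows-only (the filter helper compiles anywhere); the `C:\Temp` path and the 10-second timeout are assumptions.

```c
/* Added example: directory change watching with the Win32
 * FindFirstChangeNotification family (not code from the thread). */
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Mirror the Win32 filter constants so the helper compiles off Windows. */
#define FILE_NOTIFY_CHANGE_FILE_NAME  0x00000001
#define FILE_NOTIFY_CHANGE_DIR_NAME   0x00000002
#define FILE_NOTIFY_CHANGE_ATTRIBUTES 0x00000004
#define FILE_NOTIFY_CHANGE_SIZE       0x00000008
#define FILE_NOTIFY_CHANGE_LAST_WRITE 0x00000010
#endif

/* Build the dwNotifyFilter for "anything that modifies the tree".
 * There is no flag for opens or reads; FILE_NOTIFY_CHANGE_LAST_ACCESS
 * exists, but file systems often disable or delay last-access updates,
 * so it is not a reliable way to catch reads either. */
unsigned long change_filter(int include_attributes) {
    unsigned long f = FILE_NOTIFY_CHANGE_FILE_NAME | FILE_NOTIFY_CHANGE_DIR_NAME
                    | FILE_NOTIFY_CHANGE_SIZE | FILE_NOTIFY_CHANGE_LAST_WRITE;
    if (include_attributes)
        f |= FILE_NOTIFY_CHANGE_ATTRIBUTES;
    return f;
}

/* Wait up to timeout_ms for one change under 'dir' (subtree included).
 * Returns 1 if a change was signalled, 0 on timeout, -1 on error
 * (including "not running on Windows"). */
int wait_for_change(const char *dir, unsigned long timeout_ms) {
#ifdef _WIN32
    HANDLE h = FindFirstChangeNotificationA(dir, TRUE, change_filter(1));
    if (h == INVALID_HANDLE_VALUE)
        return -1;
    DWORD r = WaitForSingleObject(h, timeout_ms);
    int rc = (r == WAIT_OBJECT_0) ? 1 : (r == WAIT_TIMEOUT) ? 0 : -1;
    /* Re-arm the handle; only needed when looping, shown for completeness. */
    if (rc == 1 && !FindNextChangeNotification(h))
        rc = -1;
    FindCloseChangeNotification(h);
    return rc;
#else
    (void)dir; (void)timeout_ms;
    return -1;
#endif
}

int main(void) {
    int rc = wait_for_change("C:\\Temp", 10000);  /* assumed path */
    printf("filter mask 0x%lx, result %d (1=change, 0=timeout, -1=error)\n",
           change_filter(1), rc);
    return 0;
}
```

Opening or reading a file under the watched directory while this runs produces a timeout, not a signal; only a create, rename, delete, write or attribute change wakes the wait.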
ASKER CERTIFIED SOLUTION
ASKER
Thanks for the info. I guess the VxD solution is best after all!
Now I must get the Windows 98 DDK.
For Booth882: No I'm not from Tacoma, WA - I'm from Maidenhead, Berkshire, England.