sidwelle
asked on
using sysinternals process monitor to monitor file activity ...
I need to monitor the activity on one file and I want to see how often a service on the server reads the file.
Using a filter for that one particular file, I can see many file opens/closes ...
I figure the first open is just to get rights, properties, and lock the file, but how do I detect that the contents were actually read?
Thanks.
If you see IRP calls, you have switched on advanced logging, which you should only do in rare cases.
CreateFile indeed means "open handle", that's correct. You should see some more calls usually, but it looks like what you see is just one kind of existence check, otherwise you would see a file attribute check at least.
Best to try out on a large file, e.g. a zip file, to get familiar with the different events logged.
ASKER
"IRP", I haven't enabled any logging, could this be the antivirus watching the disk?
ASKER
here is what I see opening a test file, didn't copy the 50+ explorer events.
8:46:27.4366549 AM NOTEPAD.EXE 5212 CreateFile C:\Projects\PerformMonitor SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
8:46:27.4367008 AM NOTEPAD.EXE 5212 CloseFile C:\Projects\PerformMonitor SUCCESS
8:46:27.4367104 AM NOTEPAD.EXE 5212 IRP_MJ_CLOSE C:\Projects\PerformMonitor SUCCESS
8:46:27.4371452 AM NOTEPAD.EXE 5212 CreateFile C:\Projects\PerformMonitor SUCCESS Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
8:46:27.4536083 AM NOTEPAD.EXE 5212 CloseFile C:\Projects\PerformMonitor SUCCESS
8:46:27.4536208 AM NOTEPAD.EXE 5212 IRP_MJ_CLOSE C:\Projects\PerformMonitor SUCCESS
As said, IRP is displayed only if you have Filter » Enable Advanced Output active. Don't, unless you really have to know about all the internal calls made to the corresponding API.
Notepad is special in the way it opens files, so you should not use it for the test. For example, notepad does not lock the open file - you can rename, delete, whatever.
So please focus on Operation = ReadFile and the corresponding process name. When performing a capture running more than several minutes, make sure to have Filter » Drop Filtered Events ticked to only keep the filter data in memory.
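The advice above comes down to counting ReadFile events per handle rather than CreateFile events. The script below is an added example, not code from this thread or from Sysinternals: it reads a Process Monitor CSV export (File » Save…, CSV format, with the filter applied), pairs each successful CreateFile on the watched path with its CloseFile, credits the ReadFile calls in between to that open, and then reports per process how many opens actually read data. The column names are assumed to be Procmon's default export columns, the target path and the sample rows are constructed for illustration, and the handle tracking is an approximation because the default export carries no handle value.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of a Process Monitor CSV export. The columns are assumed to
# be the default export columns (check the header of your own export). The rows
# are made up for illustration and are not the asker's capture: the first
# svchost.exe open only checks attributes and never reads, the second one reads
# one 4,096-byte block and then hits END OF FILE, and NOTEPAD.EXE reads once.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"8:46:27.4366549 AM","svchost.exe","1204","CreateFile","C:\Projects\PerformMonitor\config.xml","SUCCESS","Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"8:46:27.4367008 AM","svchost.exe","1204","CloseFile","C:\Projects\PerformMonitor\config.xml","SUCCESS",""
"8:46:27.4371452 AM","svchost.exe","1204","CreateFile","C:\Projects\PerformMonitor\config.xml","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"8:46:27.4372000 AM","svchost.exe","1204","ReadFile","C:\Projects\PerformMonitor\config.xml","SUCCESS","Offset: 0, Length: 4,096, Priority: Normal"
"8:46:27.4372500 AM","svchost.exe","1204","ReadFile","C:\Projects\PerformMonitor\config.xml","END OF FILE","Offset: 4,096, Length: 4,096"
"8:46:27.4373000 AM","svchost.exe","1204","CloseFile","C:\Projects\PerformMonitor\config.xml","SUCCESS",""
"8:46:28.0000000 AM","NOTEPAD.EXE","5212","CreateFile","C:\Projects\PerformMonitor\config.xml","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"8:46:28.0001000 AM","NOTEPAD.EXE","5212","ReadFile","C:\Projects\PerformMonitor\config.xml","SUCCESS","Offset: 0, Length: 1,234"
"8:46:28.0002000 AM","NOTEPAD.EXE","5212","CloseFile","C:\Projects\PerformMonitor\config.xml","SUCCESS",""
"8:46:28.0003000 AM","NOTEPAD.EXE","5212","QueryBasicInformationFile","C:\Projects\PerformMonitor\config.xml","SUCCESS","CreationTime: ..., LastAccessTime: ..."
'''

TARGET_PATH = r"C:\Projects\PerformMonitor\config.xml"  # assumed file under observation

_LENGTH_RE = re.compile(r"Length:\s*([\d,]+)")


def _length_from_detail(detail):
    """Pull the requested Length out of a ReadFile Detail string such as 'Offset: 0, Length: 4,096'."""
    m = _LENGTH_RE.search(detail or "")
    return int(m.group(1).replace(",", "")) if m else 0


def parse_procmon_csv(text):
    """Return the export as a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def read_sessions(events, path):
    """Pair each successful CreateFile on `path` with its CloseFile and record the
    successful ReadFile calls in between. The default export has no handle value,
    so opens are tracked per (process, PID) as a stack: a ReadFile is credited to
    that process's most recent open and a CloseFile pops it. Returns one dict per
    open, in capture order. A ReadFile with no open in the capture (the handle was
    opened before the trace started) gets its own session with opened=None."""
    open_stack = defaultdict(list)
    sessions = []
    for ev in events:
        if ev["Path"].lower() != path.lower():
            continue
        key = (ev["Process Name"], ev["PID"])
        op = ev["Operation"]
        if op == "CreateFile":
            if ev["Result"] != "SUCCESS":  # failed open: nothing can be read through it
                continue
            s = {"process": ev["Process Name"], "pid": int(ev["PID"]),
                 "opened": ev["Time of Day"], "closed": None,
                 "reads": 0, "bytes_requested": 0}
            open_stack[key].append(s)
            sessions.append(s)
        elif op == "ReadFile":
            if ev["Result"] != "SUCCESS":  # e.g. END OF FILE: no data moved
                continue
            if not open_stack[key]:
                s = {"process": ev["Process Name"], "pid": int(ev["PID"]),
                     "opened": None, "closed": None, "reads": 0, "bytes_requested": 0}
                open_stack[key].append(s)
                sessions.append(s)
            s = open_stack[key][-1]
            s["reads"] += 1
            s["bytes_requested"] += _length_from_detail(ev["Detail"])
        elif op == "CloseFile" and open_stack[key]:
            open_stack[key].pop()["closed"] = ev["Time of Day"]
    return sessions


def reads_per_process(sessions):
    """Per process: how many opens there were, how many of them actually read data,
    the number of successful ReadFile calls and the total bytes requested."""
    summary = defaultdict(lambda: {"opens": 0, "opens_with_read": 0,
                                   "read_calls": 0, "bytes_requested": 0})
    for s in sessions:
        d = summary[s["process"]]
        d["opens"] += 1
        d["opens_with_read"] += 1 if s["reads"] else 0
        d["read_calls"] += s["reads"]
        d["bytes_requested"] += s["bytes_requested"]
    return dict(summary)


if __name__ == "__main__":
    # Replace SAMPLE_CSV with open("Logfile.CSV", encoding="utf-8-sig").read() for a real export.
    sessions = read_sessions(parse_procmon_csv(SAMPLE_CSV), TARGET_PATH)
    for proc, d in reads_per_process(sessions).items():
        print(f"{proc}: {d['opens']} opens, {d['opens_with_read']} with reads, "
              f"{d['read_calls']} ReadFile calls, {d['bytes_requested']} bytes requested")
```

Two caveats when running this over a real capture. Reads through a memory mapping still show up as ReadFile events, flagged as Paging I/O in the Detail column, so the count includes them. And because the export has no handle value, a process holding two handles to the file at the same time is handled by the stack approximation (last open gets the reads); if that matters, add the Procmon column that shows the handle or correlate on a per-thread basis instead.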