Johnny Shen's Blog

-Networking MS Products


FileMon

1.1        Overview

FileMon monitors and displays file system activity on a system in real time.  It is a powerful tool for exploring the way Windows works, seeing how applications use files and DLLs, or tracking down problems in system or application file configurations.  FileMon's timestamping feature shows you precisely when every open, read, write or delete happens, and its status column tells you the outcome.  It begins monitoring when you start it, and its output window can be saved to a file for off-line viewing.  It has full search capability, and its filters make the gathered information easy to manage.

FileMon works on NT 4.0, Windows 2000, Windows XP, Windows XP and Windows Server 2003 64-bit Edition, Windows 2003 Server, Windows 95, Windows 98 and Windows ME. 

1.2        Installation and Use

To install, run FileMon (filemon.exe).  You must have administrator privilege to run FileMon.  When FileMon is started for the first time it will monitor all local hard drives.  Menus, hot-keys, or toolbar buttons can be used to clear the window, select and deselect monitored volumes including network volumes (Windows NT/2K/XP), save the monitored data to a file, and to filter and search output. 

If you've specified filters, FileMon will ask you to confirm the filters used in the last session each time you start it.  To start FileMon without this prompt, specify the /q switch on the command line.  When FileMon starts it automatically captures file system activity.  To start it with capture disabled, use the /o switch on the command line. 

As events are printed to the output, they are tagged with a sequence number.  If FileMon's internal buffers overflow during extremely heavy activity, this will show up as gaps in the sequence numbers. 

Each time you exit FileMon, it remembers the filters you've configured, position of the window and the widths of the output columns. 

1.3        Filtering

Use the Filter dialog, which is accessed with a toolbar button or the Edit > Filter/Highlight menu selection, to select what data will be shown in the list view.  The wildcard (*) matches arbitrary strings, and the filters are case-insensitive.  Only entries that match the include filter and are not matched by the exclude filter are displayed.  Use a semicolon (;) to separate multiple strings in a filter (e.g. filemon;temp). 

Windows NT/2000 note: because of the asynchronous nature of file I/O, it’s not possible to filter on the result field. 

For example, if the include filter is c:\temp, and the exclude filter is c:\temp\subdir, all references to files and directories under c:\temp, except to those under c:\temp\subdir will be monitored. 

Wildcards allow for complex pattern matching, making it possible to match specific file accesses by specific applications, for example.  The include filter “Winword*Windows” would have FileMon only show accesses by Microsoft Word to files and directories that include the word Windows.

Use the highlight filter to specify output that you want to have highlighted in the listview output.  Select highlighting colors with Edit > Highlight Colors. 

Additional filter options select or deselect read, write or open operations.  In many troubleshooting scenarios only open operations are of interest, for example. 

1.3.1      Selecting Volumes (Windows NT/2K/XP/2K3)

The Volumes menu can be used to change the selection of monitored volumes.  Select the Network menu item to monitor accesses to any network resources, including remote shares and UNC path name accesses to remote volumes. 

1.3.2           Limiting Output

The History Depth dialog, accessed via toolbar button or the Edit > History menu item, allows you to specify the maximum number of lines that will be remembered in the output window.  A depth of zero (0) is used to signify no limit. 

1.3.3           Searching the Output

You can search the output window for strings using the Find menu item or the find toolbar button.  You can repeat the search in the forward direction with the F3 key and in reverse with <SHIFT>+<F3>.  To start a search at a particular line in the output, select the desired line by clicking on the far left column (the index number).  If no line is selected, a new search starts at the first entry when searching down, and at the last entry when searching up. 

1.4        Options

FileMon can either timestamp events or show their duration.  The Options menu and the clock toolbar button let you toggle between the two modes.  The button on the toolbar shows the current mode with a clock or a stopwatch.  When showing duration the Time field in the output shows the number of seconds it took for the underlying file system to service particular requests.  The Options > Show Milliseconds menu entry lets you add millisecond resolution to times presented when FileMon shows clock times. 

You can toggle whether FileMon always remains the top window with the Options > Always On Top menu item.  In addition, you can stop FileMon from scrolling the listview via the Options > Auto Scroll menu item or the corresponding toolbar button. 

1.5        Named Pipes and Mail Slots

Starting in version 4.1 FileMon is able to monitor named pipe and mail slot file system activity on Windows NT/2K.  Named pipes are commonly used as a communications mechanism in NT/Win2K by core subsystems like the Local Security Authority Subsystem (LSASS), and are used by DCOM.  They are also used by network components such as the Browser service.  To see named pipe activity with FileMon select Named Pipes in the Drives menu and perform an operation on a shared network resource, or open an application such as Regedt32 that interacts with the security subsystem. 

1.6        How FileMon Works

On Windows 9x, the heart of FileMon is the virtual device driver Filevxd.vxd.  It is dynamically loaded and, on initialization, installs a file system filter via the VxD service IFSMGR_InstallFileSystemApiHook to insert itself into the call chain of all file system requests.  On Windows NT the heart of FileMon is a file system driver that creates and attaches filter device objects to the target file system device objects so that FileMon sees all IRPs and FastIO requests directed at drives.  When FileMon sees an open, create or close call, it updates an internal hash table that maps internal file handles to file path names.  Whenever it sees handle-based calls, it looks up the handle in the hash table to obtain the full name for display.  If a handle-based access references a file opened before FileMon started, FileMon will fail to find the mapping in its hash table and will simply present the handle's value instead. 

Information on accesses is dumped into an ASCII buffer that is periodically copied up to the GUI for it to print in its listbox. 

1.6.1      Download FileMon

http://www.sysinternals.com/ntw2k/source/filemon.shtml

1.6.2      Related Utilities

Here are some other monitoring tools available at Sysinternals:

  • Regmon – a Registry monitor
  • Tdimon – a TCP/IP monitor
  • Portmon – a serial and parallel port monitor
  • PMon – a process and thread monitor (NT/Win2K)
  • Diskmon – a hard disk monitor (NT/Win2K)
  • DebugView – a debug output monitor

1.7        Starting FileMon

Launch FileMon by running FileMon.exe.

1.8        Default Mode vs Advanced Mode

FileMon's default viewing mode now has a filtering mechanism that removes activity that is useless in most troubleshooting scenarios and presents intuitive names for all I/O operations.  FASTIO_CHECK_IF_POSSIBLE is filtered out, FASTIO_READ failures aren't shown, and FASTIO_READ operations that succeed are reported as "READ" operations.  In addition, the default view omits file system activity in the System process, which is the process from which the Memory and Cache Managers perform background activity, and all Memory Manager paging activity, including that to the system's paging file.  The Options > Advanced menu item will satisfy users, such as file system filter driver developers, who want the "raw" view of file system activity shown by previous FileMon versions.
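The following is an added model (not Sysinternals code) of two behaviours this page describes: the handle-to-path hash table from "How FileMon Works", including the case of a handle opened before monitoring began, and the default-view rules just listed. Event field names, the request names and the sample events are assumptions made for the illustration.

```python
# Added model of two behaviours described on this page: FileMon's handle-to-path
# hash table (How FileMon Works) and its default-view rules (Default vs Advanced
# Mode). Not Sysinternals code; field names and the sample events are assumed.
from typing import NamedTuple, Optional

class RawEvent(NamedTuple):
    process: str            # "image:pid" as FileMon prints it
    op: str                 # raw request name, e.g. IRP_MJ_READ, FASTIO_READ
    handle: int             # handle the filter driver saw the request on
    path: Optional[str]     # only known on open/create requests
    result: str             # SUCCESS, NOT FOUND, FAILURE, ...
    paging: bool = False    # Memory Manager paging I/O

def resolve_paths(events):
    """Replay the hash table: learn a name on create, forget it on close. A handle
    opened before monitoring began has no entry, so its raw value is shown."""
    table = {}
    for ev in events:
        if ev.op == "IRP_MJ_CREATE" and ev.path is not None:
            table[ev.handle] = ev.path
        yield ev, table.get(ev.handle, f"0x{ev.handle:08X}")
        if ev.op == "IRP_MJ_CLOSE":
            table.pop(ev.handle, None)

def default_view(events):
    """Default mode: drop FASTIO_CHECK_IF_POSSIBLE and failed FASTIO_READs, report a
    successful FASTIO_READ as READ, omit System-process and paging activity."""
    shown = []
    for ev, name in resolve_paths(events):
        if ev.op == "FASTIO_CHECK_IF_POSSIBLE" or ev.paging:
            continue
        if ev.process.lower().startswith("system:"):
            continue
        op = ev.op
        if op == "FASTIO_READ":
            if ev.result != "SUCCESS":
                continue
            op = "READ"
        shown.append((ev.process, op, name, ev.result))
    return shown          # advanced mode would return every raw event unchanged

SAMPLE_EVENTS = [  # constructed event stream, not a real capture
    RawEvent("winword.exe:1234", "IRP_MJ_CREATE", 0x8, r"C:\Temp\draft.doc", "SUCCESS"),
    RawEvent("winword.exe:1234", "FASTIO_CHECK_IF_POSSIBLE", 0x8, None, "SUCCESS"),
    RawEvent("winword.exe:1234", "FASTIO_READ", 0x8, None, "SUCCESS"),
    RawEvent("winword.exe:1234", "FASTIO_READ", 0x8, None, "FAILURE"),
    RawEvent("System:4", "IRP_MJ_WRITE", 0x20, None, "SUCCESS", paging=True),
    RawEvent("services.exe:456", "IRP_MJ_READ", 0x1F, None, "SUCCESS"),  # pre-existing handle
    RawEvent("winword.exe:1234", "IRP_MJ_CLOSE", 0x8, None, "SUCCESS"),
]
```

Running `default_view(SAMPLE_EVENTS)` keeps four of the seven events; the services.exe read shows up with the bare handle value because its open was never observed.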

1.9        Formatting Drives (Windows NT)

You can watch drives being formatted using FileMon; however, after a format is complete you must deselect and reselect the drive in order to continue monitoring it. 

1.10   Filtering Output in Launch Mode

Use the Filter dialog, which is accessed with a toolbar button or the Options > Filter/Highlight menu selection, to select what data will be shown in the list view.  The wildcard (*) matches arbitrary strings, and the filters are case-insensitive.  Only entries that match the include filter and are not matched by the exclude filter are displayed.  Use a semicolon (;) to separate multiple strings in a filter (e.g. *filemon*;*temp*).  Because of the asynchronous nature of most file I/O, filtering on the result field is not possible.  Refer to section 4.3 of this document for further information on filtering. 
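The following is an added illustration (not FileMon's own code) of the include/exclude/highlight filter semantics described in the Filtering section and repeated here, run over constructed output lines: the c:\temp versus c:\temp\subdir example and the Winword*Windows example. It assumes that "*" matches any run of characters, that a term may match anywhere in an output line (so filemon;temp and *filemon*;*temp* behave alike), and that matching ignores case.

```python
# Added illustration of FileMon's include/exclude/highlight filter semantics.
# Not FileMon's code. Assumptions: "*" matches any run of characters, a term may
# match anywhere in the line (so "filemon;temp" == "*filemon*;*temp*"), and
# matching is case-insensitive.
import re
from typing import List, Tuple

def compile_filter(spec: str) -> list:
    """Split a filter string on ';' and turn each term into a regex."""
    pats = []
    for term in spec.split(";"):
        term = term.strip()
        if term:
            regex = ".*".join(re.escape(part) for part in term.split("*"))
            pats.append(re.compile(regex, re.IGNORECASE))
    return pats

def matches(pats, line: str) -> bool:
    return any(p.search(line) for p in pats)

def apply_filter(lines, include="*", exclude="", highlight="") -> List[Tuple[str, bool]]:
    """Show a line if some include term matches and no exclude term matches;
    flag it for highlighting if some highlight term matches."""
    inc, exc, hi = compile_filter(include), compile_filter(exclude), compile_filter(highlight)
    return [(line, matches(hi, line))
            for line in lines if matches(inc, line) and not matches(exc, line)]

# Constructed output lines in FileMon's "process  request  path  result" shape.
SAMPLE_LINES = [
    r"WINWORD.EXE:1234  OPEN  C:\Windows\win.ini              SUCCESS",
    r"WINWORD.EXE:1234  READ  C:\Temp\draft.doc               SUCCESS",
    r"notepad.exe:2000  OPEN  C:\Temp\subdir\notes.txt        SUCCESS",
    r"notepad.exe:2000  OPEN  C:\Temp\readme.txt              NOT FOUND",
    r"svchost.exe:900   READ  C:\Windows\System32\ws2_32.dll  SUCCESS",
]

def demo():
    # The c:\temp vs c:\temp\subdir example, with *.txt lines highlighted,
    # and the Winword*Windows example from the Filtering section.
    by_dir = apply_filter(SAMPLE_LINES, include=r"c:\temp",
                          exclude=r"c:\temp\subdir", highlight="*.txt")
    by_app = apply_filter(SAMPLE_LINES, include="Winword*Windows")
    return by_dir, by_app
```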

Note:  The History Depth dialog is accessed through the Options > History menu item path when FileMon is in launch mode.

1.11   Font Selection

Use the Edit > Font menu item to change the font used in the listview.

1.12   Jumping to a Directory in Explorer

If you come across a file or directory name in the output that you want to modify or view, you can jump to its directory by double-clicking on the output line.  FileMon will launch Explorer and navigate directly to the directory in which the file or directory resides.
posted on 2005-10-25 23:28 by Johnny shen