File Monitor Solution

Download EaseFilter File Monitor SDK Setup File
Download EaseFilter File Monitor SDK Zip File

The File Monitor demo was developed with the EaseFilter File Monitor Filter Driver SDK and demonstrates how to use the SDK to monitor Windows file I/O. The FileMonitor demo tool monitors file changes and file access in real time and receives a notification for every registered file I/O request. It can capture file open, file create, file change, file read, file write, query file information, set file information, query security information, set security information, file rename, file delete, directory browsing and file close I/O requests. You can log the file I/O information to record who accessed which files, and when. Here is the FileMonitor demo tool screenshot.

file monitor console

File Monitor Global Settings

  1. The maximum threads of the connection: there is a communication channel between the filter driver and the user mode service; the filter driver sends the file I/O messages to the user mode service through this channel, and this setting is the number of threads that handle those messages in the user mode service.
  2. The maximum connection timeout: the maximum time a message waits in the filter driver's communication channel queue before it is processed.
  3. The volume attached or detached: enable this setting to receive a notification when a new volume is attached or an existing attached volume is detached.

Filter Rule Settings

A filter rule is a file-name-based file control policy. The filter driver evaluates file I/O against the rule settings in the order listed below and only monitors or controls the files that match the filter conditions. To monitor file I/O, you need to create at least one file filter rule.

filter rule

  1. The include file filter mask: a file filter rule is a file name with wildcard characters. Every filter rule has a unique include file filter mask; it cannot be duplicated by another filter rule. A file I/O is only filtered if the file name matches the include file filter mask.
  2. The exclude file filter mask: if it is not empty, the file I/O is excluded if the file name matches the exclude file filter mask.
  3. The include process names: if it is not empty, only the file I/O initiated by a process in the include process name list is filtered.
  4. The include process Ids: if it is not empty, only the file I/O initiated by a process in the include process Id list is filtered.
  5. The exclude process names: if it is not empty, the file I/O is excluded if it was initiated by a process in the exclude process name list.
  6. The exclude process Ids: if it is not empty, the file I/O is excluded if it was initiated by a process in the exclude process Id list.
  7. The include user names: if it is not empty, only the file I/O initiated by a user in the include user name list is filtered.
  8. The exclude user names: if it is not empty, the file I/O is excluded if it was initiated by a user in the exclude user name list.
  9. The CreateFile filter option: if it is not zero, only the file I/O opened with the same DesiredAccess, Disposition and CreateOptions is filtered.
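The nine settings above form a decision procedure: include mask first, then exclude mask, then process and user lists. The following added example (written for this page, not EaseFilter code; it does not call the SDK) models that procedure in Python so the semantics can be tried against constructed I/O requests. The class names FilterRule and IoRequest, the use of '*'/'?' wildcards through fnmatch, and the case-insensitive comparison of names are assumptions of the example; the CreateFile option (item 9) is left out.

```python
"""Added example: model of the file-name-based filter rule evaluation.

Not EaseFilter code. FilterRule / IoRequest and the matching helpers are
assumptions made for this illustration; the check order follows the list
of settings in the text.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional


def _wild(value: str, mask: str) -> bool:
    # Windows file and process names are case-insensitive: fold both sides
    # before applying the '*' / '?' wildcards (assumed wildcard dialect).
    return fnmatchcase(value.lower(), mask.lower())


def _in_list(value: str, names: List[str]) -> bool:
    # Case-insensitive membership; an empty list never matches.
    return value.lower() in {n.lower() for n in names}


@dataclass(frozen=True)
class IoRequest:
    file_name: str
    process_name: str
    process_id: int
    user_name: str


@dataclass
class FilterRule:
    include_mask: str                                   # required, unique per rule
    exclude_mask: str = ""
    include_process_names: List[str] = field(default_factory=list)
    include_process_ids: List[int] = field(default_factory=list)
    exclude_process_names: List[str] = field(default_factory=list)
    exclude_process_ids: List[int] = field(default_factory=list)
    include_user_names: List[str] = field(default_factory=list)
    exclude_user_names: List[str] = field(default_factory=list)

    def matches(self, io: IoRequest) -> bool:
        """True if this rule would filter (monitor) the request."""
        if not _wild(io.file_name, self.include_mask):
            return False                                # 1. include mask
        if self.exclude_mask and _wild(io.file_name, self.exclude_mask):
            return False                                # 2. exclude mask
        if self.include_process_names and not _in_list(io.process_name, self.include_process_names):
            return False                                # 3. include process names
        if self.include_process_ids and io.process_id not in self.include_process_ids:
            return False                                # 4. include process Ids
        if _in_list(io.process_name, self.exclude_process_names):
            return False                                # 5. exclude process names
        if io.process_id in self.exclude_process_ids:
            return False                                # 6. exclude process Ids
        if self.include_user_names and not _in_list(io.user_name, self.include_user_names):
            return False                                # 7. include user names
        if _in_list(io.user_name, self.exclude_user_names):
            return False                                # 8. exclude user names
        return True


def first_matching_rule(rules: List[FilterRule], io: IoRequest) -> Optional[FilterRule]:
    """Pick the first rule that filters the request, enforcing unique include masks."""
    seen = set()
    for rule in rules:
        key = rule.include_mask.lower()
        if key in seen:
            raise ValueError("duplicate include file filter mask: " + rule.include_mask)
        seen.add(key)
    for rule in rules:
        if rule.matches(io):
            return rule
    return None


if __name__ == "__main__":
    # Constructed rule: watch c:\test, skip *.tmp, ignore backup.exe, only user alice.
    rule = FilterRule(include_mask=r"c:\test\*", exclude_mask=r"*.tmp",
                      exclude_process_names=["backup.exe"],
                      include_user_names=[r"CORP\alice"])
    for io in (IoRequest(r"C:\Test\report.docx", "WINWORD.EXE", 1234, r"corp\alice"),
               IoRequest(r"C:\test\~lock.tmp", "winword.exe", 1234, r"CORP\alice"),
               IoRequest(r"C:\test\report.docx", "backup.exe", 77, r"CORP\alice")):
        print(io.file_name, io.process_name, "->", rule.matches(io))
```

Because the include mask is checked first and the exclude lists afterwards, a process listed in both include and exclude lists is excluded, and a mask that does not match the file name short-circuits before any process or user check runs.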

Register the Notification of the File Changed or File Read Events

For the monitor filter, a file changed or file read event is fired after the file handle was closed, if the corresponding I/O was triggered while the handle was open.

  1. NotifyFileWasCreated: if this flag is enabled, a new file creation event is sent when a new file matching the filter rule was created.
  2. NotifyFileWasDeleted: if this flag is enabled, a file deleted event is sent when a file matching the filter rule was deleted.
  3. NotifyFileWasRenamed: if this flag is enabled, a file renamed event is sent when a file matching the filter rule was renamed.
  4. NotifyFileWasWritten: if this flag is enabled, a file written event is sent when data was written to a file matching the filter rule.
  5. NotifyFileSecurityWasChanged: if this flag is enabled, a file security changed event is sent when the security of a file matching the filter rule was changed.
  6. NotifyFileInfoWasChanged: if this flag is enabled, a file information changed event is sent when the information of a file matching the filter rule was changed.
  7. NotifyFileWasRead: if this flag is enabled, a file read event is sent when the data of a file matching the filter rule was read.

Register the Notification of the Specific File I/O

A specific file I/O notification event is sent right after that file I/O returns from the file system, for the I/O types registered in the filter rule; at that point the file handle is not yet closed.

  1. OnFileOpen: the event is fired when a file is opened; this I/O is triggered, for example, when an existing file is opened with the API “CreateFile”.
  2. OnFileCreate: the event is fired when a new file is created; this I/O is triggered, for example, when a new file is created with the API “CreateFile”.
  3. OnFileRead: the event is fired when a file is read; this I/O is triggered, for example, when a file is read with the API “ReadFile”.
  4. OnFileWrite: the event is fired when a file is written; this I/O is triggered, for example, when a file is written with the API “WriteFile”.
  5. OnQueryFileSize: the event is fired when a file’s information is queried with the information class “FileEndOfFileInformation”.
  6. OnQueryFileBasicInfo: the event is fired when a file’s information is queried with the information class “FileBasicInformation”.
  7. OnQueryFileStandardInfo: the event is fired when a file’s information is queried with the information class “FileStandardInformation”.
  8. OnQueryFileNetworkInfo: the event is fired when a file’s information is queried with the information class “FileNetworkOpenInformation”.
  9. OnQueryFileId: the event is fired when a file’s information is queried with the information class “FileInternalInformation”.
  10. OnQueryFileInfo: the event is fired when a file’s information is queried with an information class other than those in items 5 to 9, or with one of those classes when the corresponding event (5 to 9) was not registered.
  11. OnSetFileSize: the event is fired when a file’s information is set with the information class “FileEndOfFileInformation”.
  12. OnSetFileBasicInfo: the event is fired when a file’s information is set with the information class “FileBasicInformation”.
  13. OnSetFileStandardInfo: the event is fired when a file’s information is set with the information class “FileStandardInformation”.
  14. OnSetFileNetworkInfo: the event is fired when a file’s information is set with the information class “FileNetworkOpenInformation”.
  15. OnMoveOrRenameFile: the event is fired when a file’s information is set with the information class “FileRenameInformation” or “FileRenameInformationEx”.
  16. OnDeleteFile: the event is fired when a file’s information is set with the information class “FileDispositionInformation” or “FileDispositionInformationEx”.
  17. OnSetFileInfo: the event is fired when a file’s information is set with an information class other than those in items 11 to 16, or with one of those classes when the corresponding event (11 to 16) was not registered.
  18. OnQueryDirectoryFile: the event is fired when a directory is browsed with the APIs “FindFirstFile” and “FindNextFile”.
  19. OnQueryFileSecurity: the event is fired when a file’s security information is queried with the API “GetSecurityInfo”.
  20. OnSetFileSecurity: the event is fired when a file’s security information is set with the API “SetSecurityInfo”.
  21. OnFileHandleClose: the event is fired when a file handle is closed with the API “CloseFile”.
  22. OnFileClose: the event is fired when all references to the file handle have been closed.

The common information of a file I/O event:

  1. IoStatus: the I/O completion status, either STATUS_SUCCESS if the requested operation completed successfully, or an informational, warning or error STATUS_XXX value; it is only meaningful for post-I/O events.
  2. TransactionTime: the transaction time of this I/O request, in UTC.
  3. FileObject: a unique Id for the file I/O from the open until the close.
  4. ProcessId: the Id of the process that initiated the I/O.
  5. ProcessName: the name of the process that initiated the I/O.
  6. ThreadId: the Id of the thread that initiated the I/O.
  7. UserName: the name of the user that initiated the I/O.
  8. FileName: the file name of the file I/O.
  9. FileSize: the file size of the file I/O.
  10. CreationTime: the creation time of the file, in UTC.
  11. LastWriteTime: the last write time of the file, in UTC.
  12. FileAttributes: the file attributes of the file I/O.
  13. CreateOptions: the create options with which the file was opened.
  14. SharedAccess: the SharedAccess of the file open; see the CreateFile Windows API.
  15. IsRemoteAccess: indicates whether the file open came from the SMB network.
  16. RemoteIp: the IP address of the remote computer that is opening the file. This feature is enabled only on Windows 7 or later.
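The two notification families above differ in timing: the specific file I/O events arrive per request while the handle is still open, and the file changed or file read events arrive once the handle is closed. The added example below (written for this page, not EaseFilter code) shows how a consumer of the per-I/O events can reconstruct the close-time events itself, keying state on FileObject, which the common information list describes as unique from open until close, and counting only I/O whose IoStatus is STATUS_SUCCESS. The mapping from I/O events to change events, the class names IoEvent, ChangeEvent and ChangeTracker, and the sample event stream are assumptions constructed for the example.

```python
"""Added example: correlate per-I/O notifications into close-time change events.

Not EaseFilter code. Event and field names follow the lists in the text;
IO_TO_CHANGE, the classes and the sample stream are constructed here.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List

STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022   # used below for a constructed rejected write

# Which successful per-I/O event implies which close-time change notification
# (assumed mapping for this illustration).
IO_TO_CHANGE = {
    "OnFileCreate": "NotifyFileWasCreated",
    "OnFileWrite": "NotifyFileWasWritten",
    "OnFileRead": "NotifyFileWasRead",
    "OnMoveOrRenameFile": "NotifyFileWasRenamed",
    "OnDeleteFile": "NotifyFileWasDeleted",
    "OnSetFileSecurity": "NotifyFileSecurityWasChanged",
    "OnSetFileBasicInfo": "NotifyFileInfoWasChanged",
    "OnSetFileInfo": "NotifyFileInfoWasChanged",
}


@dataclass(frozen=True)
class IoEvent:
    kind: str                   # "OnFileOpen", "OnFileWrite", "OnFileClose", ...
    io_status: int              # IoStatus from the common information list
    transaction_time: datetime  # TransactionTime, UTC
    file_object: int            # FileObject: unique for one open..close lifetime
    process_id: int
    process_name: str
    thread_id: int
    user_name: str
    file_name: str


@dataclass(frozen=True)
class ChangeEvent:
    event_type: str             # one of the NotifyFile... names
    file_name: str
    user_name: str
    process_name: str
    opened_at: datetime
    closed_at: datetime


class ChangeTracker:
    """Holds per-FileObject state between open and close and emits the
    registered change events only when the last reference is closed."""

    def __init__(self, registered: FrozenSet[str]) -> None:
        self.registered = set(registered)
        self._live: Dict[int, dict] = {}

    def feed(self, ev: IoEvent) -> List[ChangeEvent]:
        if ev.kind in ("OnFileOpen", "OnFileCreate"):
            if ev.io_status != STATUS_SUCCESS:
                return []                   # a failed open never gets a close
            self._live[ev.file_object] = {"opened_by": ev, "changes": set()}
        state = self._live.get(ev.file_object)
        if state is None:
            return []                       # handle opened before monitoring began
        if ev.kind == "OnFileClose":
            del self._live[ev.file_object]
            opened = state["opened_by"]
            return [ChangeEvent(name, opened.file_name, opened.user_name,
                                opened.process_name, opened.transaction_time,
                                ev.transaction_time)
                    for name in sorted(state["changes"] & self.registered)]
        change = IO_TO_CHANGE.get(ev.kind)
        if change is not None and ev.io_status == STATUS_SUCCESS:
            state["changes"].add(change)    # a failed I/O did not change the file
        return []


def _t(seconds: int) -> datetime:
    return datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=seconds)


# Constructed sample stream of per-I/O events (not captured from a real system).
SAMPLE_EVENTS = [
    # FileObject 1: notepad.exe opens notes.txt, reads it, writes it, closes it.
    IoEvent("OnFileOpen", STATUS_SUCCESS, _t(0), 1, 4321, "notepad.exe", 7, r"CORP\alice", r"C:\test\notes.txt"),
    IoEvent("OnFileRead", STATUS_SUCCESS, _t(1), 1, 4321, "notepad.exe", 7, r"CORP\alice", r"C:\test\notes.txt"),
    IoEvent("OnFileWrite", STATUS_SUCCESS, _t(2), 1, 4321, "notepad.exe", 7, r"CORP\alice", r"C:\test\notes.txt"),
    IoEvent("OnFileHandleClose", STATUS_SUCCESS, _t(3), 1, 4321, "notepad.exe", 7, r"CORP\alice", r"C:\test\notes.txt"),
    IoEvent("OnFileClose", STATUS_SUCCESS, _t(3), 1, 4321, "notepad.exe", 7, r"CORP\alice", r"C:\test\notes.txt"),
    # FileObject 2: backup.exe opens secrets.txt but its write is rejected.
    IoEvent("OnFileOpen", STATUS_SUCCESS, _t(5), 2, 900, "backup.exe", 3, r"CORP\svc_backup", r"C:\test\secrets.txt"),
    IoEvent("OnFileWrite", STATUS_ACCESS_DENIED, _t(6), 2, 900, "backup.exe", 3, r"CORP\svc_backup", r"C:\test\secrets.txt"),
    IoEvent("OnFileClose", STATUS_SUCCESS, _t(7), 2, 900, "backup.exe", 3, r"CORP\svc_backup", r"C:\test\secrets.txt"),
    # FileObject 99: close for a handle opened before monitoring started.
    IoEvent("OnFileClose", STATUS_SUCCESS, _t(8), 99, 4, "System", 8, r"NT AUTHORITY\SYSTEM", r"C:\test\old.log"),
]


def run_sample(registered: FrozenSet[str] = frozenset(IO_TO_CHANGE.values())) -> List[ChangeEvent]:
    """Feed the constructed stream through a fresh tracker; returns the change events."""
    tracker = ChangeTracker(registered)
    out: List[ChangeEvent] = []
    for ev in SAMPLE_EVENTS:
        out.extend(tracker.feed(ev))
    return out


if __name__ == "__main__":
    for c in run_sample():
        print(c.event_type, c.file_name, c.user_name, c.process_name, c.closed_at.isoformat())
```

With the sample stream, only FileObject 1 produces change events (a read and a write by notepad.exe); the rejected write on FileObject 2 yields nothing, and the close of FileObject 99 is dropped because no open was seen for it, which is the case to expect for handles that were already open when monitoring started.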

File Monitor C# Example

The following example creates a filter rule to watch the directory specified at run time. The component is set to watch for all file changes in the directory. If a file is changed, the file name, change type, user name and process name are printed to the console. The component is also set to watch file open and file read I/O; when such an I/O is triggered, the file open or file read information is printed to the console.


using System;
using EaseFilter.FilterControl;

namespace FileMonitorConsole
{
    class Program
    {
        static FilterControl filterControl = new FilterControl();

        static void Main(string[] args)
        {
            string lastError = string.Empty;
            string licenseKey = "Email us to request a trial key: [email protected]";
                
            FilterAPI.FilterType filterType = FilterAPI.FilterType.MONITOR_FILTER;
            int serviceThreads = 5;
            int connectionTimeOut = 10; //seconds

            try
            {
                if (!filterControl.StartFilter(filterType, serviceThreads, connectionTimeOut, licenseKey, ref lastError))
                {
                    Console.WriteLine("Start Filter Service failed with error:" + lastError);
                    return;
                }

                //the watch path can use wildcards as the file path filter mask, i.e. '*.txt' only monitors text files.
                //a verbatim string is required here: in a regular C# string "\t" is a tab and "\*" is an invalid escape.
                string watchPath = @"c:\test\*";

                if (args.Length > 0)
                {
                    watchPath = args[0];
                }

                //create a file monitor filter rule, every filter rule must have the unique watch path. 
                FileFilter fileMonitorFilter = new FileFilter(watchPath);

                //Filter the file change event to monitor all file change events.
                fileMonitorFilter.FileChangeEventFilter = FilterAPI.MonitorFileEvents.NotifyAll;

                //register the file change callback events.
                fileMonitorFilter.NotifyFileWasChanged += NotifyFileChanged;

                //Filter the monitor file IO events
                fileMonitorFilter.MonitorFileIOEventFilter = (ulong)(MonitorFileIOEvents.OnFileOpen | MonitorFileIOEvents.OnFileRead);

                fileMonitorFilter.OnFileOpen += OnFileOpen;
                fileMonitorFilter.OnFileRead += OnFileRead;

                filterControl.AddFilter(fileMonitorFilter);

                if (!filterControl.SendConfigSettingsToFilter(ref lastError))
                {
                    Console.WriteLine("SendConfigSettingsToFilter failed." + lastError);
                    return;
                }

                Console.WriteLine("Start filter service succeeded.");

                // Wait for the user to quit the program.
                Console.WriteLine("Press 'q' to quit the sample.");
                while (Console.Read() != 'q') ;

                filterControl.StopFilter();

            }
            catch (Exception ex)
            {
                Console.WriteLine("Start filter service failed with error:" + ex.Message);
            }

        }

        /// Fires this event when the file was changed.
        static void NotifyFileChanged(object sender, FileChangeEventArgs e)
        {
            Console.WriteLine("NotifyFileChanged:" + e.FileName + ",eventType:" + e.eventType.ToString()
                + ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }

        /// Fires this event after the file was opened, the handle is not closed. 
        static void OnFileOpen(object sender, FileCreateEventArgs e)
        {
            Console.WriteLine("FileOpen:" + e.FileName + ",status:" + e.IOStatusToString()
                + ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }

        /// Fires this event after the read IO was returned.
        static void OnFileRead(object sender, FileReadEventArgs e)
        {
            Console.WriteLine("FileRead:" + e.FileName + ",offset:" + e.offset + ",readLength:"
                + e.returnReadLength + ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }
    }
}