views: 60

answers: 2

I am trying to write a simple program, preferably in C, that will watch a given directory. Whenever a process accesses that directory, I just want to print out the name of that process. It seems simple, but I am coming up short for solutions on MSDN. Does anyone know which library calls I will need for this, or any helpful advice? I have considered repeatedly querying for what processes have handles on the given directory and just watching for additions to that list. This approach just seems very intensive and I am hoping there is an easier way. Thanks.

+1  A: 

There is no supported way to do this from user mode. You can use the FindFirstChangeNotification API to tell when a file or directory has changed, but that doesn't tell you who did it. You might be able to hook some things to obtain this information... but that is of course not supported.

If you can use a driver, you can use Event Tracing for Windows for this information. This is what Sysinternals ProcMon uses. But installation of a driver is a very invasive process, bugs in your driver cause BSODs, and installation of a driver requires administrative rights. Something to keep in mind.

Billy ONeal
Could you give me more information on what I would need to hook?
Brendan Salt
Yes, also, FindFirstChangeNotification and [ReadDirectoryChangesW](http://msdn.microsoft.com/en-us/library/aa365465%28VS.85%29.aspx) delay reporting of access events by up to 1 day on WinXP, and up to 1 hour on Vista+, to save performance.
clyfe
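Added example, not code from the answerer or the asker: it shows what ReadDirectoryChangesW does hand back, the FILE_NOTIFY_INFORMATION record chain, walked the way the API requires (NextEntryOffset links, byte-counted, non-terminated UTF-16 names), over a constructed sample buffer, plus the live monitor loop compiled only on Windows. The struct field names, the sample data and the function names are my own; the point to notice is that the record carries no process identity, which is exactly the gap the answer describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* FILE_NOTIFY_INFORMATION as ReadDirectoryChangesW fills it: a chain of records linked by
 * NextEntryOffset (0 on the last); FileNameLength is in BYTES and the UTF-16 name is NOT
 * NUL-terminated. Nothing in the record identifies the process that made the change. */
typedef struct {
    uint32_t next_entry_offset;
    uint32_t action;            /* FILE_ACTION_* (1 added, 2 removed, 3 modified, 4/5 renamed) */
    uint32_t file_name_length;  /* bytes, not characters */
    uint16_t file_name[1];      /* UTF-16LE, not NUL-terminated */
} notify_rec_t;
#define REC_HDR offsetof(notify_rec_t, file_name)   /* 12 bytes */
/* Walk one buffer returned by ReadDirectoryChangesW, printing each record; returns the count. */
int walk_notifications(const uint8_t *buf, size_t len) {
    int count = 0;
    for (size_t off = 0; off + REC_HDR <= len; ) {
        const notify_rec_t *r = (const notify_rec_t *)(buf + off);
        if (off + REC_HDR + r->file_name_length > len) break;    /* truncated record: stop */
        printf("action=%u name=", (unsigned)r->action);
        for (uint32_t i = 0; i < r->file_name_length / 2; i++)  /* ASCII subset for display */
            putchar(r->file_name[i] < 0x80 ? (char)r->file_name[i] : '?');
        putchar('\n'); count++;
        if (r->next_entry_offset == 0) break;
        off += r->next_entry_offset;
    }
    return count;
}
/* Constructed sample buffer, laid out as the kernel writes it (little-endian DWORDs):
 * "a.txt" added, padded to a DWORD boundary (NextEntryOffset 24), then "b.log" modified. */
static const uint32_t sample[] = {
    24, 1, 10, 'a' | '.' << 16, 't' | 'x' << 16, 't',
     0, 3, 10, 'b' | '.' << 16, 'l' | 'o' << 16, 'g' };
int demo(void) { return walk_notifications((const uint8_t *)sample, sizeof sample); }  /* 2 */
#ifdef _WIN32   /* the live version: blocks until the directory changes, then prints the records */
#include <windows.h>
int monitor(const wchar_t *dir) {
    HANDLE h = CreateFileW(dir, FILE_LIST_DIRECTORY, FILE_SHARE_READ | FILE_SHARE_WRITE |
                           FILE_SHARE_DELETE, NULL, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS, NULL);
    if (h == INVALID_HANDLE_VALUE) return -1;
    static uint32_t buf[16 * 1024];   /* 64 KiB; DWORD-aligned storage as the API requires */
    DWORD got;
    while (ReadDirectoryChangesW(h, buf, sizeof buf, TRUE, FILE_NOTIFY_CHANGE_FILE_NAME |
           FILE_NOTIFY_CHANGE_DIR_NAME | FILE_NOTIFY_CHANGE_LAST_WRITE, &got, NULL, NULL))
        walk_notifications((const uint8_t *)buf, got);
    CloseHandle(h);
    return 0;
}
#endif
```

On Windows, call `monitor(L"C:\\some\\dir")` from your own main; FILE_NOTIFY_CHANGE_LAST_ACCESS also exists, but it depends on last-access timestamp updates, which is what the comment above about delayed reporting refers to.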
+1  A: 

I'm not sure if there's an easier way, but one way is to use a file system filter driver. Or, easier, a file system minifilter driver.

You can filter, log, track, control, ... all IO.

Brian R. Bondy