views: 1185

answers: 6

I would like to be able to monitor certain system calls made by a process, primarily file I/O calls. On Linux I can probably get away using strace with suitable parameters, but how can I do this on Windows?

I'm primarily interested in running a process and figuring out which files it has read and written.

EDIT: I want to do this programmatically from another process. I'm aware of ProcessMonitor, but I would like to receive the data in a form which I can import into another program for further analysis.

EDIT: If I narrow down my requirements even further, it is probably enough to be able to monitor calls to CreateFile(). I'm really only interested in what files are opened, and if they are opened for read/write or just read. Another requirement which I didn't really state is that speed is fairly important; I was planning on doing this for things like compiling a C++ file, and pulling up a full GUI which generates a 20MB logfile will have prohibitive overhead.

EDIT: It would also be nice if it did not require administrative privileges.

+3  A: 

There are several options on Windows.

Windows Performance Toolkit can be used to enable tracing of various system events, including file I/O, and includes tools for processing and viewing these events. You can use xperf to begin tracing various classes of events and save them to an ETL file that you can then process or view using the same tools later.

Process Monitor from SysInternals is another, very easy to use, option, and enables you to quickly see all file and registry accesses any process on the system is doing. http://blogs.msdn.com/carloc/archive/2008/10/31/how-to-automate-process-monitor.aspx also shows how to run Process Monitor in an automated fashion.

If you'd like to do this completely programmatically, you can use the ETW functions (StartTrace, EnableTrace, etc.) to snap file I/O events and save to an ETL file. Sample code here.

Michael
Thanks, I'll look into WPT. Does ProcessMonitor have any support for running without a GUI?
JesperE
Updated answer with a link showing how to automate Process Monitor.
Michael
Is there a way to get the xperf set of tools without downloading a whopping 1.3GB (!) ISO image?
JesperE
The command line use of ProcessMonitor falls a little short: it still opens a window, and I couldn't find a way to specify filters on the command line. Also, ProcessMonitor has to be run as administrator (at least on my Vista machine), which makes it rather unusable for my purposes.
JesperE
http://msdn.microsoft.com/en-us/performance/default.aspx, under downloads, has several downloads of just the toolkit for under 5 MB.
Michael
Ah, thanks. I missed those.
JesperE
A: 

On Windows, you can use Process Monitor to monitor process activity (I/O and registry). I guess this fits your need if you don't really want to know the system calls.

And you can use winapioverride32 to monitor api calls.

kcwu
A: 

Maybe FileMon?

There is also NtTrace, similar to strace.

Michael
NtTrace fails on my Vista x64 with lots of "Cannot trap ... wrong signature". It hasn't been updated since 2007, though.
JesperE
A: 

Another Windows API tracing tool: logexts.dll (part of the Debugging Tools for Windows), which can be run from inside WinDbg/ntsd/cdb or through a standalone logger.exe program.

bk1e
A: 

API Monitor v2 should do what you're looking for. You can enable the "File Management" category under the API Capture Filter to capture all file I/O, or if you're just interested in CreateFile, you can monitor just CreateFileA/CreateFileW.

Once you've captured the API calls (including parameters, flags etc.), you can copy-paste the data into an Excel spreadsheet and use it for further analysis.

You can run API Monitor without administrative privileges. Just download the Standalone version that comes in a ZIP file (both 32-bit and 64-bit versions).

You can view screenshots and download API Monitor v2 from http://www.rohitab.com/apimonitor/

rohitab
A: 

How did nobody mention strace? Example output:

open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
fcntl64(3, F_GETFD)                     = 0x1 (flags FD_CLOEXEC)
getdents64(3, /* 18 entries */, 4096)   = 496
getdents64(3, /* 0 entries */, 4096)    = 0
close(3)                                = 0
fstat64(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f2c000
write(1, "autofs\nbackups\ncache\nflexlm\ngames"..., 86autofsA
Matt Joiner
@Matt: The question says "On Linux I can probably get away using strace"...
RichieHindle
Oh oops :) didn't see that
Matt Joiner
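The question asks for the opened files and whether each was opened for read or for write, in a form another program can consume. On the Linux side this falls straight out of the strace output shown above; the following parser is an added example (not code from the question or any of the answers) that turns open()/openat() lines from `strace -f -o log` into a path-to-access-mode map. The sample log lines are constructed, and `trace_command` assumes strace is installed and on the PATH.

```python
"""Reduce strace output to: which files were opened, and for read or write."""
import re
import subprocess
import sys

# One open()/openat() line, with or without the "pid  " / "[pid N] " prefix
# that `strace -f` adds.  Groups: 1 = path, 2 = O_* flag set, 3 = return value.
OPEN_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s*|\d+\s+)?'            # optional pid prefix
    r'open(?:at)?\((?:(?:AT_FDCWD|\d+),\s*)?'    # openat(dirfd, ...) or open(
    r'"((?:[^"\\]|\\.)*)",\s*'                  # quoted path (strace escapes with \)
    r'([A-Z_|0-9]+)'                            # flags, e.g. O_RDONLY|O_CLOEXEC
    r'(?:,\s*0?[0-7]+)?\)\s*=\s*(-?\d+)'        # optional mode, then return value
)

# Constructed sample, in the format `strace -f -o log` writes (pid prefix).
SAMPLE = """\
1234  openat(AT_FDCWD, "main.cpp", O_RDONLY) = 3
1234  openat(AT_FDCWD, "/usr/include/stdio.h", O_RDONLY|O_NOCTTY) = 4
1234  openat(AT_FDCWD, "main.o", O_RDWR|O_CREAT|O_TRUNC, 0666) = 5
1234  openat(AT_FDCWD, "/etc/missing.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
1234  open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = 3
1234  write(5, "\\177ELF"..., 4) = 4
""".splitlines()


def access_modes(flags: str) -> set:
    """Map an O_* flag set to {'read'}, {'write'} or {'read', 'write'}."""
    parts = set(flags.split("|"))
    modes = set()
    if "O_WRONLY" not in parts:          # O_RDONLY is 0, so "not write-only" means readable
        modes.add("read")
    if parts & {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}:
        modes.add("write")               # creating/truncating a file is a write effect too
    return modes


def parse_strace(lines, include_failed=False) -> dict:
    """Return {path: set_of_modes} from an iterable of strace output lines."""
    files = {}
    for line in lines:
        m = OPEN_RE.match(line)
        if not m:                        # other syscalls, '<unfinished ...>', 'resumed>' ...
            continue
        path, flags, ret = m.group(1), m.group(2), int(m.group(3))
        if ret < 0 and not include_failed:   # skip opens that failed (e.g. ENOENT probes)
            continue
        files.setdefault(path, set()).update(access_modes(flags))
    return files


def trace_command(argv, log_path="strace.log") -> dict:
    """Run argv under strace (following children, e.g. a compiler driver) and parse the log."""
    subprocess.run(["strace", "-f", "-e", "trace=open,openat", "-o", log_path, *argv], check=False)
    with open(log_path) as fh:
        return parse_strace(fh)


if __name__ == "__main__":
    result = trace_command(sys.argv[1:]) if len(sys.argv) > 1 else parse_strace(SAMPLE)
    for path in sorted(result):
        print(f"{'+'.join(sorted(result[path])):10s} {path}")
```

Run it as `python trace_files.py g++ -c main.cpp` to get one line per file with its access mode, which is cheap to import elsewhere; with no arguments it parses the embedded sample.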