Filemon


Copyright © 1996-2000 Mark Russinovich and Bryce Cogswell
Last Updated November 7, 2000 v4.32
Introduction	Filemon monitors and displays file system activity on a system in real-time. Its advanced capabilities make it a powerful tool for exploring the way Windows works, seeing how applications use the files and DLLs, or tracking down problems in system or application file configurations. Filemon's timestamping feature will show you precisely when every open, read, write or delete, happens, and its status column tells you the outcome. Filemon is so easy to use that you'll be an expert within minutes. It begins monitoring when you start it, and its output window can be saved to a file for off-line viewing. It has full search capability, and if you find that you're getting information overload, simply set up one or more filters. Filemon works on NT 4.0, Windows 2000, Windows 95, Windows 98 and Windows ME.
Sample Screen Shot	This is a screenshot of Filemon watching file system activity
Installation and Use	Simply run the Filemon (filemon.exe) Windows NT/2000 Note: you must have administrative privilege to run Filemon. When Filemon is started for the first time it will monitor all local hard drives. Menus, hot-keys, or toolbar buttons can be used to clear the window, select and deselect monitored drives (Windows NT/2K), save the monitored data to a file, and to filter and search output. As events are printed to the output, they are tagged with a sequence number. If Filemon’s internal buffers are overflowed during extremely heavy activity, this will be reflected with gaps in the sequence number. Use the Filter dialog, which is accessed with a toolbar button or the Edit\|Filter/Highlight menu selection, to select what data will be shown in the list view. The '' wildcard matches arbitrary strings, and the filters are case-insensitive. Only matches shown in the include filter, but that are not excluded with the exclude filter, are displayed. Use ';' to separate multiple strings in a filter (e.g. "filemon;temp"). Windows NT/2000 note:* because of the asynchronous nature of file I/O, its not possible to filter on the result field. For example, if the include filter is "c:\temp", and the exclude filter is "c:\temp\subdir", all references to files and directories under c:\temp, except to those under c:\temp\subdir will be monitored. Wildcards allow for complex pattern matching, making it possible to match specific file accesses by specific applications, for example. The include filter “WinwordWindows” would have Filemon* only show accesses by Microsoft Word to files and directories that include the word “Windows”. Use the highlight filter specify output that you want to have highlighted in the listview output. Select highlighting colors with Edit\|Highlight Colors. Filemon can either timestamp events or show their duration. The Options menu and the clock toolbar button let you toggle between the two modes. The button on the toolbar shows the current mode with a clock or a stopwatch. When showing duration the Time field in the output shows the number of seconds it took for the underlying file system to service particular requests. Each time you exit Filemon it remembers the filters you've configured, position of the window and the widths of the output columns.
Named Pipes and Mail Slots	Starting in version 4.1 Filemon is able to monitor named pipe and mail slot file system activity on Windows NT/2K. Named pipes are commonly used as a communications mechanism in NT/Win2K by core subsystems like the Local Security Authority Subsystem (LSASS), and are used by DCOM. They are also used by network components such as the Browser service. To see named pipe activity with Filemon select Named Pipes in the Drives menu and perform an operation on a shared network resource, or open an application such as Regedt32 that interacts with the security subsystem. Mail slots are much less commonly used. If you find an application that uses mail slots, please let me know.
How Filemon Works	For the Windows 9x driver, the heart of Filemon is in the virtual device driver, Filevxd.vxd. It is dynamically loaded, and in its initialization it installs a file system filter via the VxD service, IFSMGR_InstallFileSystemApiHook, to insert itself onto the call chain of all file system requests. On Windows NT the heart of Filemon is a file system driver that creates and attaches filter device objects to target file system device objects so that Filemon will see all IRPs and FastIO requests directed at drives. When Filemon sees an open, create or close call, it updates an internal hash table that serves as the mapping between internal file handles and file path names. Whenever it sees calls that are handle based, it looks up the handle in the hash table to obtain the full name for display. If a handle-based access references a file opened before Filemon started, Filemon will fail to find the mapping in its hash table and will simply present the handle's value instead. Information on accesses is dumped into an ASCII buffer that is periodically copied up to the GUI for it to print in its listbox.
Related Utilities	Here are some other monitoring tools available at Sysinternals: Regmon - a Registry monitor Tdimon - a TCP/IP monitor Portmon - a serial and parallel port monitor PMon - a process and thread monitor (NT/Win2K) Diskmon - a hard disk monitor (NT/Win2K) DebugView/EE - a debug output monitor
More Information	The following serve as additional sources of information on the Windows 9x file system: The Windows 95/98 DDK "Examining the Windows 95 Layered File System," by Mark Russinovich and Bryce Cogswell, Dr. Dobb's Journal, December 1995 "Systems Programming for Windows 95," by Walter Oney, Microsoft Press, 1996 (a must-have for VxD writers) "Inside the Windows 95 File System," by Stan Mitchell, O'Reilly and Associates, 1996 These are source of information on the Windows NT/2000 file system and/or Filemon: Inside Windows 2000, 3rd Edition by David Solomon and Mark Russinovich, 2000 "Examining The Windows NT File System," by Mark Russinovich and Bryce Cogswell, Dr. Dobb's Journal, Febrary 1997 "Inside NT Utilities", Windows NT Magazine, February 1999. "Windows NT File System Internals,"by Rajeev Nagar, O'Reilly and Associates, 1997
	Filemon Enterprise Edition, the commercial version of Filemon available from Winternals Software, extends the functionality of Filemon with several powerful features, including the ability to monitor remote systems and save output to a log file as the output generates.
In order to help us track its use, please download through the link that represents the operating system on which you will use or mostly use Filemon. Note that the zip files are identical, and Filemon runs on either platform. Download Filemon (x86- 76KB) - you plan on using Filemon on Win9x Download Filemon (x86 - 76KB) - you plan on using Filemon on WinNT Download Filemon (Alpha - 92KB) Download Filemon Plus Source (353KB)