nature of file I/O, it's not possible to filter
on the result field. </p>
<p> For example, if the include filter is "c:\temp",
and the exclude filter is "c:\temp\subdir",
all references to files and directories under
c:\temp, except to those under c:\temp\subdir
will be monitored. </p>
<p>Wildcards allow for complex pattern matching,
making it possible to match specific file accesses
by specific applications, for example. The include
filter “Winword*Windows” would have
<i>Filemon</i> only show accesses by Microsoft
Word to files and directories that include the
word “Windows”.</p>
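<p>The include/exclude decision described above, as an added example in C (not code from the <i>Filemon</i> source). The function names, the case-insensitive comparison, and the rule that a filter matches anywhere in an output line are assumptions of this sketch, and the sample line is constructed.</p>

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Anchored wildcard match: '*' matches any run of characters.
   Case-insensitive comparison is an assumption of this sketch. */
static int wild_match(const char *pat, const char *text)
{
    const char *star = NULL, *resume = NULL;
    while (*text) {
        if (*pat == '*') {
            star = pat++;
            resume = text;
        } else if (*pat && toupper((unsigned char)*pat) == toupper((unsigned char)*text)) {
            pat++;
            text++;
        } else if (star) {
            pat = star + 1;          /* let the last '*' absorb one more char */
            text = ++resume;
        } else {
            return 0;
        }
    }
    while (*pat == '*') pat++;
    return *pat == '\0';
}

/* A filter hits when it matches anywhere in the output line (assumption). */
static int filter_hits(const char *filter, const char *line)
{
    char pat[260];
    if (!*filter || strlen(filter) + 3 > sizeof pat) return 0;
    snprintf(pat, sizeof pat, "*%s*", filter);
    return wild_match(pat, line);
}

/* Show a line only if the include filter hits and the exclude filter does not. */
static int should_display(const char *include, const char *exclude, const char *line)
{
    return filter_hits(include, line) && !filter_hits(exclude, line);
}

int main(void)
{
    /* Constructed sample output line: process, request, path. */
    const char *line = "Winword.exe OPEN C:\\Windows\\win.ini";
    printf("%d\n", should_display("Winword*Windows", "", line));
    return 0;
}
```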
<p>Use the highlight filter to specify output that
you want to have highlighted in the listview output.
Select highlighting colors with Edit|Highlight
Colors. </p>
<p><em>Filemon</em> can either timestamp events
or show their duration. The Options menu and the
clock toolbar button let you toggle between the
two modes. The button on the toolbar shows the
current mode with a clock or a stopwatch. When
showing duration the Time field in the output
shows the number of seconds it took for the underlying
file system to service particular requests.</p>
<p>Each time you exit <em>Filemon</em> it remembers
the filters you've configured, the position of the
window and the widths of the output columns.
</td>
</tr>
<tr>
<td height="40" colspan="3" valign="middle"><span class='sectionheader'>Named Pipes and Mail Slots
</span></td>
</tr>
<tr>
<td colspan="3" valign="TOP">
<p>Starting in version 4.1 <i>Filemon</i> is able
to monitor named pipe and mail slot file system
activity on Windows NT/2K. Named pipes are commonly
used as a communications mechanism in NT/Win2K
by core subsystems like the Local Security Authority
Subsystem (LSASS), and are used by DCOM. They
are also used by network components such as the
Browser service. To see named pipe activity with
<i>Filemon</i> select Named Pipes in the Drives
menu and perform an operation on a shared network
resource, or open an application such as Regedt32
that interacts with the security subsystem.<br>
<br>
Mail slots are much less commonly used. If you
find an application that uses mail slots, please
let me know.
</td>
</tr>
<tr>
<td colspan="3" height="40" valign="middle"><span class='sectionheader'>How Filemon Works
</span></td>
</tr>
<tr>
<td valign="TOP" colspan="3" align="left"> For the
Windows 9x driver, the heart of <i>Filemon </i>is
in the virtual device driver, Filevxd.vxd. It is
dynamically loaded, and in its initialization it
installs a file system filter via the VxD service,
<b>IFSMGR_InstallFileSystemApiHook</b>, to insert
itself onto the call chain of all file system requests.
On Windows NT the heart of <em>Filemon</em> is a
file system driver that creates and attaches filter
device objects to target file system device objects
so that <em>Filemon</em> will see all IRPs and FastIO
requests directed at drives.
<p>When <i>Filemon </i>sees an open, create or close
call, it updates an internal hash table that serves
as the mapping between internal file handles and
file path names. Whenever it sees calls that are
handle based, it looks up the handle in the hash
table to obtain the full name for display. If
a handle-based access references a file opened
before <i>Filemon </i>started, <i>Filemon </i>will
fail to find the mapping in its hash table and
will simply present the handle's value instead.
</p>
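<p>The handle-to-name bookkeeping described above, as an added example in C (a user-mode sketch, not code from the <i>Filemon</i> driver). The function names, bucket count and sample handle values are assumptions. It shows why a handle opened before monitoring started is displayed as a raw value, and why the mapping is dropped on close so a recycled handle is not shown with the previous file's name.</p>

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUCKETS 64                  /* table size: arbitrary for this sketch */
struct entry { unsigned long handle; char path[260]; struct entry *next; };
static struct entry *table[BUCKETS];

static unsigned bucket(unsigned long h) { return (unsigned)(h % BUCKETS); }

/* Close: drop the mapping so a recycled handle value is not misattributed. */
static void on_close(unsigned long h)
{
    for (struct entry **pp = &table[bucket(h)]; *pp; pp = &(*pp)->next)
        if ((*pp)->handle == h) {
            struct entry *dead = *pp;
            *pp = dead->next;
            free(dead);
            return;
        }
}

/* Open/create: record handle -> full path, replacing any stale entry. */
static void on_open(unsigned long h, const char *path)
{
    struct entry *e = malloc(sizeof *e);
    if (!e) return;
    on_close(h);
    e->handle = h;
    snprintf(e->path, sizeof e->path, "%s", path);
    e->next = table[bucket(h)];
    table[bucket(h)] = e;
}

/* Handle-based request: the path if known, otherwise the raw handle value. */
static const char *display_name(unsigned long h)
{
    static char raw[2 + 2 * sizeof h + 1];
    for (struct entry *e = table[bucket(h)]; e; e = e->next)
        if (e->handle == h) return e->path;
    snprintf(raw, sizeof raw, "0x%lX", h);
    return raw;
}

int main(void)
{
    on_open(0x84, "C:\\temp\\a.txt");        /* constructed sample events */
    printf("%s\n%s\n", display_name(0x84), display_name(0x90));
    return 0;
}
```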
<p>Information on accesses is dumped into an ASCII
buffer that is periodically copied up to the GUI
for it to print in its listbox.
</td>
</tr>
<tr>
<td colspan="3" height="40" valign="middle"><span class='sectionheader'>Related
Utilities</span></td>
</tr>
<tr>
<td valign="TOP" colspan="3" align="left"> <font color="#000000">Here
are some other monitoring tools available at Sysinternals:</font>
<ul>
<li><font color="#000000"><a href="../../ntw2k/source/regmon.shtml">Regmon</a>
- a Registry monitor</font></li>
<li><font color="#000000"><a href="../../ntw2k/freeware/tdimon.shtml">Tdimon</a>
- a TCP/IP monitor</font></li>
<li><a href="../../ntw2k/freeware/portmon.shtml">Portmon</a>
- a serial and parallel port monitor</li>
<li><a href="../../ntw2k/freeware/pmon.shtml">PMon</a>
- a process and thread monitor (NT/Win2K)</li>
<li><a href="../../ntw2k/freeware/diskmon.shtml">Diskmon</a>
- a hard disk monitor (NT/Win2K)</li>
<li><a href="../../ntw2k/freeware/debugview.shtml">DebugView</a>
- a debug output monitor<font face="arial"></font></li>
</ul>
</td>
</tr>
<tr>
<td colspan="3" height="40" valign="middle"><span class='sectionheader'>More Information
</span></td>
</tr>
<tr>
<td valign="TOP" colspan="3" align="left"> The following
serve as additional sources of information on the
Windows 9x file system:
<ul>
<li>The Windows 95/98 DDK </li>
<li>"Examining the Windows 95 Layered File
System," by Mark Russinovich and Bryce
Cogswell, Dr. Dobb's Journal, December 1995
</li>
<li><a
href="../../othresources.shtml#books">"Systems Programming for Windows 95,"</a>
by Walter Oney, Microsoft Press, 1996 (a must-have
for VxD writers)</li>
<li><a
href="../../othresources.shtml#books">"Inside the Windows 95 File System,"</a>
by Stan Mitchell, O'Reilly and Associates, 1996</li>
</ul>
<p>These are sources of information on the Windows
NT/2000 file system and/or Filemon:</p>
<ul>
<li><a href="../../insidew2k.shtml">Inside Windows
2000, 3rd Edition</a> by David Solomon and Mark
Russinovich, 2000</li>
<li>"Examining The Windows NT File System,"
by Mark Russinovich and Bryce Cogswell, Dr.
Dobb's Journal, February 1997 </li>
<li>"<a
href="http://www.ntmag.com">Inside NT Utilities</a>", Windows NT Magazine,
February 1999. </li>
<li><a
href="../../othresources.shtml#books">"Windows NT File System Internals,"</a> by
Rajeev Nagar, O'Reilly and Associates, 1997</li>
</ul>
</td>
</tr>
<tr>
<td colspan="3" height="49" valign="middle"><a href="http://www.winternals.com"><img src="../../images/WinProd.gif" width="87" height="29" border="0"></a></td>
</tr>
<tr>
<td valign="TOP" colspan="3" align="left">
<p><i>Filemon Enterprise Edition</i>, the commercial
version of <i>Filemon</i> available from <a href="http://www.winternals.com">Winternals
Software</a>, extends the functionality of <i>Filemon</i>
with several powerful features, including the
ability to monitor remote systems and save output
to a log file as the output generates.</p>
<p> </p>
</td>
</tr>
<tr>
<td colspan="3" height="40" valign="middle" align="center">
<p><strong>In order to help us track its use, please
download through the link that represents the
operating system on which you will use or mostly
use </strong><em><strong>Filemon. </strong></em><strong><br>
Note that the zip files are identical, and </strong><em><strong>Filemon</strong></em><strong>
runs on either platform.</strong></p>
<p><a href="../../files/FILEMON.ZIP"><b>Download Filemon
(x86 - 76KB) - you plan on using Filemon on Win9x</b></a></p>
<p><a href="../../files/NTFILMON.ZIP"><b>Download
Filemon (x86 - 76KB) - you plan on using Filemon
on WinNT/2K/XP</b></a></p>
<p><b><a href="../../files/filemon64.zip">Download
Filemon (XP 64-bit Edition/IA64 - 146KB)</a></b></p>
<p><a href="../../files/FILEAXP.ZIP"><b>Download Filemon
(Alpha - 92KB)</b></a></p>
<p><a href="../../files/FILESRC.ZIP"><b>Download
Filemon Plus Source (702KB)</b></a></p>
<a href="#top"><b>Back to Top</b></a> </td>
</tr>
</table>
</td>
</tr>
</table>
</TD>
</TR>
</TABLE>
<!-- #EndEditable --></td>
</tr>
</table>
</td>
</tr>
</table>
</body>
<!-- #EndTemplate --></html>