File Monitor, File Audit and File I/O Activities Monitor SDK

Download EaseFilter File Monitor Filter Driver SDK Setup File
Download EaseFilter File Monitor Filter Driver SDK Zip File

Develop File Audit Application with File System Filter Driver SDK

EaseFilter file system filter driver is a kernel-mode component that runs as part of the Windows executive above the file system. The EaseFilter file system filter driver can intercept requests targeted at a file system or another file system filter driver. By intercepting the request before it reaches its intended target, the filter driver can extend or replace functionality provided by the original target of the request. The EaseFilter file system filter driver can log, observe, modify, or even prevent the I/O operations for one or more file systems or file system volumes.

file monitor

Monitor File Changed Events

With the EaseFilter File Monitor SDK, you can get the notification when the managed files were changed with below events:

  • File Creation Event: You can get the notification when a new file was created.
  • File Delete Event: you can get the notification when a file was deleted.
  • File Rename Event: You can get the notification when a file was renamed.
  • File Write Event: You can get the notification when a file was written with data.
  • File Security Changed Event: You can get the notification when a file's security was changed.
  • File Information Changed Event: You can get the notification when a file's size, a file's attributes, a file's last write time, a file's creation time, a file's last access time were changed.

Monitor File I/O Activities in Real Time

With the EaseFilter File Monitor SDK, you can monitor file I/O activities on file system level in Real-Time. You can capture file open, file creation, file overwritten, file read, file written, query file information, set file information, query security information, set security information, file rename, file delete, directory browsing and file close I/O requests.

You can create the file access log, you will know who, when, what files were accessed. You can get comprehensive control and visibility over users and data by tracking and monitoring all the user & file activities, permission changes, storage capacity and generate real-time audit reports.

Monitor File Access for Specific Processes or Users

To monitor the file I/O, you can setup multiple file filter rules. In the file filter rule, you can setup what processes or users can monitor the file I/O, you can setup the file filter mask which you can only monitor the specific file's I/O, you can filter the file I/O with the file open options, you can register the file change events or register the specific file I/Os.

Filter rule setting

  • Setup the file filter mask of the filter rule: you can create the file filter mask with the wildcard characters, i.e. c:\test\*.txt, the monitor driver only monitors the text files in folder c:\test.
  • Setup the exclude file filter mask: you can exclude the files from the file filter rule , i.e. *.exe, all the .exe files will be excluded from the filter rule.
  • Setup the include process name: the monitor driver will only monitor the I/Os from the included processes.
  • Setup the exclude process name: the monitor driver will exclude the I/Os from the excluded processes.
  • Setup the include user name: the monitor driver will only monitor the I/Os from the included users.
  • Setup the exclude user name: the monitor driver will exclude the I/Os from the excluded users.
  • Setup the file open filter options : you can monitor the I/Os only the files were opened with the specific option DesiredAccess, Disposition or CreateOptions when they are not 0.
  • Register the file changed events: you can get the notification when the files were changed. The file changed events will be sent only when the file handle was closed.

file changed events

  • Register the specific file I/O events: you can get the notification when the specific file I/O was triggered with your setting. The file I/O events were sent right after the registered I/Os were completed and the file handle was not closed yet.
    • OnPostFileCreate: Fires this event after the file create IO was returned from the file system.
    • OnPostFileRead: Fires this event after the file read IO was returned from the file system.
    • OnPostFileWrite: Fires this event after the file write IO was returned from the file system.
    • OnPostQueryFileSize: Fires this event after the query file size IO was returned from the file system.
    • OnPostQueryFileBasicInfo: Fires this event after the query file basic info IO was returned from the file system.
    • OnPostQueryFileStandardInfo: Fires this event after the query file standard info IO was returned from the file system.
    • OnPostQueryFileNetworkInfo: Fires this event after the query file network info IO was returned from the file system.
    • OnPostQueryFileId: Fires this event after the query file Id IO was returned from the file system.
    • OnPostQueryFileInfo: Fires this event after the query file info IO was returned from the file system.
    • OnPostSetFileSize: Fires this event after the set file size IO was returned from the file system.
    • OnPostSetFileBasicInfo: Fires this event after the set file basic info IO was returned from the file system.
    • OnPostSetFileStandardInfo: Fires this event after the set file standard info IO was returned from the file system.
    • OnPostSetFileNetworkInfo: Fires this event after the set file network info was returned from the file system.
    • OnPostMoveOrRenameFile: Fires this event after the file move or rename IO was returned from the file system.
    • OnPostDeleteFile: Fires this event after the file delete IO was returned from the file system.
    • OnPostSetFileInfo: Fires this event after the set file info IO was returned from the file system.
    • OnPostQueryDirectoryFile: Fires this event after the query directory file info was returned from the file system.
    • OnPostQueryFileSecurity: Fires this event after the query file security IO was returned from the file system.
    • OnPostSetFileSecurity: Fires this event after the set file security IO was returned from the file system.
    • OnPostFileHandleClose: Fires this event after the file handle close IO was returned from the file system.
    • OnPostFileClose: Fires this event after the file close IO was returned from the file system.

file I/O events

File Audit Information

In the file monitor, you can register the file changed events, or register the specific file I/O events. With the file notification event you can get the information as below:

  • User name: the user who accessed the file.
  • Process name and process Id: the process which accessed the file and initiated this I/O request.
  • ThreadId: the thread which accessed the file and initiated this I/O request.
  • I/O Event name: for the file change event, you will know if the file was created, written, renamed, deleted or file information was changed. For file I/O event, you will know the specific I/O names: file open, file create, file read, file write, query or set file information, query or set file security, file close.
  • FileObject: it is similar to file handle concept, every file open, the system I/O manager will generate a unique file object till the file handle was closed.
  • File name: the file name which was associated to this I/O request.
  • File size: the file size of the file which was accessed.
  • File attributes: the file attributes of the file which was accessed.
  • Last write time: the last write time of the file which was accessed.
  • File Create Options: you will know how the file was opened with different options.
  • File I/O data: the read/write data, or query/set file information data.
  • I/O status: the return I/O status, it shows the I/O result if it was return with success, warning or error code.

file audit console

A File Monitor C# Example

The following example creates a filter rule to watch the directory specified at run time. The component is set to watch for all file change in the directory. If a file was changed, the file name, file change type, user name, process name will be printed to the console. The component also is set to watch the file open and file read IO, the IO was triggered, the file open and file read information will be printed to the console.

 
  
using System;
using EaseFilter.FilterControl;

namespace FileMonitorConsole
{
    class Program
    {
        static FilterControl filterControl = new FilterControl();

        static void Main(string[] args)
        {
            string lastError = string.Empty;
            string licenseKey = "Email us to request a trial key: info@easefilter.com";
                
            FilterAPI.FilterType filterType = FilterAPI.FilterType.MONITOR_FILTER;
            int serviceThreads = 5;
            int connectionTimeOut = 10; //seconds

            try
            {
                if (!filterControl.StartFilter(filterType, serviceThreads, connectionTimeOut, licenseKey, ref lastError))
                {
                    Console.WriteLine("Start Filter Service failed with error:" + lastError);
                    return;
                }

                //the watch path can use wildcard to be the file path filter mask.i.e. '*.txt' only monitor text file.
                string watchPath = "c:\\test\\*";

                if (args.Length > 0)
                {
                    watchPath = args[0];
                }

                //create a file monitor filter rule, every filter rule must have the unique watch path. 
                FileFilter fileMonitorFilter = new FileFilter(watchPath);

                //Filter the file change event to monitor all file change events.
                fileMonitorFilter.FileChangeEventFilter = FilterAPI.MonitorFileEvents.NotifyAll;

                //register the file change callback events.
                fileMonitorFilter.NotifyFileWasChanged += NotifyFileChanged;

                //Filter the monitor file IO events
                fileMonitorFilter.MonitorFileIOEventFilter = (ulong)(MonitorFileIOEvents.OnFileOpen | MonitorFileIOEvents.OnFileRead);

                fileMonitorFilter.OnFileOpen += OnFileOpen;
                fileMonitorFilter.OnFileRead += OnFileRead;

                filterControl.AddFilter(fileMonitorFilter);

                if (!filterControl.SendConfigSettingsToFilter(ref lastError))
                {
                    Console.WriteLine("SendConfigSettingsToFilter failed." + lastError);
                    return;
                }

                Console.WriteLine("Start filter service succeeded.");

                // Wait for the user to quit the program.
                Console.WriteLine("Press 'q' to quit the sample.");
                while (Console.Read() != 'q') ;

                filterControl.StopFilter();

            }
            catch (Exception ex)
            {
                Console.WriteLine("Start filter service failed with error:" + ex.Message);
            }

        }

        /// Fires this event when the file was changed.
        static void NotifyFileChanged(object sender, FileChangeEventArgs e)
        {
            Console.WriteLine("NotifyFileChanged:" + e.FileName + ",eventType:" + e.eventType.ToString() 
				+ ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }

        /// Fires this event after the file was opened, the handle is not closed. 
        static void OnFileOpen(object sender, FileCreateEventArgs e)
        {
            Console.WriteLine("FileOpen:" + e.FileName + ",status:" +  e.IOStatusToString() 
				+ ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }

        /// Fires this event after the read IO was returned.
        static void OnFileRead(object sender, FileReadEventArgs e)
        {
            Console.WriteLine("FileRead:" + e.FileName + ",offset:" + e.offset + ",readLength:" 
				+ e.returnReadLength + ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }
    }
}