File Monitor, File Audit and File I/O Activities Monitor SDK

EaseFilter File I/O Monitor

EaseFilter File Monitor SDK lets you develop file audit and file monitoring applications for Windows. It monitors file changes and file access in real time and intercepts file I/O requests at the file system level, so you know who accessed which files, and when.

EaseFilter File Monitor SDK is a file system filter driver, a kernel-mode component that runs as part of the Windows executive above the file system. The EaseFilter file system filter driver can intercept requests targeted at a file system or another file system filter driver. By intercepting the request before it reaches its intended target, the filter driver can extend or replace functionality provided by the original target of the request. The EaseFilter file system filter driver can log, observe, modify, or even prevent the I/O operations for one or more file systems or file system volumes.


Monitor File Changed Events

With the EaseFilter File Monitor SDK, you can be notified when managed files are changed, with the events below:

Monitor File I/O Activities in Real Time

With the EaseFilter File Monitor SDK, you can monitor file I/O activities at the file system level in real time. You can capture file open, file creation, file overwrite, file read, file write, query file information, set file information, query security information, set security information, file rename, file delete, directory browsing and file close I/O requests.

You can create a file access log that records who accessed which files, and when. You get comprehensive control and visibility over users and data by tracking and monitoring all user and file activities, permission changes and storage capacity, and by generating real-time audit reports.

Monitor File Access for Specific Processes or Users

To monitor file I/O, you can set up multiple file filter rules. In a filter rule you can specify which processes or users are monitored, set a file filter mask so that only the I/O of matching files is monitored, filter the file I/O by file open options, and register either the file change events or specific file I/Os.

Filter rule setting

file changed events

file I/O events

File Audit Information

In the file monitor, you can register the file change events or specific file I/O events. The file notification event provides the information shown below:

file audit console

A File Monitor C# Example

The following example creates a filter rule to watch the directory specified at run time. The filter is set to watch for all file changes in the directory; when a file is changed, the file name, change type, user name and process name are printed to the console. The filter also watches file open and file read I/O; when such an I/O is triggered, the file open or file read information is printed to the console.

using System;
using EaseFilter.FilterControl;

namespace FileMonitorConsole
{
    class Program
    {
        static FilterControl filterControl = new FilterControl();

        static void Main(string[] args)
        {
            string lastError = string.Empty;
            string licenseKey = "Email us to request a trial key:";
            FilterAPI.FilterType filterType = FilterAPI.FilterType.MONITOR_FILTER;
            int serviceThreads = 5;
            int connectionTimeOut = 10; //seconds

            try
            {
                if (!filterControl.StartFilter(filterType, serviceThreads, connectionTimeOut, licenseKey, ref lastError))
                {
                    Console.WriteLine("Start Filter Service failed with error:" + lastError);
                    return; //nothing to configure if the filter service did not start.
                }

                //the watch path can use a wildcard as the file path filter mask, i.e. '*.txt' monitors only text files.
                string watchPath = "c:\\test\\*";

                if (args.Length > 0)
                {
                    watchPath = args[0];
                }

                //create a file monitor filter rule, every filter rule must have a unique watch path.
                FileFilter fileMonitorFilter = new FileFilter(watchPath);

                //Filter the file change event to monitor all file change events.
                fileMonitorFilter.FileChangeEventFilter = FilterAPI.MonitorFileEvents.NotifyAll;

                //register the file change callback events.
                fileMonitorFilter.NotifyFileWasChanged += NotifyFileChanged;

                //Filter the monitor file IO events
                fileMonitorFilter.MonitorFileIOEventFilter = (ulong)(MonitorFileIOEvents.OnFileOpen | MonitorFileIOEvents.OnFileRead);

                fileMonitorFilter.OnFileOpen += OnFileOpen;
                fileMonitorFilter.OnFileRead += OnFileRead;

                //add the rule to the filter control so it is included in the settings sent to the driver.
                filterControl.AddFilter(fileMonitorFilter);

                if (!filterControl.SendConfigSettingsToFilter(ref lastError))
                {
                    Console.WriteLine("SendConfigSettingsToFilter failed." + lastError);
                    return;
                }

                Console.WriteLine("Start filter service succeeded.");

                // Wait for the user to quit the program.
                Console.WriteLine("Press 'q' to quit the sample.");
                while (Console.Read() != 'q') ;

                //stop the filter service before the process exits.
                filterControl.StopFilter();
            }
            catch (Exception ex)
            {
                Console.WriteLine("Start filter service failed with error:" + ex.Message);
            }
        }

        /// Fires this event when the file was changed.
        static void NotifyFileChanged(object sender, FileChangeEventArgs e)
        {
            Console.WriteLine("NotifyFileChanged:" + e.FileName + ",eventType:" + e.eventType.ToString()
                + ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }

        /// Fires this event after the file was opened, the handle is not closed.
        static void OnFileOpen(object sender, FileCreateEventArgs e)
        {
            Console.WriteLine("FileOpen:" + e.FileName + ",status:" + e.IOStatusToString()
                + ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }

        /// Fires this event after the read IO was returned.
        static void OnFileRead(object sender, FileReadEventArgs e)
        {
            Console.WriteLine("FileRead:" + e.FileName + ",offset:" + e.offset + ",readLength:"
                + e.returnReadLength + ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }
    }
}
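
The sample above prints one line per event, which is the raw material for the "who, when, what" access log described earlier. As an added example (not part of the EaseFilter SDK or its samples), this Python script parses the three line layouts the handlers print and builds a per-user, per-process summary of files read, bytes read and files changed; the sample lines, including their eventType and status values, are constructed.

```python
import re
from collections import defaultdict

# One pattern per handler in the C# sample. FileName is matched greedily, so a
# comma or colon inside the path stays part of the file name.
TAIL = r",userName:(?P<user>.*?),processName:(?P<process>.*)$"
PATTERNS = [
    ("change", re.compile(r"^NotifyFileChanged:(?P<file>.+),eventType:(?P<detail>.+?)" + TAIL)),
    ("open", re.compile(r"^FileOpen:(?P<file>.+),status:(?P<detail>.+?)" + TAIL)),
    ("read", re.compile(r"^FileRead:(?P<file>.+),offset:(?P<offset>\d+)"
                        r",readLength:(?P<length>\d+)" + TAIL)),
]

def parse_line(line):
    """Return a dict for a recognised console line, or None for anything else."""
    for kind, pattern in PATTERNS:
        m = pattern.match(line.strip())
        if m:
            return {"kind": kind, **m.groupdict()}
    return None

def summarize(lines):
    """Aggregate per (user, process): files read, bytes read, files changed."""
    report = defaultdict(lambda: {"files_read": set(), "bytes_read": 0, "files_changed": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # banner lines such as "Start filter service succeeded."
        entry = report[(rec["user"], rec["process"])]
        if rec["kind"] == "read":
            entry["files_read"].add(rec["file"].lower())  # Windows paths compare case-insensitively
            entry["bytes_read"] += int(rec["length"])
        elif rec["kind"] == "change":
            entry["files_changed"].add(rec["file"].lower())
    return dict(report)

# Constructed sample output; the eventType and status values are illustrative.
SAMPLE = [
    r"FileOpen:c:\test\q3,final.xlsx,status:STATUS_SUCCESS,userName:CORP\alice,processName:excel.exe",
    r"FileRead:c:\test\q3,final.xlsx,offset:0,readLength:4096,userName:CORP\alice,processName:excel.exe",
    r"FileRead:C:\Test\Q3,final.xlsx,offset:4096,readLength:1024,userName:CORP\alice,processName:excel.exe",
    r"FileRead:c:\test\hr.docx,offset:0,readLength:512,userName:CORP\bob,processName:powershell.exe",
    r"NotifyFileChanged:c:\test\hr.docx,eventType:Written,userName:CORP\bob,processName:powershell.exe",
    "Start filter service succeeded.",
]

if __name__ == "__main__":
    for key, entry in summarize(SAMPLE).items():
        print(key, len(entry["files_read"]), entry["bytes_read"], sorted(entry["files_changed"]))
```

Splitting these lines on commas would cut a file name such as `q3,final.xlsx` in two, which is why the patterns anchor on the field labels instead.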