EaseFilter File System File I/O Monitor

Download EaseFilter File Monitor Filter Driver SDK Setup File
Download EaseFilter File Monitor Filter Driver SDK Zip File
Understand EaseFilter Filter Driver SDK Programming

Develop File Monitor Application With File System Filter Driver SDK

EaseFilter file system filter driver is a kernel-mode component that runs as part of the Windows executive above the file system. The EaseFilter file system filter driver can intercept requests targeted at a file system or another file system filter driver. By intercepting the request before it reaches its intended target, the filter driver can extend or replace functionality provided by the original target of the request. The EaseFilter file system filter driver can log, observe, modify, or even prevent the I/O operations for one or more file systems or file system volumes.

Monitor File Activities in Real Time with EaseFilter File Monitor

The EaseFilter file I/O monitor can audit file access and change in Windows in Real-Time. With the EaseFilter file monitor you can monitor the file activities on file system level, capture file open, create, overwrite, read, write, query file information, set file information, query security information, set security information, file rename, file delete, directory browsing and file close I/O requests.You can create the file access log, you will know who, when, what files were accessed. You can get comprehensive control and visibility over users and data by tracking and monitoring all the user & file activities, permission changes, storage capacity and generate real-time audit reports.

Monitor file I/O activities with flexible filter rule configuration settings

To start the filter driver, first you need to add the filter rule in the settings, then the filter driver will know which file to be managed.

1. Flexible filter rules with wildcard characters

To manage the files, add the include file filter mask with wildcard characters, if you want to have exception for thi filter mask, then add the exclude file filter mask, or let it empty.You can have multiple filter rules, every include file filter mask must be unique, every include file filter mask can have multiple exclude file filter masks.

When the users acess the files, the filter driver will check the filter rules, if the file matches the include file filter mask of the file rule, then it will check if there are exclude file filter masks in this filter rule, if the file matches the exclude file filter mask, then this file won't be managed, or this file will be managed.

2. Protected processes

To prevent the processes being terminated, you can add the process Id here, remove it if you want to unprotect it.

3. Include processes

If you only want to manage the files from the specific processes, then add the process Id here, or let it empty, it will include all the processes.

4. Exclude processes

If you don't want to manage the files from the specific processes, then add the process Id here, or let it empty, it won't exclude any process.

5. Monitor specific file I/O in real time

To select the I/O requests you want to monitor, so the console will display the I/O information when the filter driver capture the I/O request.

5. Notify the file change with the register events

If you don't want to dispaly so many I/O requests, for the quick setting, you can only display the file change I/O requests when the file change events were selected.

6. Log the file I/O request filter messages

Check the "Log filter message" check box, then the filter I/O request information will be logged to a file.

EaseFilter File Monitor Demo

After start the monitor, in the console, you will see the I/O information as below:

Audit file access with the return file access status:

1. Time : the transaction time fo the I/O operation.

2. User name: the user who access the file, if it is from remote server, it will add the extra message "the file access from remote server".

3. Process name and process Id: the process which access the file and initiate this I/O request.

4. ThreadId: the thread which access the file and initiate this I/O request.

5. I/O request name: the I/O request name.

6. FileObject: it is similar to file handle concept, every file open, the system I/O manager will gernate a unique file object till the file handle was closed.

6. File name: the file name which was associated to this I/O request.

7. File size: the file size of the file which was accessed..

8. File attributes: the file attributes of the file which was accessed.

9. Last write time: the last write time of the file which was accessed.

10. Return status: the return I/O status, it shows the I/O result if it was return with success, warning or error code.

11. Description: the description shows the extra detail information of the I/O request. a. file was deleted, b. file was renamed, c. new file was created. d. the query data information.

EaseFilter File Monitor Examples in C#

The following example creates a filter rule to watch the directory specified at run time. The component is set to watch for all file change in the directory. If a file was changed, the file name, file change type, user name, process name will be printed to the console. The component also is set to watch the file open and file read IO, the IO was triggered, the file open and file read information will be printed to the console.

 
  
using System;
using EaseFilter.FilterControl;

namespace FileMonitorConsole
{
    class Program
    {
        static FilterControl filterControl = new FilterControl();

        static void Main(string[] args)
        {
            string lastError = string.Empty;
            string licenseKey = "Email us to request a trial key: info@easefilter.com";
                
            FilterAPI.FilterType filterType = FilterAPI.FilterType.MONITOR_FILTER;
            int serviceThreads = 5;
            int connectionTimeOut = 10; //seconds

            try
            {
                if (!filterControl.StartFilter(filterType, serviceThreads, connectionTimeOut, licenseKey, ref lastError))
                {
                    Console.WriteLine("Start Filter Service failed with error:" + lastError);
                    return;
                }

                //the watch path can use wildcard to be the file path filter mask.i.e. '*.txt' only monitor text file.
                string watchPath = "c:\\test\\*";

                if (args.Length > 0)
                {
                    watchPath = args[0];
                }

                //create a file monitor filter rule, every filter rule must have the unique watch path. 
                FileFilter fileMonitorFilter = new FileFilter(watchPath);

                //Filter the file change event to monitor all file change events.
                fileMonitorFilter.FileChangeEventFilter = FilterAPI.MonitorFileEvents.NotifyAll;

                //register the file change callback events.
                fileMonitorFilter.NotifyFileWasChanged += NotifyFileChanged;

                //Filter the monitor file IO events
                fileMonitorFilter.MonitorFileIOEventFilter = (ulong)(MonitorFileIOEvents.OnFileOpen | MonitorFileIOEvents.OnFileRead);

                fileMonitorFilter.OnFileOpen += OnFileOpen;
                fileMonitorFilter.OnFileRead += OnFileRead;

                filterControl.AddFilter(fileMonitorFilter);

                if (!filterControl.SendConfigSettingsToFilter(ref lastError))
                {
                    Console.WriteLine("SendConfigSettingsToFilter failed." + lastError);
                    return;
                }

                Console.WriteLine("Start filter service succeeded.");

                // Wait for the user to quit the program.
                Console.WriteLine("Press 'q' to quit the sample.");
                while (Console.Read() != 'q') ;

                filterControl.StopFilter();

            }
            catch (Exception ex)
            {
                Console.WriteLine("Start filter service failed with error:" + ex.Message);
            }

        }

        /// Fires this event when the file was changed.
        static void NotifyFileChanged(object sender, FileChangeEventArgs e)
        {
            Console.WriteLine("NotifyFileChanged:" + e.FileName + ",eventType:" + e.eventType.ToString() 
				+ ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }

        /// Fires this event after the file was opened, the handle is not closed. 
        static void OnFileOpen(object sender, FileCreateEventArgs e)
        {
            Console.WriteLine("FileOpen:" + e.FileName + ",status:" +  e.IOStatusToString() 
				+ ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }

        /// Fires this event after the read IO was returned.
        static void OnFileRead(object sender, FileReadEventArgs e)
        {
            Console.WriteLine("FileRead:" + e.FileName + ",offset:" + e.offset + ",readLength:" 
				+ e.returnReadLength + ",userName:" + e.UserName + ",processName:" + e.ProcessName);
        }
    }
}


About EaseFilter Inc.

EaseFilter Inc. is a company who specializes in windows file system filter driver development. It can provide architect, implement and test file system filter drivers for a wide range of functionalities. It also can offer several levels of assistance to meet your specific needs: Provide consulting service for your existing file system filter driver; Customize the SDK to meet your requirement; Create your own filter driver with SDK source code.