File I/O activities monitor
The File System Monitor Filter Driver SDK monitors file system activity on the fly. With the file system monitor filter you can monitor file activity at the file system level and capture file open, create, overwrite, read, write, query file information, set file information, query security information, set security information, file rename, file delete, directory browsing and file close I/O requests. You can create your own Continuous Data Protection (CDP) software that logs file update information and write information, with offset and length, in real time. You can audit file content: intercept any file system call, analyze the content and log it. You can create access logs that show who accessed which files, and when. You can journal the file update information. This control may be based on any file parameters, such as its location, type, size, etc.
A file system filter driver intercepts requests targeted at a file system or another file system filter driver. By intercepting the request before it reaches its intended target, the filter driver can extend or replace functionality provided by the original target of the request. To develop file systems and file system filter drivers, use the Windows Driver Kit (WDK), which is provided by Microsoft. Even with the resources available in the Windows Driver Kit (WDK), developing file systems is certainly a challenge. To simplify your development and to provide you with a robust and well-tested file system filter driver that works with all versions and patch releases of the Windows operating systems supported by Microsoft, EaseFilter Inc. offers the file system filter driver SDK, which provides a complete, modular environment for building active file system filters in your application.
The EaseFilter file system monitor filter driver SDK (software development kit) provides an easy way to develop a Windows file system filter driver that implements continuous data protection, file auditing, file access logging and file journaling.
With the file system monitor filter driver you don’t need any kernel mode development experience; you can develop the file system filter driver with C++, C#, Visual Basic .NET, Delphi or even Java.
The file system monitor filter driver monitors file system activity on the fly, at the file system level, and captures file open, create, overwrite, read, write, query file information, set file information, query security information, set security information, file rename, file delete, directory browsing and file close I/O requests. You can create file access logs that show who accessed which files, and when.
The EaseFilter file I/O monitor can audit file access and changes in Windows in real time. With the EaseFilter file monitor you can monitor file activity at the file system level and capture file open, create, overwrite, read, write, query file information, set file information, query security information, set security information, file rename, file delete, directory browsing and file close I/O requests. You can create a file access log that shows who accessed which files, and when. You can get comprehensive control and visibility over users and data by tracking and monitoring all user and file activities, permission changes and storage capacity, and generate real-time audit reports.
Configure the tool to monitor the files
To start the filter driver, first add a filter rule in the settings so that the filter driver knows which files to manage.
1. Add filter rule
To manage files, add an include file filter mask with wildcard characters. If you want exceptions to this filter mask, add exclude file filter masks; otherwise leave the exclude list empty.
You can have multiple filter rules. Every include file filter mask must be unique, and every include file filter mask can have multiple exclude file filter masks.
When a user accesses a file, the filter driver checks the filter rules. If the file matches the include file filter mask of a filter rule, the driver then checks the exclude file filter masks of that rule: if the file matches an exclude file filter mask, the file is not managed; otherwise the file is managed.
2. Protected processes
To prevent a process from being terminated, add its process ID here; remove the process ID to unprotect the process.
3. Include processes
If you only want to manage files accessed by specific processes, add their process IDs here. If you leave the list empty, all processes are included.
4. Exclude processes
If you don’t want to manage files accessed by specific processes, add their process IDs here. If you leave the list empty, no process is excluded.
5. Monitor the I/O requests
Select the I/O requests you want to monitor; the console displays the I/O information when the filter driver captures a selected I/O request.
6. Display the file change events only
If you don’t want to display so many I/O requests, as a quick setting you can display only the file change I/O requests by selecting the file change events.
7. Log the file I/O request filter messages
Check the “Log filter message” check box to log the filter I/O request information to a file.
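The rule evaluation described in steps 1, 3 and 4, modelled as an added example (not EaseFilter SDK code). `FilterRule`, `MonitorConfig`, `addRule` and `isManaged` are hypothetical names, and the wildcard matcher, the "first matching rule decides" order and "excluded PID wins" are assumptions the page does not specify:

```cpp
#include <algorithm>
#include <cctype>
#include <set>
#include <string>
#include <vector>

// Case-insensitive wildcard match ('*' = any run, '?' = one character).
// Assumption: a simplified model of the mask syntax, not the driver's matcher.
static bool maskMatch(const std::string& mask, const std::string& name) {
    auto lc = [](char c) { return std::tolower(static_cast<unsigned char>(c)); };
    size_t m = 0, n = 0, star = std::string::npos, mark = 0;
    while (n < name.size()) {
        if (m < mask.size() && mask[m] == '*') { star = m++; mark = n; }
        else if (m < mask.size() && (mask[m] == '?' || lc(mask[m]) == lc(name[n]))) { ++m; ++n; }
        else if (star != std::string::npos) { m = star + 1; n = ++mark; }  // backtrack
        else return false;
    }
    while (m < mask.size() && mask[m] == '*') ++m;
    return m == mask.size();
}

struct FilterRule {                          // hypothetical type, not the SDK's
    std::string includeMask;                 // must be unique across rules
    std::vector<std::string> excludeMasks;   // empty = no exceptions
};

struct MonitorConfig {                       // hypothetical type, not the SDK's
    std::vector<FilterRule> rules;
    std::set<unsigned long> includePids;     // empty = all processes
    std::set<unsigned long> excludePids;     // empty = nothing excluded
};

// Reject a rule whose include mask is already present (masks must be unique).
bool addRule(MonitorConfig& cfg, const FilterRule& rule) {
    for (const auto& r : cfg.rules)
        if (r.includeMask == rule.includeMask) return false;
    cfg.rules.push_back(rule);
    return true;
}

// True when I/O on `path` from `pid` would be managed under `cfg`.
// Assumptions: an excluded PID wins; the first rule whose include mask matches decides.
bool isManaged(const MonitorConfig& cfg, const std::string& path, unsigned long pid) {
    if (!cfg.includePids.empty() && !cfg.includePids.count(pid)) return false;
    if (cfg.excludePids.count(pid)) return false;
    for (const auto& r : cfg.rules) {
        if (!maskMatch(r.includeMask, path)) continue;
        return std::none_of(r.excludeMasks.begin(), r.excludeMasks.end(),
            [&](const std::string& x) { return maskMatch(x, path); });
    }
    return false;
}
```

Every exclude mask and excluded process ID is a path the audit log never sees, so a model like this is useful for checking a proposed rule set against the paths you expect to be covered before deploying it.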
After you start the monitor, the console shows the I/O information as below:
From the console, you can see the following information:
1. Time: the transaction time of the I/O operation.
2. User name: the user who accessed the file. If the access comes from a remote server, the extra message “the file access from remote server” is added.
3. Process name and process ID: the process that accessed the file and initiated this I/O request.
4. ThreadId: the thread that accessed the file and initiated this I/O request.
5. I/O request name: the I/O request name.
6. FileObject: similar to the file handle concept. For every file open, the system I/O manager generates a unique file object that lasts until the file handle is closed.
7. File name: the file name associated with this I/O request.
8. File size: the size of the file that was accessed.
9. File attributes: the file attributes of the file that was accessed.
10. Last write time: the last write time of the file that was accessed.
11. Return status: the returned I/O status. It shows whether the I/O returned with a success, warning or error code.
12. Description: extra detail about the I/O request: a. file was deleted, b. file was renamed, c. new file was created, d. the query data information.
- Monitor the file I/O events: get notified when a new file is created or a file is written, renamed or deleted, or when file security is changed, and know who (user name and process name) made those I/Os.
- Monitor specific file I/O requests: get notified of the file open options (DesiredAccess, ShareMode, CreationDisposition), the read or write offset and length, and what file information (file size, file creation time, change time, file attributes) was queried or set.