Sign in
 
HomeDashboardLearnSamplesDownloadsSupportCommunity
Dev Center - Desktop > Windows Desktop Development Forums > User Interface development for Windows Desktop > Detecting when file is moved with Windows Explorer

Unanswered Detecting when file is moved with Windows Explorer

    •  
      Sunday, February 28, 2010 10:09 PM
       
       
      Sign In to Vote
      0
      Sign In to Vote
      Hello,

      I need a way to detect when the user moves a file with Windows Explorer. Is there some way to hook into Explorer to be notified of such events?

      __

      In more detail:

      1. my application, www.tabbles.net, offers a tagging filesystem built on top of the ordinary file system. So it needs to be notified when a file is moved (both within the same disk and across multiple disks).

      2. The filesystemwatcher in .NET is no good for that purpose because it only tells you when a file is created, renamed or deleted; there is no "file moved" event to watch. And, if that weren't enough, it is not reliable, whereas I need 100% reliability.

      3. Similarly, a filesystem minifilter, in addition to being difficult to build, would solve the reliability problem but not the other problem (the lack of a moved event). (for that I would have to implement pattern-matching techniques, searching for a deleted-created pattern, to guess whether a file has been moved. This would be computationally expensive and not 100% reliable.)

      4. I am not interested in files moved by applications other than Windows Explorer. The reason is that many applications, when they create files or backup copies, or when they overwrite files, use complex patterns such as create-rename-delete, which I would have to detect and manage in my application.

      __

      For all those reasons, I have come to the conclusion that what I need is to somehow connect to Windows Explorer, not to the filesystem, and there detect the user's move action.

      I would be grateful for any suggestion. Thank you.
       

    All Replies

    • Monday, March 01, 2010 3:29 AM
      Moderator
       
       
      Sign In to Vote
      0
      Sign In to Vote
      Hello

      Shell provides copy hook handler that is called when a folder or printer object is about to be moved, copied, deleted, or renamed. It enables you to approve or veto the operation. However, this handler only works for folder or printer. Does this meet your requirement. 
      Regards,
      Jialiang Ge
      MSDN Subscriber Support in Forum
      If you have any feedback of our support, please contact msdnmg@microsoft.com.
      Please remember to mark the replies as answers if they help and unmark them if they provide no help.
      Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
       
    • Monday, March 01, 2010 9:19 AM
       
       
      Sign In to Vote
      0
      Sign In to Vote
      I'm afraid it won't work. I need to detect the movement of files too. Thanks anyway.
       
    • Monday, March 01, 2010 9:10 PM
       
       
      Sign In to Vote
      1
      Sign In to Vote
      What about DLL injection into explorer and then using API redirection like Detours to redirect MoveFile/MoveFileEx functions?
       
    • Tuesday, March 02, 2010 7:42 AM
       
       
      Sign In to Vote
      0
      Sign In to Vote
      Thank you, I didn't know that was possible. That's the kind of hint I was looking for. :)

      What makes me hesitant is that I have to also detect the movement of files from one disk to another. What if Explorer does not use MoveFileEx, but a combination of CopyFile and delete? Or if it creates a new file and then copies the old file bit-by-bit? How would I detect that pattern?
       
    • Tuesday, March 02, 2010 1:28 PM
       
       
      Sign In to Vote
      0
      Sign In to Vote
      I guess that is possible, but I don't think they would handle it that way since the MoveFile APIs basically do that combination under the hood.  Actually I would think they probably use the MoveFileWithProgress API to give you more data.  I have done a lot of work with Detours-like technology and Explorer, but it was at a lower level using the NTxxxx file APIs.  You might want to do some research with a tool like API Monitor to see if that can help you determine what Explorer is doing.
       
    • Tuesday, March 02, 2010 3:47 PM
       
       
      Sign In to Vote
      1
      Sign In to Vote

      Based on your description, i feel you need to monitor entire file system  operation which is invloved by windows explorer.  I would say, rather than sticking with file monitoring, go to the driver level, where you can have hold of any IO operation. The best monitor application will suits for this job is a 'RootKit'. Well, its bit complicated and too close to security risks. But believe me, most of security softwares have their own RootKits installed on the machine they run.

      These applications will monitor file system operations, read, write, move, copyto clipboard etc.

      For pattern matching there is a good technology called, 'document finger printing' which is very effective for files which are not binary. Other kind of files you can use Hash value (sha10, MD5).

      Thanks Mike --------Please mark as answer if it is useful----------