In our project we need to track write access to certain files on the whole system. I figured out that ETW (Event Tracing for Windows) could help us do that.
I got the TraceEvent lib to track those system events.
It turned out that the file events only contain an integer representation of the file itself. The kernel parser returns it as "FileKey". There is also a "FileObject" property.
The documentation says that one of the two must be mapped to names retrieved by other events containing a file name. I tried this, but it seems that I only get very few of those file names. The TraceEvent library itself uses a similar mapping and also doesn't retrieve all of those names.
Is there any way to retrieve the name of a certain FileObject manually from the system (without the BCL)?
- Edited by Vittel Tuesday, September 27, 2011 8:32 AM removed broken link
I found a project on CodePlex close to your purpose: TraceEvent
For more information, you can refer to the MSDN document:
Paul Zhou [MSFT]
I'm already using the library you mentioned. It is where I got those issues. There is no way to look up the FileKey and/or FileObject properties of the FileIoWrite events.
Now I don't know how I can retrieve the related file names.
In some explanatory text (found here) file-detail events are mentioned. But I dumped pretty much all events of the system and couldn't find any others than FileIoCreate. But the FileObject property there does not match any FileIoWrite events.
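The mapping the first post asks about, and the mismatch the follow-up describes, can be handled in one consumer. The points it relies on: a FileIoWrite event carries both identifiers; the kernel's name events (FileIoName, FileIoFileCreate and the FileIoFileRundown emitted when the session stops) are keyed by FileKey, while FileIoCreate/FileIoClose are keyed by FileObject, which is why a FileObject from FileIoCreate never lines up with a name event; and the name events for a file are frequently delivered only at close or at session stop, so writes that arrive before the name have to be parked and resolved later. The following is an added example, not code from this thread or from the TraceEvent project. It assumes the current Microsoft.Diagnostics.Tracing.TraceEvent NuGet package, whose event and keyword names (FileIOName, FileIOFileCreate, FileIOFileRundown, FileIOCreate, FileIOClose, FileIOWrite, Keywords.FileIO and Keywords.FileIOInit) are not on this page, and an elevated process. The parking of nameless writes goes beyond what the thread describes; it is the part that recovers the "missing" names.

```csharp
// Added example (not from the thread or the TraceEvent project). Assumes the
// Microsoft.Diagnostics.Tracing.TraceEvent NuGet package and an administrator process,
// which kernel ETW sessions require.
using System;
using System.Collections.Generic;
using System.Threading;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Parsers.Kernel;
using Microsoft.Diagnostics.Tracing.Session;

class FileWriteMonitor
{
    // A write event carries two identifiers: FileKey (shared with the name events
    // Name/FileCreate/FileRundown) and FileObject (shared with FileIoCreate/Close).
    static readonly Dictionary<ulong, string> NameByFileKey = new Dictionary<ulong, string>();
    static readonly Dictionary<ulong, string> NameByFileObject = new Dictionary<ulong, string>();

    // Writes whose name was not known yet. Name events are often delivered only when the
    // file is closed or in the rundown at session stop, so a "nameless" write is parked
    // here and reported once its FileKey gets a name.
    static readonly Dictionary<ulong, List<string>> PendingByFileKey =
        new Dictionary<ulong, List<string>>();

    static void Main()
    {
        if (TraceEventSession.IsElevated() != true)
        {
            Console.Error.WriteLine("Run elevated: kernel ETW sessions need administrator rights.");
            return;
        }

        using (var session = new TraceEventSession("FileWriteMonitor"))
        {
            // FileIO: Read/Write plus the FileKey-based name events.
            // FileIOInit: Create/Close events, which are FileObject-based.
            session.EnableKernelProvider(KernelTraceEventParser.Keywords.FileIO |
                                         KernelTraceEventParser.Keywords.FileIOInit);

            KernelTraceEventParser kernel = session.Source.Kernel;
            kernel.FileIOName += OnName;
            kernel.FileIOFileCreate += OnName;
            kernel.FileIOFileRundown += OnName;   // emitted for still-open files when the session stops
            kernel.FileIOCreate += data => NameByFileObject[data.FileObject] = data.FileName;
            kernel.FileIOClose += data => NameByFileObject.Remove(data.FileObject); // pointers get reused
            kernel.FileIOWrite += OnWrite;

            // Stop after 30 seconds; stopping the session is what triggers the FileRundown name events.
            using (new Timer(_ => session.Stop(), null, 30000, Timeout.Infinite))
            {
                session.Source.Process();   // blocks until the session is stopped
            }
        }

        foreach (var kv in PendingByFileKey)
            Console.WriteLine($"unresolved FileKey 0x{kv.Key:X}: {kv.Value.Count} write(s)");
    }

    static void OnName(FileIONameTraceData data)
    {
        NameByFileKey[data.FileKey] = data.FileName;
        if (PendingByFileKey.TryGetValue(data.FileKey, out var parked))
        {
            foreach (string write in parked)
                Console.WriteLine($"{write} -> {data.FileName}");
            PendingByFileKey.Remove(data.FileKey);
        }
    }

    static void OnWrite(FileIOReadWriteTraceData data)
    {
        // Copy the fields now: TraceEvent reuses the data object after the callback returns.
        string summary =
            $"{data.TimeStamp:HH:mm:ss.fff} pid={data.ProcessID} off={data.Offset} len={data.IoSize}";

        string name;
        if (NameByFileKey.TryGetValue(data.FileKey, out name) ||
            NameByFileObject.TryGetValue(data.FileObject, out name) ||
            !string.IsNullOrEmpty(name = data.FileName))   // the library's own lookup, same name events
        {
            Console.WriteLine($"{summary} -> {name}");
            return;
        }

        if (!PendingByFileKey.TryGetValue(data.FileKey, out var parked))
            PendingByFileKey[data.FileKey] = parked = new List<string>();
        parked.Add(summary);
    }
}
```

Two things to watch when running this: the parsing thread is the only one touching the dictionaries, so no locking is needed, and the pending list must be flushed by a clean `Stop()` rather than by killing the process, because the rundown names that resolve most of the parked writes are produced only when the session ends.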