In our project we need to track write-access to certain files on the whole system. I figured out that ETW (Event Tracing for Windows) could help us do that.
I got the TraceEvent lib to track those system events.
It turned out that the file events only contain an integer representation of the file itself. The kernel parser returns it as "FileKey". There is also a "FileObject" property.
The documentation says that one of the two must be mapped to names retrieved by other events containing a file name. I tried this, but it seems that I only get very few of those file names. The TraceEvent library itself uses a similar mapping and also doesn't retrieve all of those names.
Is there any way to retrieve the name of a certain FileObject manually from the system (without bcl)?
Edited by Vittel, Tuesday, September 27, 2011 8:32 AM: removed broken link
I'm already using the library you mentioned. It is the one I'm having those issues with. There is no way to look up the FileKey and/or FileObject properties of the FileIoWrite events.
Now I don't know how I can retrieve the related file names.
In some explanatory text (found here) file-detail events are mentioned. But I dumped pretty much all events of the system and couldn't find others than FileIoCreate. And the FileObject property there does not match any FileIoWrite events.
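One way to do the mapping by hand instead of relying on the names the library resolves for you, as an added example that is not code from this thread or from the TraceEvent project: it assumes the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package with its KernelTraceEventParser event names, and it must run elevated because kernel tracing needs administrative rights. It keeps two tables, FileKey → name fed by the kernel's FileIo name/rundown events (which only appear when the DiskFileIO keyword is enabled) and FileObject → name fed by FileIoCreate, and resolves each FileIoWrite through them before falling back to the name TraceEvent resolved itself. Handles opened before the session started never produce a FileIoCreate event, so writes to those can only be named via the FileKey table seeded by the rundown events at session start; anything still unresolved is printed with its raw keys so the gaps stay visible.

```csharp
// Added example (not from the original thread or the TraceEvent project):
// name the files behind kernel FileIoWrite events with our own FileKey/FileObject tables.
// Assumes the Microsoft.Diagnostics.Tracing.TraceEvent NuGet package; run elevated.
using System;
using System.Collections.Generic;
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Parsers.Kernel;
using Microsoft.Diagnostics.Tracing.Session;

class FileWriteMonitor
{
    // FileKey -> name, fed by the FileIo name events (Name, FileCreate, FileRundown).
    static readonly Dictionary<ulong, string> byFileKey = new Dictionary<ulong, string>();
    // FileObject -> name, fed by FileIoCreate (one entry per open handle).
    static readonly Dictionary<ulong, string> byFileObject = new Dictionary<ulong, string>();

    static void Main()
    {
        // Session name is our own choice; on Windows 7 and earlier the kernel provider
        // can only be enabled in the session named KernelTraceEventParser.KernelSessionName.
        using (var session = new TraceEventSession("FileWriteMonitorSession"))
        {
            // DiskFileIO : FileKey -> name mapping events, including the rundown at start.
            // FileIOInit : FileIoCreate/Cleanup/Close events carrying the FileObject.
            // FileIO     : the completed read/write operations we want to track.
            session.EnableKernelProvider(
                KernelTraceEventParser.Keywords.DiskFileIO |
                KernelTraceEventParser.Keywords.FileIOInit |
                KernelTraceEventParser.Keywords.FileIO);

            KernelTraceEventParser kernel = session.Source.Kernel;

            // All three name events share the FileIONameTraceData payload (FileKey + FileName).
            Action<FileIONameTraceData> remember = d => { byFileKey[d.FileKey] = d.FileName; };
            kernel.FileIOName += remember;
            kernel.FileIOFileCreate += remember;
            kernel.FileIOFileRundown += remember;
            kernel.FileIOFileDelete += d => byFileKey.Remove(d.FileKey);

            // Handle-level mapping: the FileObject of a create is reused by later reads/writes.
            kernel.FileIOCreate += d =>
            {
                if (!string.IsNullOrEmpty(d.FileName))
                    byFileObject[d.FileObject] = d.FileName;
            };
            kernel.FileIOClose += d => byFileObject.Remove(d.FileObject);

            kernel.FileIOWrite += d =>
            {
                string name = Resolve(d.FileObject, d.FileKey, d.FileName);
                Console.WriteLine($"{d.TimeStamp:HH:mm:ss.fff} pid={d.ProcessID} {d.ProcessName} " +
                                  $"wrote {d.IoSize} bytes at offset {d.Offset} to {name}");
            };

            // Ctrl+C stops the session, which makes Process() return.
            Console.CancelKeyPress += (s, e) => { e.Cancel = true; session.Dispose(); };
            session.Source.Process();
        }
    }

    // Preference order: our FileObject table (exact handle), then our FileKey table
    // (kernel name events), then the name TraceEvent resolved itself. Unresolved
    // writes are reported with their raw keys rather than silently as an empty string.
    static string Resolve(ulong fileObject, ulong fileKey, string libraryName)
    {
        string name;
        if (byFileObject.TryGetValue(fileObject, out name)) return name;
        if (byFileKey.TryGetValue(fileKey, out name)) return name;
        if (!string.IsNullOrEmpty(libraryName)) return libraryName;
        return $"<unresolved FileObject=0x{fileObject:X} FileKey=0x{fileKey:X}>";
    }
}
```

The FileKey table is the one that covers files that were already open when tracing began, so if writes to long-lived handles (log files, databases) come back unresolved, the first thing to check is that the DiskFileIO keyword really is enabled and that the rundown events arrived before the writes.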