6:[["$","$Le",null,{}],["$","div",null,{"className":"min-h-screen bg-gray-100 p-6","children":[["$","$Lf",null,{}],["$","script",null,{"type":"application/ld+json","dangerouslySetInnerHTML":{"__html":"{\"@context\":\"https://schema.org\",\"@type\":\"QAPage\",\"mainEntity\":{\"@type\":\"Question\",\"name\":\"Monitoring IO like Sysinternals' ProcMon\",\"text\":\"

How does the Process Monitor from Sysinternals monitor file IO activity like it does? If you enable the advanced information, you can see that calls that were previously shown as CreateFile are now shown as IRP_MJ_CREATE which suggests that it hooks some rather low level stuff. Does anyone know exactly what it hooks/how it works?

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"John Zane\"},\"upvoteCount\":3,\"answerCount\":1,\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"

Perhaps your answer is with this SO post

\\n\",\"author\":{\"@type\":\"Person\",\"name\":\"Hannes de Jager\"},\"upvoteCount\":2}}}"}}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mb-6 relative","children":[["$","div",null,{"className":"absolute top-4 right-4 flex flex-wrap space-x-2","children":[["$","span","filesystems",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/filesystems/1","children":"filesystems"}]}],["$","span","io",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/io/1","children":"io"}]}],["$","span","monitoring",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/monitoring/1","children":"monitoring"}]}],["$","span","procmon",{"className":"bg-blue-600 text-white text-sm px-3 py-1 rounded-full","children":["$","$L10",null,{"href":"/discussion/tag/procmon/1","children":"procmon"}]}]]}],["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/4e8c4db28960bb3cff9b60451e9e3782?s=256&d=identicon&r=PG","alt":"John Zane","className":"w-16 h-16 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/538627/john-zane","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"John Zane"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",888]}]]}]]}],["$","h1",null,{"className":"text-2xl font-bold text-gray-800 mb-4","children":"Monitoring IO like Sysinternals' ProcMon"}],["$","p",null,{"className":"text-gray-700 mt-4","dangerouslySetInnerHTML":{"__html":"

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm mt-4","children":[["$","p",null,{"children":["Upvotes: ",3]}],["$","p",null,{"children":["Views: ",3528]}]]}]]}],["$","div",null,{"className":"container mx-auto","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-6","children":["Answers (",1,")"]}],[["$","div","4958216",{"className":"bg-white shadow-md rounded-lg p-6 mb-6","children":[["$","div",null,{"className":"flex items-center mb-4","children":[["$","img",null,{"src":"https://www.gravatar.com/avatar/cc8ae49cb2ee9881b47785fd38d0a93d?s=256&d=identicon&r=PG","alt":"Hannes de Jager","className":"w-12 h-12 rounded-full border"}],["$","div",null,{"className":"ml-4","children":[["$","a",null,{"href":"https://stackoverflow.com/users/45390/hannes-de-jager","target":"_blank","rel":"noopener noreferrer","className":"text-lg font-semibold text-blue-600 hover:underline","children":"Hannes de Jager"}],["$","p",null,{"className":"text-sm text-gray-500","children":["Reputation: ",2923]}]]}]]}],["$","p",null,{"className":"text-gray-700 mb-4","dangerouslySetInnerHTML":{"__html":"

Perhaps your answer is with this SO post

\n"}}],["$","div",null,{"className":"text-gray-600 text-sm","children":["$","p",null,{"children":["Upvotes: ",2]}]}]]}]]]}],["$","div",null,{"className":"bg-white shadow-md rounded-lg p-6 mt-6","children":[["$","h2",null,{"className":"text-2xl font-semibold text-gray-800 mb-4","children":"Related Questions"}],["$","ul",null,{"className":"list-disc list-inside","children":[["$","li","324258",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/324258","className":"text-blue-600 hover:underline","children":"Is there an equivalent to the .Net FileSystemWatcher in the Linux world?"}]}],["$","li","2528355",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/2528355","className":"text-blue-600 hover:underline","children":"Monitor files similar to System Internal's/Microsoft's FileMon/Process Monitor"}]}],["$","li","17099312",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/17099312","className":"text-blue-600 hover:underline","children":"Monitoring Windows system Read/Write operations by process?"}]}],["$","li","8046788",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/8046788","className":"text-blue-600 hover:underline","children":"C# - How to monitor a process' file read/write operations?"}]}],["$","li","7686470",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/7686470","className":"text-blue-600 hover:underline","children":"Tool for IO analysis?"}]}],["$","li","4832732",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/4832732","className":"text-blue-600 hover:underline","children":"How to measure characteristics of file (hard-disk) I/O?"}]}],["$","li","3971180",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/3971180","className":"text-blue-600 hover:underline","children":"How to monitor process' IO activity using C#?"}]}],["$","li","2878999",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/2878999","className":"text-blue-600 hover:underline","children":"Disk IO profiler for existing applications"}]}],["$","li","2625833",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/2625833","className":"text-blue-600 hover:underline","children":"Monitor disk activity programmatically (Windows)"}]}],["$","li","2625711",{"className":"mb-2","children":["$","$L10",null,{"href":"/discussion/solution/2625711","className":"text-blue-600 hover:underline","children":"How can I monitor disk access for a certain file?"}]}]]}]]}]]}],["$","$L11",null,{}],["$","$L12",null,{}],["$","$L13",null,{}],["$","$L14",null,{}],["$","$L15",null,{}]]

Monitoring IO like Sysinternals&#39; ProcMon

Answers (1)

Related Questions

Monitoring IO like Sysinternals' ProcMon