TraceEvent usage question - monitor close events

Mar 23, 2015 at 6:22 PM
I am trying to find a tool that will help me monitor disk IO events. In particular, when a file is closed so that I know it is available for some extra processing. The FileSystemWatcher tells me when a file has been changed, but it still is probably open and I would rather not poll, if I don't have to.

I found this library through a slog starting with Sysinternals' DiskMon, which referenced TraceDmp...

So, is this library capable of doing this kind of monitoring?
Developer
Mar 24, 2015 at 9:15 PM
First, if you are interested in TraceEvent, you should use the NuGet package, as that has the latest code. See http://blogs.msdn.com/b/vancem/archive/2014/03/15/walk-through-getting-started-with-etw-traceevent-nuget-samples-package.aspx for how to get the samples and the user's guide.

The TraceEvent library can monitor file activity through the Microsoft-Windows-Kernel-File provider; however, it is not really designed for the same scenario as FileSystemWatcher, as you need to be admin to listen (since you are viewing ALL file system activity, not just from your process/user). Typically you achieve what you want with FileSystemWatcher and a certain amount of polling.
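A sketch of the real-time session described in the reply above, as an added example (not Vance's code and not from the TraceEvent samples): it enables Microsoft-Windows-Kernel-File and pairs each Create event with the later Close event for the same FileObject, so the program learns when a file under a watched directory is closed. The event and payload names (Create, Close, FileObject, FileName) and the NT-device form of the reported paths are my reading of the provider's manifest and should be checked against the user's guide; the `\inbox\` directory is a constructed value.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Diagnostics.Tracing;
using Microsoft.Diagnostics.Tracing.Session;

// Added example: report when a file under a watched directory is closed, using an
// ETW real-time session on Microsoft-Windows-Kernel-File (TraceEvent NuGet package).
class KernelFileCloseMonitor
{
    static void Main(string[] args)
    {
        // Kernel-File reports NT device paths (\Device\HarddiskVolumeN\...), so match on a
        // directory fragment rather than a drive letter. Constructed value for the example.
        string watchDir = args.Length > 0 ? args[0] : @"\inbox\";

        // Real-time sessions need admin rights: the provider shows every process's file I/O.
        if (TraceEventSession.IsElevated() != true)
        {
            Console.Error.WriteLine("Run this from an elevated prompt.");
            return;
        }
        using (var session = new TraceEventSession("KernelFileCloseMonitor"))
        {
            Console.CancelKeyPress += (s, e) => session.Stop();   // Ctrl-C ends Process() below
            session.EnableProvider("Microsoft-Windows-Kernel-File", TraceEventLevel.Informational);

            // FileObject (kernel FILE_OBJECT address) -> path; filled on Create, consumed on Close.
            // Assumption: an address is reused only after the Close for the previous open.
            var openFiles = new Dictionary<string, string>(StringComparer.Ordinal);
            session.Source.Dynamic.All += delegate (TraceEvent data)
            {
                string fileObject = Convert.ToString(data.PayloadByName("FileObject"));
                if (string.IsNullOrEmpty(fileObject)) return;
                switch (data.EventName)
                {
                    case "Create":   // carries the path being opened
                        string name = Convert.ToString(data.PayloadByName("FileName"));
                        if (name != null && name.IndexOf(watchDir, StringComparison.OrdinalIgnoreCase) >= 0)
                            openFiles[fileObject] = name;
                        break;
                    case "Close":    // last reference to this FILE_OBJECT released
                        string closed;
                        if (openFiles.TryGetValue(fileObject, out closed))
                        {
                            openFiles.Remove(fileObject);
                            Console.WriteLine("{0:HH:mm:ss.fff} pid {1} closed {2}", data.TimeStamp, data.ProcessID, closed);
                        }
                        break;
                }
            };
            session.Source.Process();   // blocks, dispatching events until Stop()
        }
    }
}
```

Because the session sees all processes, the dictionary also grows with opens made by unrelated programs under the same directory; filter on `data.ProcessID` if only one producer matters.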
Mar 25, 2015 at 10:23 PM
Vance,

Yes, this looks like what I am wanting (especially considering FSW doesn't tell me when a file is closed--it only reports directory operations, basically). Running as admin is not an issue for this process.

I have tried to hunt down some documentation on the Microsoft-Windows-Kernel-File provider, but I can't seem to find any (that describes what the trace data means). For example, what are Irp, FileObject, FileKey, etc.? The decoding of IOFlags and InfoClass, etc.? Is DirEnum (which only contains the file name) always preceded by a NameCreate (which only contains the file's path)?

Anyway... Do you know where I can find the docs for Microsoft-Windows-Kernel-File?

Thanks,