Detecting file open and close

EliteBadger@gmail.com
#1: Sep 13 '06
Hey,

I've searched around on Google Groups for a while on this topic, and
haven't found anything useful. I use a FileSystemWatcher to catch
filesystem events. I would also like to get an event when a file is
opened and when it is closed. It would also be nice if I could get more
information about the process that owns the file--what its PID is,
whether the file is opened for read sharing, rw sharing, etc. I know
this sort of thing is possible, because SysInternals and antivirus
software do something similar to this. The only question is whether I
can do it in managed code.

If it is possible to do it via the .NET fw, where would I look to find
classes that can provide this functionality? If not, what Win32 API
calls do I need to make to find this information out?

Thanks,
Nathan


Michael Nemtsev
#2: Sep 13 '06

re: Detecting file open and close


Hello EliteBadger@gmail.com,

See ReadDirectoryChangesW API function in MSDN (http://www.pinvoke.net/default.aspx/...yChangesW.html)
If it doesn't help then you need to create a hook
---
WBR,
Michael Nemtsev :: blog: http://spaces.live.com/laflour

"At times one remains faithful to a cause only because its opponents do not
cease to be insipid." (c) Friedrich Nietzsche


EliteBadger@gmail.com
#3: Sep 20 '06

re: Detecting file open and close


Michael,

Thanks for the reply. I looked at that API function, but it does not
allow me to detect open or close. Could you maybe give me a hint about
what I need to do to create a hook as you suggested?

Thanks
Nathan

Michael Nemtsev
#4: Sep 20 '06

re: Detecting file open and close


Hello EliteBadger@gmail.com,

See there http://www.codeproject.com/info/sear...ed=20+Sep+2006


EliteBadger@gmail.com
#5: Sep 26 '06

re: Detecting file open and close


Thanks Michael. Those look like they will be helpful.

Nathan

EliteBadger@gmail.com
#6: Sep 26 '06

re: Detecting file open and close


All those articles discuss registering hooks for keyboard and mouse
events. The SetWindowsHookEx function does not appear to have a flag
for filesystem events. Or maybe I'm missing something?

Thanks,
Nathan

Willy Denoyette [MVP]
#7: Sep 26 '06

re: Detecting file open and close



<EliteBadger@gmail.com> wrote in message
news:1159296341.711026.90870@m73g2000cwd.googlegroups.com...
| All those articles discuss registering hooks for keyboard and mouse
| events. The SetWindowsHookEx function does not appear to have a flag
| for filesystem events. Or maybe I'm missing something?
|
| Thanks,
| Nathan
|
| Michael Nemtsev wrote:
| > Hello EliteBadger@gmail.com,
| >
| > See there http://www.codeproject.com/info/sear...ed=20+Sep+2006
|

You won't be able to get any closer than what's provided by the Win32 APIs
(ReadDirectoryChangesW). Even if you throw a Filesystem Filter driver in
the pack, such that you could track the IRPs sent down the device stack,
this filter would have to keep track of the number of OPEN IRPs issued for
each file you want to monitor.

Willy.
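
The per-file bookkeeping described in the reply above, as an added example that is not part of the original thread: a user-mode C simulation that counts outstanding opens per path and reports only the first open and the last close. The event struct, function names, PIDs and paths are constructed for illustration; the open and close events stand in for the requests a filter driver would observe.

```c
#include <stdio.h>
#include <string.h>

/* Constructed event kinds standing in for the open and close requests a filter sees. */
enum ev_kind { EV_OPEN, EV_CLOSE };
struct file_event { enum ev_kind kind; unsigned pid; const char *path; };

/* Result of feeding one event to the tracker. */
enum transition { T_NONE, T_FIRST_OPEN, T_LAST_CLOSE, T_UNMATCHED };

#define MAX_FILES 16
static struct { const char *path; int opens; } table[MAX_FILES];
static int n_files;

/* Number of opens currently outstanding for path (0 if never seen). */
int outstanding(const char *path) {
    for (int i = 0; i < n_files; i++)
        if (strcmp(table[i].path, path) == 0) return table[i].opens;
    return 0;
}

/* Update the count for ev->path and say whether the file's state changed. */
enum transition track(const struct file_event *ev) {
    int i = 0;
    while (i < n_files && strcmp(table[i].path, ev->path) != 0) i++;
    if (i == n_files) {                       /* path not seen before */
        /* A close for an unknown path, or a full table, cannot be tracked. */
        if (ev->kind == EV_CLOSE || n_files == MAX_FILES) return T_UNMATCHED;
        table[n_files].path = ev->path;
        table[n_files++].opens = 0;
    }
    if (ev->kind == EV_OPEN)
        return table[i].opens++ == 0 ? T_FIRST_OPEN : T_NONE;
    if (table[i].opens == 0) return T_UNMATCHED;  /* handle opened before monitoring began */
    return --table[i].opens == 0 ? T_LAST_CLOSE : T_NONE;
}

int main(void) {
    /* Constructed sample: two processes overlap on one file, then a stray close. */
    static const struct file_event sample[] = {
        { EV_OPEN,  1204, "C:\\data\\report.doc" },
        { EV_OPEN,  3310, "C:\\data\\report.doc" },
        { EV_CLOSE, 1204, "C:\\data\\report.doc" },
        { EV_CLOSE, 3310, "C:\\data\\report.doc" },
        { EV_CLOSE, 3310, "C:\\data\\other.txt"  },
    };
    static const char *names[] = { "no change", "first open", "last close", "unmatched close" };
    for (size_t k = 0; k < sizeof sample / sizeof sample[0]; k++)
        printf("pid %u %s -> %s\n", sample[k].pid, sample[k].path, names[track(&sample[k])]);
    return 0;
}
```

The unmatched case matters in practice: a monitor that starts after a file is already open sees a close it never counted an open for.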


EliteBadger@gmail.com
#8: Sep 27 '06

re: Detecting file open and close


Thanks for the response, Willy.

OK, so what we have established (I think) is that there is no direct
Win32 API support for what I want to do. However, it is obviously
*possible* to do it, it's just a question of how much effort it would
take.

So that's my question now. How much effort would it take, and what
would the overhead look like? As you suggest, I could create a
filesystem filter driver. I could also try to use some interposition
layer on the calling end to capture file open/close calls made to the
system (the Microsoft Research 'Detours' project is one example). I
could also use the NetFileEnum API call and either via polling or via
some sort of intelligent system of calling it on certain types of
accesses, I could extrapolate the information I want.

Are there any other options?

Thanks
Nathan