Detecting file open and close

EliteBadger

Hey,

I've searched around on Google Groups for a while on this topic, and
haven't found anything useful. I use a FileSystemWatcher to catch
filesystem events. I would also like to get an event when a file is
opened and when it is closed. It would also be nice if I could get more
information about the process that owns the file--what its PID is,
whether the file is opened for read sharing, rw sharing, etc. I know
this sort of thing is possible, because SysInternals and antivirus
software do something similar to this. The only question is whether I
can do it in managed code.

If it is possible to do it via the .NET fw, where would I look to find
classes that can provide this functionality? If not, what Win32 API
calls do I need to make to find this information out?

Thanks,
Nathan
 
Hello (e-mail address removed),

See the ReadDirectoryChangesW API function in MSDN (http://www.pinvoke.net/default.aspx/kernel32/ReadDirectoryChangesW.html).
If it doesn't help, then you need to create a hook.
---
WBR,
Michael Nemtsev :: blog: http://spaces.live.com/laflour

"At times one remains faithful to a cause only because its opponents do not
cease to be insipid." (c) Friedrich Nietzsche
 
Michael,

Thanks for the reply. I looked at that API function, but it does not
allow me to detect open or close. Could you maybe give me a hint about
what I need to do to create a hook as you suggested?

Thanks
Nathan
 
Hello (e-mail address removed),

See there http://www.codeproject.com/info/sea...=Search&author=&sd=15+Nov+1999&ed=20+Sep+2006
---
WBR,
Michael Nemtsev :: blog: http://spaces.live.com/laflour
 
All those articles discuss registering hooks for keyboard and mouse
events. The SetWindowsHookEx function does not appear to have a flag
for filesystem events. Or maybe I'm missing something?

Thanks,
Nathan
 
| All those articles discuss registering hooks for keyboard and mouse
| events. The SetWindowsHookEx function does not appear to have a flag
| for filesystem events. Or maybe I'm missing something?
|
| Thanks,
| Nathan
|
| Michael Nemtsev wrote:
| > Hello (e-mail address removed),
| >
| > See there http://www.codeproject.com/info/sea...=Search&author=&sd=15+Nov+1999&ed=20+Sep+2006
|

You won't be able to get any closer than what's provided by the Win32 APIs
(ReadDirectoryChangesW). Even if you throw a Filesystem Filter driver in
the pack, such that you could track the IRPs sent down the device stack,
this filter would have to keep track of the number of OPEN IRPs issued for
each file you want to monitor.

Willy.
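
The per-file bookkeeping described in the reply above, as an added example that is not part of the original thread: a user-mode C simulation over a constructed event trace. The event names, struct layout, PIDs and paths are hypothetical; a real filter would feed the same counter from successful IRP_MJ_CREATE completions and IRP_MJ_CLEANUP requests.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical event kinds standing in for what a filter driver observes:
   a completed create (success or failure) and a cleanup (last handle closed). */
enum ev_kind { EV_CREATE_OK, EV_CREATE_FAILED, EV_CLEANUP };
struct event { enum ev_kind kind; unsigned pid; const char *path; };

#define MAX_FILES 16
static struct { const char *path; int opens; } files[MAX_FILES];
static int n_files;

/* Current number of outstanding opens for path, or -1 if never seen. */
int open_count(const char *path) {
    for (int i = 0; i < n_files; i++)
        if (strcmp(files[i].path, path) == 0) return files[i].opens;
    return -1;
}

/* Feed one event. Returns +1 on closed->open, -1 on open->closed, else 0. */
int track(const struct event *e) {
    int i = 0;
    while (i < n_files && strcmp(files[i].path, e->path) != 0) i++;
    if (i == n_files) {                      /* first time this path is seen */
        if (n_files == MAX_FILES) return 0;  /* table full: event dropped */
        files[n_files].path = e->path;
        files[n_files++].opens = 0;
    }
    if (e->kind == EV_CREATE_OK) return ++files[i].opens == 1 ? 1 : 0;
    if (e->kind == EV_CLEANUP && files[i].opens > 0)
        return --files[i].opens == 0 ? -1 : 0;
    return 0; /* failed create, or cleanup for an open made before monitoring */
}

/* Constructed trace: two processes share one file, one open is denied. */
static const struct event trace[] = {
    { EV_CREATE_OK,     1204, "C:\\data\\report.txt" },
    { EV_CREATE_OK,     3388, "C:\\data\\report.txt" },
    { EV_CREATE_FAILED, 4100, "C:\\data\\report.txt" },
    { EV_CLEANUP,       1204, "C:\\data\\report.txt" },
    { EV_CLEANUP,       3388, "C:\\data\\report.txt" },
};

int main(void) {
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        int t = track(&trace[i]);
        if (t) printf("%s %s (pid %u)\n", trace[i].path,
                      t > 0 ? "opened" : "closed", trace[i].pid);
    }
    return 0;
}
```

Only the first successful create and the last cleanup produce a transition; the denied open and any cleanup for a handle opened before monitoring began leave the count unchanged.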
 
Thanks for the response, Willy.

OK, so what we have established (I think) is that there is no direct
Win32 API support for what I want to do. However, it is obviously
*possible* to do it; it's just a question of how much effort it would
take.

So that's my question now. How much effort would it take, and what
would the overhead look like? As you suggest, I could create a
filesystem filter driver. I could also try to use some interposition
layer on the calling end to capture file open/close calls made to the
system (the Microsoft Research 'Detours' project is one example). I
could also use the NetFileEnum API call and either via polling or via
some sort of intelligent system of calling it on certain types of
accesses, I could extrapolate the information I want.

Are there any other options?

Thanks
Nathan
 