event viewer question

[Kid]

hi

I am not sure if I can post ETW (Event Tracer for Windows) question here , I
know ETW can add from driver or app , we can use Windows event viewer too .

I have a question that how can I monitor actions about file create / copy /
move by event viewer or my program , I would like to know the details such as
file copy source and destination .

If I post in the wrong newsgroup , do you know which MS newsgroups I can
post this question . Thank you !

 

[Bill Sanderson]

Take a good look at the sysinternals apps--I think they can monitor this
kind of detail.

 

[Don Burn]

You cannot monitor copy and move since they do not exist at the kernel
level. You can see CREATE, READ, WRITE, CLEANUP, AND CLOSE since this is
roughly the sequence of a copy. Take a look at the sysinternals tools, or
get the WDK and try the minispy sample driver and executable.


--
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

hi

I am not sure if I can post ETW (Event Tracer for Windows) question here ,
I
know ETW can add from driver or app , we can use Windows event viewer too
.

I have a question that how can I monitor actions about file create / copy
/
move by event viewer or my program , I would like to know the details such
as
file copy source and destination .

If I post in the wrong newsgroup , do you know which MS newsgroups I can
post this question . Thank you !

__________ Information from ESET NOD32 Antivirus, version of virus
signature database 4841 (20100206) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com

__________ Information from ESET NOD32 Antivirus, version of virus signature database 4847 (20100208) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com