Trace file creation or changes as they happen

[Harry Putnam]

I've spent some time combing the web for a tool which can keep watch
on part or all of the filesystem, reporting any changes that occur as
they occur.

I find lots of snapshot type tools, but they don't work in real time.
And many are not designed to be aimed at less than a whole disk.

I found `snapper3' which can be aimed at a directory tree, and it
seems pretty good but still not realtime.

I just assumed something like that would be sort of common but
apparently not. The things I've found that claim to do this appear to
be professional level tools that are part of larger suites or the
like.

Anyone here that can speak from experience about both a well designed
snapshot type tool and a tool that can report file changes as they
happen or nearly so?

 

[Ramesh, MS-MVP]

Harry,

Have you tried FileMon from Sysinternals.com?

 

[Harry Putnam]

Harry,

Have you tried FileMon from Sysinternals.com?

No, I hadn't tried that but I see it isn't possible to aim it at less
than a whole drive, which in my opinion is just tooo much data to be
of much use, short of employing other tools to do that.

It doesn't give file sizes in normal terminology either.

That site seems not to have a `snapshot' tool either.

Thanks for the lead. It is a nice tool to immediately see file
creation happening.

 

[Harry Putnam]

Harry,

Have you tried FileMon from Sysinternals.com?

My trial of that and reading more about a more specific kind of tool
that records a snapshot for comparison to later shots seems like it
might be more what I'm after.

I've tried InControl5, system mechanic, and at least one more I've
forgotten the name of. All shared a common problem. They produce a
really massive list of files. None seem to offer further
functionality that would take that list and compare it to one compiled
following an install. Then run thru that list and remove every change
an install had made on the system.

That is, following a regular uninstall, one could run this tool that
had captured a snapshot before INstall and make sure the uninstall has
actually removed every last thing or reversed every last change that
install did.

What seems to be the missing ingrediant in what I've seen is the part
where deletion is automated from the list comparison. So that
somewhere down the road, you decide you don't like whatever it was
installed and you want it entirely removed. But not to remove other
files that may also have been added since install. You can run this
tool that using the record from just before install and removes it for
you.

 

[David Candy]

Auditing. Not a great UI but it will log whatever in the Event Logs.

 

[Harry Putnam]

Auditing. Not a great UI but it will log whatever in the Event Logs.

Is this a specific tool or are you speaking of a general method?

 

[David Candy]

Type it in Help. It's not a tool but part of the OS. However it's not an inctrl5 (which in a later post you talk about and it does exactly what you asked for).

But I don't know why you want to waste your time.

 

[Harry Putnam]

Type it in Help. It's not a tool but part of the OS. However it's not an inctrl5 (which in a later post you talk about and it does exactly what you asked for).

But I don't know why you want to waste your time.

This is the worst interface I've ever seen. It takes about 1/2 hour
to click,clack,apply,ok your way thru this ridiculous maze.

I think I'd rather set my hair on fire than use this... but thanks for
yoru time.

 

[David Candy]

It meant to find out who stole the spreadsheet and gave it to the competion. One normally writes programs or database queries to work with it.