How to monitor file activity with the Sysinternals “FileMon” utility

Important Note: This document is intended only as an overview of how to use the FileMon utility and how it can be used in supporting systems. Please consult Microsoft documentation for information related to the FileMon utility.

Important: FileMon is a freeware utility and, as such, is implemented at the risk of the user.

FileMon is a utility that monitors and reports on file system activity on a system in real time. Its advanced capabilities make it a powerful tool for:
  1. Exploring the way Windows works by seeing how applications use the files and DLLs
  2. Tracking down the cause of problems with system or application file configurations

FileMon's time stamping feature indicates precisely when every open, read, write or delete event took place. The status column reports the outcome of each event. Installation and configuration are simple, and once the utility is installed it does not take long to become competent with it. The contents of the Output Window can be saved to a file for off-line viewing. Full search capability is available, including filtering to make the reporting displayed in the Output Window more meaningful.
  1. Obtain the utility by browsing to the following site: http://www.sysinternals/Utilities/Filemon.html
  2. The application consists of a single file and therefore does not include a managed installation procedure
  3. It is recommended that the file be extracted to the following location: C:\Program Files\FileMon (you will need to create the folder "FileMon")
  4. Create a shortcut to the application and place the shortcut on the desktop


To utilize the FileMon application, do the following:
1) Double click on the "FileMon.exe" file in the folder that you extracted, or double click the shortcut, to run the application
2) Once the application launches, the information capture starts automatically and can be halted by clicking the "Capture"
3) At this point, configure the application to perform the tasks that you require.
   Note: Please refer to the help file provided with the application to perform the monitoring tasks.
4) Stop the capture by clicking on the magnifying glass in the tool bar or "CTRL-E"
5) Save the trace file by clicking on the disk icon or "CTRL-S"
6) Open the trace file for analysis or send the saved file to the support engineer for analysis
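
For the offline analysis in step 6, the following added example (not part of the original document or of the FileMon utility) triages a saved trace by listing every event whose status column is not SUCCESS and counting repeats per process and path. It assumes the saved file is tab-delimited with the columns #, Time, Process, Request, Path, Result, Other; the sample rows and the function names are constructed for illustration.

```python
from collections import Counter

# ASSUMPTION: a saved trace is tab-delimited, one event per line, with
# columns in this order: #, Time, Process, Request, Path, Result, Other.
FIELDS = ("seq", "time", "process", "request", "path", "result", "other")

# Constructed sample rows (not taken from a real capture).
_ROWS = [
    ("1", "10:15:01 AM", "app.exe:1204", "OPEN", r"C:\Program Files\App\app.ini", "SUCCESS", ""),
    ("2", "10:15:01 AM", "app.exe:1204", "READ", r"C:\Program Files\App\app.ini", "SUCCESS", ""),
    ("3", "10:15:02 AM", "app.exe:1204", "OPEN", r"C:\Program Files\App\helper.dll", "NOT FOUND", ""),
    ("4", "10:15:02 AM", "app.exe:1204", "OPEN", r"C:\WINDOWS\system32\helper.dll", "NOT FOUND", ""),
    ("5", "10:15:03 AM", "app.exe:1204", "WRITE", r"C:\Program Files\App\app.log", "ACCESS DENIED", ""),
    ("6", "10:15:04 AM", "app.exe:1204", "WRITE", r"C:\Program Files\App\app.log", "ACCESS DENIED", ""),
    ("7", "10:15:05 AM", "svc.exe:880", "DELETE", r"C:\Temp\x.tmp", "SUCCESS", ""),
]
SAMPLE_TRACE = "\n".join("\t".join(r) for r in _ROWS) + "\ntruncated line\n"

def parse_trace(text):
    """Return one dict per well-formed row; skip blank or truncated lines."""
    events = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("\t")]
        if len(cols) < 6:          # need at least the Result column
            continue
        cols += [""] * (len(FIELDS) - len(cols))
        events.append(dict(zip(FIELDS, cols[:len(FIELDS)])))
    return events

def failed_events(events, ok=("SUCCESS",)):
    """Events whose status column reports anything other than success."""
    return [e for e in events if e["result"].upper() not in ok]

def summarize(failures):
    """Count failures per (process, result, path), most frequent first."""
    keys = ((e["process"], e["result"], e["path"]) for e in failures)
    return Counter(keys).most_common()

if __name__ == "__main__":
    # To analyze a real saved trace, read its text and pass it to parse_trace().
    for (proc, result, path), n in summarize(failed_events(parse_trace(SAMPLE_TRACE))):
        print(f"{n:3d}  {result:<14} {proc:<14} {path}")
```

Repeated ACCESS DENIED or NOT FOUND results against the same path usually point straight at the permission or missing-file problem the trace was captured to find.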