The EaseFilter File Monitor Filter Driver SDK provides you a simple way to develop the Windows application, to track the file change events easily. The file change events include the new file being created, the file being modified or written, file being renamed or moved, file being deleted, file information being changed, file security being changed.
EaseFilter File Monitor Filter Driver, is a kernel-mode component that runs as part of the Windows executive above the file system. The EaseFilter file system filter driver can intercept requests targeted at a file system or another file system filter driver. By intercepting the request before it reaches its intended target, the EaseFilter file system filter driver can log, observe the I/O operations for one or more file systems or file system volumes.
Develop application to track file change
To track the file change events, you need to create a file monitor filter rule to watch the folder which you want to manage. Then you need to register the file change events which you are interested in it, and register the file change notification handler. For example, if you want to track the file was written, then you need to register the event “NotifyFileWasWritten" in "FileChangeEventFilter".
//create a file monitor filter rule, every filter rule must have the unique watch path.
FileFilter fileMonitorFilter = new FileFilter("c:\\watchFolder\\*");
//Filter the file change event to monitor all file change events.
fileMonitorFilter.FileChangeEventFilter = (FilterAPI.FileChangedEvents)FilterAPI.NotifyAllFileEvents;
//register the file change callback events.
fileMonitorFilter.NotifyFileWasChanged += NotifyFileChanged;
/// <summary>
/// Fires this event when the file was changed.
/// </summary>
static void NotifyFileChanged(object sender, FileChangedEventArgs e)
{
Console.WriteLine("NotifyFileChanged:" + e.FileName + ",eventType:" + e.eventType.ToString() + ",userName:" + e.UserName + ",processName:" + e.ProcessName);
} With the EaseFilter File Monitor SDK to track file change, you can get the notification when the managed files were changed with below events:
- File Creation Event: You can get the notification when a new file was created.
- File Delete Event: you can get the notification when a file was deleted.
- File Rename Event: You can get the notification when a file was renamed.
- File Write Event: You can get the notification when a file was written with data.
- File Security Changed Event: You can get the notification when a file’s security was changed.
- File Information Changed Event: You can get the notification when a file’s size, a file’s attributes, a file’s last write time, a file’s creation time, a file’s last access time were changed.
Here is the enumeration of the events you can register
/// <summary>
/// The file changed events for monitor filter, it will be fired after the file handle was closed.
/// </summary>
public enum FileChangedEvents:uint
{
/// <summary>
/// Fires this event when the new file was created after the file handle closed
/// </summary>
NotifyFileWasCreated = 0x00000020,
/// <summary>
/// Fires this event when the file was written after the file handle closed
/// </summary>
NotifyFileWasWritten = 0x00000040,
/// <summary>
/// Fires this event when the file was moved or renamed after the file handle closed
/// </summary>
NotifyFileWasRenamed = 0x00000080,
/// <summary>
/// Fires this event when the file was deleted after the file handle closed
/// </summary>
NotifyFileWasDeleted = 0x00000100,
/// <summary>
/// Fires this event when the file's security was changed after the file handle closed
/// </summary>
NotifyFileSecurityWasChanged = 0x00000200,
/// <summary>
/// Fires this event when the file's information was changed after the file handle closed
/// </summary>
NotifyFileInfoWasChanged = 0x00000400,
/// <summary>
/// Fires this event when the file's data was read after the file handle closed
/// </summary>
NotifyFileWasRead = 0x00000800,
}Here is the File Monitor example for the File Change Events selection.
In the NotifyFileChanged event, you can get the file changed information as below:
- The user name who made the file changed.
- The process name who made the file changed.
- The file changed types: the file was created, written, renamed, deleted, file information was changed or the file was read.
- The new file name if the was renamed.
Track File Change in Real Time
With the EaseFilter File Monitor SDK, you can monitor file I/O activities on file system level in Real-Time. You can capture file open, file creation, file overwritten, file read, file written, query file information, set file information, query security information, set security information, file rename, file delete, directory browsing and file close I/O requests.
You can create the file access log, you will know who, when, what files were accessed. You can get comprehensive control and visibility over users and data by tracking and monitoring all the user & file activities, permission changes, storage capacity and generate real-time audit reports.
Here is the FileMonitor demo output console for the File Change Events:
