This is a very basic essay covering how to:
1. Identify the name of the program you are loading.
2. Stop the background programs from continuously loading into the window, which interfere with viewing the particular program you wish to investigate.
3. Set up a 'filter' to block out all other programs from loading into the FileMon window and to load only the one you wish to view.
Notes snipped from FileMon's URL:
http://www.sysinternals.com/filemon.htm
NOTE: newest version, 4.0, now available at above URL
Introduction
Filemon is a GUI/device driver combination that monitors and displays all file system activity on a system. It has advanced filtering and search capabilities that make it a powerful tool for exploring the way Windows works, seeing how applications use files and DLLs, or tracking down problems in system or application configurations. Version 4.0 unifies previous NT and Win9x-specific versions of Filemon into a common interface. Enhancements to the device drivers, and the addition of UI features (always-on-top, listview tool-tips) also mark this major version update. Filemon works on NT 3.51, 4.0, 5.0 (Win2K), Windows 95 and Windows 98.
addition added here by Eternal Bliss:
Installation and Use
Simply run the Filemon GUI (filemon.exe) from the same directory that the drivers (filemon.sys and filemon.vxd) reside in. Windows NT: Note that it must be located on a non-network drive and that you must have administrative privilege to run Filemon. When Filemon is started for the first time it will monitor all local hard drives. Menus, hot-keys, or toolbar buttons can be used to clear the window, select and deselect monitored drives (Windows NT), save the monitored data to a file, and to filter and search output.
As events are printed to the output, they are tagged with a sequence number. If Filemon's internal buffers are overflowed during extremely heavy activity, this will be reflected with gaps in the sequence number. Filemon allows you to set filters on processes that are logged, as well as paths. Both process and path filters take expressions similar to what the command prompt takes: you can specify names with '*' representing wild cards. The "Path Include" filter represents path names that will be monitored and the "Path Exclude" filter represents path names that will not be monitored. Where there is overlap, Path Exclude overrides. Note that the filters are interpreted in a case-*in*sensitive manner and that you can specify multiple filter strings by separating them with the ';' character. By default, the filters are set up to watch all file system activity.
For example, if you do not want to see paging file activity you could specify "*pagefile*" as the "Path Exclude" filter. If you only want to see activity to the c:\temp and c:\winnt directories, set "c:\temp*;c:\winnt*" as the Path Include filter. If you set both of these filters and a paging file is in C:\temp, activity to the paging file would not be logged whereas activity to the other files and directories in c:\temp would be.
Filemon can either timestamp events or show their duration. The Events menu and the clock toolbar button let you toggle between the two modes. The button on the toolbar shows the current mode with a clock or a stopwatch. When showing duration the Time field in the output shows the number of seconds it took for the underlying file system to service particular requests.
Each time you exit Filemon it remembers the filters you've configured, position of the window and the widths of the output columns.
How Filemon Works
For the Windows 95 driver, the heart of Filemon is in the virtual device driver, Filevxd.vxd. It is dynamically loaded, and in its initialization it installs a file system filter via the VxD service, IFSMGR_InstallFileSystemApiHook, to insert itself onto the call chain of all file system requests.
On Windows NT the heart of Filemon is a file system driver that creates and attaches filter device objects to target file system device objects so that Filemon will see all IRPs and FastIO requests directed at drives.
When Filemon sees an open, create or close call, it updates an internal hash table that serves as the mapping between internal file handles and file path names. Whenever it sees calls that are handle based, it looks up the handle in the hash table to obtain the full name for display. If a handle-based access references a file opened before Filemon started, Filemon will fail to find the mapping in its hash table and will simply present the handle's value instead.
Information on accesses is dumped into an ASCII buffer that is periodically copied up to the GUI for it to print in its listbox.
Upon opening FileMon we will see that it immediately begins logging all running activity on your system...
It is now nearly impossible to load a program you wish to view and read the lines pertaining to it, because FileMon keeps logging every program you have running... It does no good to scroll up to line 100, where your program of interest was first detected and logged, because as soon as you do, some other program running in your background is being logged at line 1500 and you lose the scroll position immediately...
It is here that you can do one of two things that I am aware of; there may be more ways to correct this, and feel free to add them to this essay.
In this example, hoping that everyone has the MS Calculator program, I will use it as my example target...
Open FileMon... Whoa... loads of activity going on...
Now open your MS Calculator... keep your eye peeled for what this is going to be NAMED in the "Process" column...
Before its lines disappear in the flood of running activity, we see that it was named "Calc" in the Process column...
Click on the menu option "Search", then click on "Find", type in the word: Calc, and click on "Find Next"...
Now what happens here is that the Find function finds the first instance of the word Calc and FREEZES the window at that section... Now we can view and read the window without it changing every second on us... You will, however, notice that the window DOES continue to log other running programs... just watch your scroll bar and you will see this... but the window is now locked at the location we want to be at...
The second option that I am aware of to stop the interference of programs running in the background is the Filter option.
It is used as follows:
Having run a program and noted its name value in the "Process" column (in this case the MS Calculator as our target program), and having found that it has the name value of "Calc", we would now:
Click on the menu option named "Events", then, in the drop-down box, click on the "Filter" option...
Here you will see three input boxes named:
Process: ..........
Path include: ......
Path exclude: ......
(Here is an added input posted by Gracefully Savage on the use of the Exclude filter. I'm still not clear as to its use here, but I have always been thick-headed and often need step-by-step drawings to clear things up for me. I believe in his example below he used a program called Disk Catalogue for his explanation of the Exclude filter...)
Way Too Cool Everyone!
The Exclude filter works great. But don't do what I did and try to put the path into it. Hey! I didn't have my coffee yet. ;-)
1. Run FileMon: Under the Process header record all the processes you don't want. Yes, the single process name, ignore the path. Mine were (Sscatalg;Snsicon)<== yer first clue! ;-)
2. Go to EVENTS ==> FILTER ==> Process Exclude[s], type in your process names to exclude. USE A SEMIcolon (;) between them. Hit ==> APPLY. That's it.
When using Softice however I still advise to kill all extraneous apps.
Later,
Gracefully Savage
In the Process box we can type in the name of the program we noted in the "Process" column, in this case "Calc", and this will create a filter... the filter will screen out all other running programs and load only our target...
But one other thing you will have to remember: for some reason (?) the filter must be typed in all lower-case letters! Although our "Process" column showed our program as being named "Calc", we cannot type it into the filter Process box as "Calc"... it MUST be typed in as calc, in all lower-case letters (no quotes).
********************************************************************************************
So now, as a clearer example:
Click on the menu option named "Events", then, in the drop-down box, click on the "Filter" option...
Here you will see three input boxes named:
Process: ..........
Path include: ......
Path exclude: ......
Now in the Process input box type in:
calc
and click on the 'Apply' button.
Now click on the menu option "Events" again; in the drop-down menu you MUST have the option "Capture Events" checked, and in the same drop-down box also click on "Clear Display"...
...this will clear your window of all running programs, and now when you open and run the MS Calculator ONLY the calculator program will be logged and viewed in the FileMon window...
Set Up Done...
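To make the filter rules concrete, here is an added example (my own code, not Sysinternals' or Jeff's) that models the three filter boxes exactly as the Sysinternals notes above describe them and runs them over a few constructed FileMon-style rows: ';' separates patterns, '*' is the only wildcard, matching is case-insensitive (which is why the lower-case "calc" picks up the "Calc" process in the set-up above), and an Exclude filter wins wherever it overlaps an Include. The Process Exclude box and the Sscatalg/Snsicon names come from Gracefully Savage's note; the sample rows and paths are made up.

```python
"""Model of the FileMon filter rules quoted above (added example, not
Sysinternals code): each box takes ';'-separated patterns, '*' is the
only wildcard, matching is case-insensitive, and an Exclude filter wins
wherever it overlaps an Include filter."""
import re

def _to_regex(pattern):
    # Only '*' is special; escape every other character so '\' and '.' stay literal.
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.I)

def matches(value, filter_text):
    """True if the whole value matches any non-empty ';'-separated pattern."""
    return any(_to_regex(p.strip()).fullmatch(value)
               for p in filter_text.split(";") if p.strip())

# Constructed sample rows in FileMon's column order: #, Process, Request, Path, Result.
EVENTS = [
    (1, "Explorer", "Open",  r"C:\WINNT\system32\shell32.dll", "SUCCESS"),
    (2, "Calc",     "Open",  r"C:\WINNT\system32\calc.exe",    "SUCCESS"),
    (3, "System",   "Write", r"C:\temp\pagefile.sys",          "SUCCESS"),
    (4, "Calc",     "Open",  r"C:\WINNT\system32\msvcrt.dll",  "SUCCESS"),
    (5, "Calc",     "Open",  r"C:\temp\notes.txt",             "NOT FOUND"),
    (6, "Sscatalg", "Read",  r"C:\temp\catalog.dat",           "SUCCESS"),
    (7, "Calc",     "Read",  r"D:\data\x.txt",                 "SUCCESS"),
]

def apply_filter(events, process="*", path_include="*", path_exclude="",
                 process_exclude=""):
    """Return the sequence numbers FileMon would still display.
    Defaults watch everything; process_exclude models the Process Exclude
    box from Gracefully Savage's note and overrides like Path Exclude."""
    shown = []
    for seq, proc, _req, path, _result in events:
        if not matches(proc, process):
            continue
        if process_exclude and matches(proc, process_exclude):
            continue
        if not matches(path, path_include):
            continue
        if path_exclude and matches(path, path_exclude):  # exclude overrides
            continue
        shown.append(seq)
    return shown

if __name__ == "__main__":
    print(apply_filter(EVENTS, process="calc"))  # the calculator's rows only
    print(apply_filter(EVENTS, path_include=r"c:\temp*;c:\winnt*",
                       path_exclude="*pagefile*"))  # the docs' own example
```

The second call reproduces the Sysinternals example: the paging file under C:\temp is dropped while the rest of c:\temp and c:\winnt stays, and the D: drive row never passes the Include filter.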
If you see mistakes or inconsistencies, know an easier approach, etc., feel free to work on it and improve it... Would anyone care to explain any other options, tricks, knowledge...?
Write it up and we'll change this one or add and credit your comments to it, etc.
This essay was more on HOW TO SET UP FileMon; the next essay on FileMon could be: Why Do We Use FileMon, and Where Do We Look FOR These Answers...
I am particularly curious about what the various columns tell us, i.e. the Request, Path and Other columns.
We might expand on what it is we look for in the various columns, and why; for example: File Not Found, etc.
*****************************************************************************************
What does... Seek 0x258... mean?
What does... Beginning Offset: 415232... mean?
etc.
Thanks
Regards
Jeff