FILEMON Log Record and its System Function Call

Filemon is a utility by Mark Russinovich and Bryce Cogswell that runs on the Windows platform.

As stated in its official help file, Filemon is an application that monitors and displays all file system activity on a Windows operating system. Sysinternals has since retired Filemon in favour of Process Monitor (Procmon), which records the same file system operations, but the correspondence described here still applies.

It has advanced filtering and search capabilities that make it a powerful tool for exploring the way Windows works, seeing how applications use files and DLLs, or tracking down problems in system or application configuration.

As the title says, the purpose of this article is to associate each Filemon log record with the Windows API call that produced it at the moment the event was captured.

Using WinDBG, attach to any program of interest, set a breakpoint on one of the file API functions, CreateFile, and start Filemon to see what happens when the breakpoint is hit and the call is allowed to continue.

When the examined application calls CreateFile, the Filemon log shows a single OPEN request if CreateFile is only opening an existing file, or the sequence OPEN, OPEN, CREATE if CreateFile is used to create a file that did not previously exist.

After gathering data in this fashion, I compiled the following list:

GetFileSize results in a QUERY INFORMATION entry in the Request column, with the returned size in the Other column.

SetEndOfFile results in a SET INFORMATION entry in the Request column, with the new file length in the Other column.

LockFile results in a LOCK request.

UnlockFile results in an UNLOCK request.

FlushFileBuffers results in a FLUSH request.

CloseHandle on the file handle results in a CLOSE request.
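The following script is an added example and is not code from the original post. It ties the two parts above together: exercise_win32 issues the calls from the list, in order, against a scratch file so that a running Filemon (or Procmon) reproduces the records described, including the OPEN, OPEN, CREATE sequence for a new file; parse_filemon_log and annotate then take a saved Filemon log and label each record with the API call behind it using the post's mapping. Assumptions: the saved log is tab-separated with the columns sequence, time, process, request, path, result and other; the sample lines are constructed, not captured; and the OPEN records that run straight into a CREATE on the same path belong to the CreateFile call that created the file, as the post observes.

```python
"""Added example, not from the original post: drive the Win32 calls the post
lists against a scratch file, and annotate a saved Filemon log with the API
call behind each record.  The tab-separated column layout (sequence, time,
process, request, path, result, other) is an assumption about Filemon's saved
.LOG format, and SAMPLE_LOG is constructed, not a real capture."""
import ctypes
import os
import sys
import tempfile
from collections import defaultdict

# The post's mapping from Filemon Request keyword to the Win32 call that issued it.
REQUEST_TO_API = {
    "OPEN": "CreateFile (open existing)",
    "CREATE": "CreateFile (create new)",
    "QUERY INFORMATION": "GetFileSize",
    "SET INFORMATION": "SetEndOfFile",
    "LOCK": "LockFile",
    "UNLOCK": "UnlockFile",
    "FLUSH": "FlushFileBuffers",
    "CLOSE": "CloseHandle",
}

# Constructed records: one create-and-use sequence on new.txt, one plain open of existing.txt.
SAMPLE_LOG = "\n".join("\t".join(f) for f in [
    ("1", "10:00:01 AM", "demo.exe:1234", "OPEN", r"C:\temp\new.txt", "NOT FOUND", "Access: All"),
    ("2", "10:00:01 AM", "demo.exe:1234", "OPEN", r"C:\temp\new.txt", "NOT FOUND", "Access: All"),
    ("3", "10:00:01 AM", "demo.exe:1234", "CREATE", r"C:\temp\new.txt", "SUCCESS", "Access: All"),
    ("4", "10:00:01 AM", "demo.exe:1234", "QUERY INFORMATION", r"C:\temp\new.txt", "SUCCESS", "Length: 0"),
    ("5", "10:00:01 AM", "demo.exe:1234", "SET INFORMATION", r"C:\temp\new.txt", "SUCCESS", "Length: 4096"),
    ("6", "10:00:01 AM", "demo.exe:1234", "LOCK", r"C:\temp\new.txt", "SUCCESS", "Offset: 0 Length: 4096"),
    ("7", "10:00:01 AM", "demo.exe:1234", "UNLOCK", r"C:\temp\new.txt", "SUCCESS", "Offset: 0 Length: 4096"),
    ("8", "10:00:01 AM", "demo.exe:1234", "FLUSH", r"C:\temp\new.txt", "SUCCESS", ""),
    ("9", "10:00:01 AM", "demo.exe:1234", "CLOSE", r"C:\temp\new.txt", "SUCCESS", ""),
    ("10", "10:00:02 AM", "demo.exe:1234", "OPEN", r"C:\temp\existing.txt", "SUCCESS", "Access: Read"),
    ("11", "10:00:02 AM", "demo.exe:1234", "CLOSE", r"C:\temp\existing.txt", "SUCCESS", ""),
])


def parse_filemon_log(text):
    """Split tab-separated records into dicts; the 'other' column may be absent."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) < 6:
            raise ValueError("malformed Filemon record: %r" % line)
        seq, when, proc, request, path, result = parts[:6]
        records.append({"seq": int(seq), "time": when, "process": proc,
                        "request": request, "path": path, "result": result,
                        "other": parts[6] if len(parts) > 6 else ""})
    return records


def annotate(records):
    """Label each record with the Win32 call behind it, walking records per
    process and path in sequence order.  OPEN entries that run straight into a
    CREATE on the same path are charged to the CreateFile that created the file
    (the post's OPEN,OPEN,CREATE pattern); a lone OPEN is an open of an existing
    file; every other keyword is a direct lookup in the post's table."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["process"], r["path"])].append(r)
    for recs in by_key.values():
        pending_opens = []
        for r in sorted(recs, key=lambda x: x["seq"]):
            if r["request"] == "OPEN":
                r["api"] = REQUEST_TO_API["OPEN"]
                pending_opens.append(r)
                continue
            if r["request"] == "CREATE":
                for o in pending_opens:
                    o["api"] = REQUEST_TO_API["CREATE"]
            r["api"] = REQUEST_TO_API.get(r["request"], "not in the post's table: " + r["request"])
            pending_opens = []
    return records


def exercise_win32(path):
    """Windows only: issue the post's calls in order against `path` via ctypes so a
    running Filemon shows OPEN,OPEN,CREATE then QUERY INFORMATION, SET INFORMATION,
    LOCK, UNLOCK, FLUSH, CLOSE for that path.  Returns what GetFileSize reported."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p,
                                ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p]
    GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
    CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, FILE_BEGIN = 2, 0x80, 0
    h = k32.CreateFileW(path, GENERIC_READ | GENERIC_WRITE, 0, None,
                        CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, None)      # OPEN,OPEN,CREATE
    if h is None or h == ctypes.c_void_p(-1).value:                      # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    h = ctypes.c_void_p(h)
    size = k32.GetFileSize(h, None)                                      # QUERY INFORMATION
    k32.SetFilePointer(h, 4096, None, FILE_BEGIN)   # SetEndOfFile works at the current file pointer
    k32.SetEndOfFile(h)                                                  # SET INFORMATION
    k32.LockFile(h, 0, 0, 4096, 0)                                       # LOCK
    k32.UnlockFile(h, 0, 0, 4096, 0)                                     # UNLOCK
    k32.FlushFileBuffers(h)                                              # FLUSH
    k32.CloseHandle(h)                                                   # CLOSE
    return size


if __name__ == "__main__":
    if sys.platform == "win32":
        scratch = os.path.join(tempfile.gettempdir(), "filemon-demo.txt")
        print("GetFileSize reported", exercise_win32(scratch), "for", scratch)
    for r in annotate(parse_filemon_log(SAMPLE_LOG)):
        print(f"{r['seq']:>2} {r['request']:<18} {r['path']:<22} {r['result']:<9} {r['api']}")
```

To follow the post's procedure in WinDBG, attach to the process and break on the wide-character entry point with bp kernel32!CreateFileW (CreateFile itself is a macro that resolves to CreateFileA or CreateFileW), then step over the call and watch the new Filemon records appear. Two caveats when reading the annotation back from a log: the mapping from Request keyword to API call is many-to-one, since other calls such as GetFileAttributes, GetFileTime or GetFileInformationByHandle also surface as QUERY INFORMATION, so the table gives the most likely caller for the calls the post studied rather than a unique answer; and Filemon records file system requests as seen by its filter driver, so what it shows for one Win32 call is the sequence of requests that call turns into, which is exactly why a single CreateFile can produce three records.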

Well, I think this list already covers all the request keywords provided by the Filemon utility.

If you find a request keyword that is not covered in this article and are curious which API call produces it, don't hesitate to discuss it with me 🙂


One Response to “FILEMON Log Record and its System Function Call”

  1. system works Says:

    There's definitely a great deal to find out about this issue.
    I like all of the points you have made.
