Online Documentation

File system monitor

The file system monitor displays real-time file activity on your local hard drives as well as on remote drives, from the perspective of the file system.


Starting the file monitor

To start the file monitor, make sure that File is enabled in the panel of activated monitors on the left of the screen. Then click the Start button.


Stopping the file monitor

To stop the file monitor, click the Stop button.


Information in the file monitor view

Date/Time
This column displays the moment of each action that was registered by the monitor. The time stamp is a value with a precision of 100 nanoseconds. If multiple actions took place within a single time interval of 100 nanoseconds, the time stamp value will be incremented to guarantee a unique time stamp.

Major Function
This column displays the name of the major code of the I/O operation. For an explanation of the possible values, refer to the Microsoft WDK documentation.

Process
This displays the name of the executable process which initiated the action.

Status
This column displays whether the operation completed successfully or not.

File Name
This displays the name of the file on which the action took place. Depending on your settings, actions on remote drives will also be listed. You can choose whether the file name is displayed in original kernel object syntax or comprehensible user mode syntax.

Type
This displays the type of operation, which can be an IRP-initiated operation, a fast I/O call or a minifilter-initiated operation.

Minor Function
This displays the optional minor code of the I/O operation.

Operation Flags
This displays bitmasks specifying various aspects of the I/O operation.

IRP Flags
This displays various aspects of the I/O operation.

Handle
Displays the value of the file handle.

PID
This represents the process ID of the executable which initiated the action.

ThreadID
Displays the value of the thread ID which initiated the action.

CPU
On a multi-processor system, this will display the ID of the processor that executed the action. On a single processor system this value is always 0.
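
The time stamp rule described for the Date/Time column, as an added example that is not MultiMon's own code: it assumes a colliding reading is bumped to the previous stamp plus one 100-nanosecond tick, and it uses constructed sample readings. It shows that the displayed stamps stay a reliable ordering key while running ahead of the raw clock during a burst of events.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed rule (the page only says the value "will be incremented"):
 * a clock reading that is not later than the previous stamp becomes
 * previous + 1 tick, where one tick is 100 ns.
 * raw: clock readings in arrival order; out: resulting unique stamps.
 * Returns the largest gap, in ticks, between a stamp and its reading. */
uint64_t assign_unique_stamps(const uint64_t *raw, uint64_t *out, size_t n)
{
    uint64_t last = 0, max_skew = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t s = raw[i];
        if (i > 0 && s <= last)
            s = last + 1;              /* collision: bump by one tick */
        out[i] = s;
        if (s - raw[i] > max_skew)
            max_skew = s - raw[i];
        last = s;
    }
    return max_skew;
}

/* Returns 1 when every stamp is later than the one before it, i.e. the
 * column can be used as a unique sort key when merging event lists. */
int strictly_increasing(const uint64_t *s, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (s[i] <= s[i - 1])
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample: four events read in the same tick, then one
     * event two ticks later. */
    uint64_t raw[] = {1000, 1000, 1000, 1000, 1002};
    uint64_t out[5];
    uint64_t skew = assign_unique_stamps(raw, out, 5);

    for (size_t i = 0; i < 5; i++)
        printf("raw=%llu stamp=%llu\n",
               (unsigned long long)raw[i], (unsigned long long)out[i]);
    printf("max skew: %llu ticks, unique order: %d\n",
           (unsigned long long)skew, strictly_increasing(out, 5));
    return 0;
}
```

When correlating events from a busy system, treat the Date/Time value as an ordering key rather than as an exact measurement of when each operation occurred.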


Copyright © 1997-2025 Resplendence Software Projects. All rights reserved. Privacy Policy.
Page generated on 5/3/2025 7:44:26 PM. Last updated on 9/17/2019 2:09:47 PM.