From: Kid on
hi

I am not sure if I can post an ETW (Event Tracer for Windows) question here. I
know ETW can be added from a driver or an app, and we can use Windows Event Viewer too.

I have a question: how can I monitor file create / copy / move actions
with Event Viewer or my program? I would like to know the details, such as
the file copy source and destination.

If I posted in the wrong newsgroup, do you know which MS newsgroup I can
post this question to? Thank you!
From: Bill Sanderson on

Take a good look at the sysinternals apps--I think they can monitor this
kind of detail.


"Kid" <Kid(a)discussions.microsoft.com> wrote in message
news:0140882E-931D-40E3-A148-150558620BB9(a)microsoft.com...
> hi
>
> I am not sure if I can post ETW (Event Tracer for Windows) question here, I
> know ETW can add from driver or app, we can use Windows event viewer too.
>
> I have a question that how can I monitor actions about file create / copy /
> move by event viewer or my program, I would like to know the details such as
> file copy source and destination.
>
> If I post in the wrong newsgroup, do you know which MS newsgroups I can
> post this question. Thank you!

From: Don Burn on
You cannot monitor copy and move since they do not exist at the kernel
level. You can see CREATE, READ, WRITE, CLEANUP, and CLOSE since this is
roughly the sequence of a copy. Take a look at the sysinternals tools, or
get the WDK and try the minispy sample driver and executable.


--
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply



"Kid" <Kid(a)discussions.microsoft.com> wrote in message
news:0140882E-931D-40E3-A148-150558620BB9(a)microsoft.com...
> hi
>
> I am not sure if I can post ETW (Event Tracer for Windows) question here, I
> know ETW can add from driver or app, we can use Windows event viewer too.
>
> I have a question that how can I monitor actions about file create / copy /
> move by event viewer or my program, I would like to know the details such as
> file copy source and destination.
>
> If I post in the wrong newsgroup, do you know which MS newsgroups I can
> post this question. Thank you!
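Don Burn's point above, that a copy is visible only as a sequence of CREATE, READ, WRITE, CLEANUP and CLOSE operations, illustrated as an added example (not part of the thread, and not minispy or Sysinternals code): a heuristic that infers a probable copy's source and destination from such a trace. The record layout, paths, PIDs and the `infer_copies` name are constructed for illustration; the sketch keys on path for brevity.

```python
from collections import defaultdict

# Constructed trace records (not real minispy output):
# (pid, operation, path, byte_count)
TRACE = [
    (1204, "CREATE",  r"C:\data\report.docx", 0),
    (1204, "CREATE",  r"D:\backup\report.docx", 0),
    (1204, "READ",    r"C:\data\report.docx", 65536),
    (1204, "WRITE",   r"D:\backup\report.docx", 65536),
    (1204, "READ",    r"C:\data\report.docx", 1200),
    (1204, "WRITE",   r"D:\backup\report.docx", 1200),
    (1204, "CLEANUP", r"C:\data\report.docx", 0),
    (1204, "CLOSE",   r"C:\data\report.docx", 0),
    (1204, "CLEANUP", r"D:\backup\report.docx", 0),
    (1204, "CLOSE",   r"D:\backup\report.docx", 0),
    # Unrelated activity: one file only written, one file only read.
    (3310, "CREATE",  r"C:\logs\app.log", 0),
    (3310, "WRITE",   r"C:\logs\app.log", 512),
    (3310, "CLOSE",   r"C:\logs\app.log", 0),
    (1204, "CREATE",  r"C:\data\notes.txt", 0),
    (1204, "READ",    r"C:\data\notes.txt", 300),
    (1204, "CLOSE",   r"C:\data\notes.txt", 0),
]

def infer_copies(trace):
    """Heuristic: when a process closes a file it only wrote to, look for
    another file in the same process that was only read and whose byte
    total matches. Report (pid, source, destination, bytes)."""
    read = defaultdict(int)      # (pid, path) -> bytes read
    written = defaultdict(int)   # (pid, path) -> bytes written
    copies = []
    for pid, op, path, nbytes in trace:
        key = (pid, path)
        if op == "CREATE":       # new open: reset counters for this file
            read[key] = 0
            written[key] = 0
        elif op == "READ":
            read[key] += nbytes
        elif op == "WRITE":
            written[key] += nbytes
        elif op == "CLOSE" and written[key] > 0 and read[key] == 0:
            for (spid, spath), total in list(read.items()):
                if (spid == pid and spath != path and total == written[key]
                        and written.get((spid, spath), 0) == 0):
                    copies.append((pid, spath, path, total))
                    break
    return copies

if __name__ == "__main__":
    for pid, src, dst, size in infer_copies(TRACE):
        print(f"pid {pid}: probable copy {src} -> {dst} ({size} bytes)")
```

Matching byte totals is only a correlation, so the result is a probable copy rather than a confirmed one.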