FileSpy

Filemon for FSD and filter developers

The latest version

What's new in the latest version, 4.0.0 ?

• FileSpy can now use USN Journal as logging method. USN journal is a file, maintained directly by NTFS.sys, and contains all changes made on the volume since creation of the USN Journal.
• 64-bit drivers are now properly signed by Open System Resources, which allows seamless run under 64-bit Vista.
• Added config dialog to enable or disable using test-signed drivers.
• Lots of improvements and bug fixes. For more information, refer to History.txt.

Description

The FileSpy is a GUI application for the FSpy.sys or MSpy.sys, a monitoring filter driver shipped with the WDK. Its functionality is similar to the famous Filemon tool from Mark Russinovich (http://www.sysinternals.com). FileSpy is an aplication written as support to the developers, who need to monitor file system activity. Comparing to Filemon, it contains some more functions:

• Extended logging of IRP and Fast I/O requests
• Advanced filtering by path, process, IRP code, Fast I/O code or operation result
• Ability to monitor "exotic" file systems and network redirectors using is ability to attach by device name
• Ability to watch requests from newly created processes
• Ability to monitor newly mounted volumes (e.g. USB drives)
• Ability to monitor FSD control devices. It is possible to see the IRP_MN_MOUNT_VOLUME request
• Ability to sort requests by issuing time or completion time
• Watching documented (and even some undocumented) IOCTL requests, with online decoding (device type, method etc.)
• FileSpy can be executed even by normal authenticated user, if the kernel mode service is already running
• User can choose driver (legacy FS filter FSpy.sys, minifilter MSpy.sys or minifilter FileTrace.sys)
• Filespy can be executed before user logon.
• Filespy can log changes to the NTFS volume using USN Journal.

How it works

When the FileSpy GUI application is executed, it installs the selected file system filter driver. This driver logs file system requests going to one of the attached volumes. These requests are logged and kept in memory. The FileSpy.exe GUI periodically pops this list and shows it as logged output.

Download

• FileSpy application v 4.1.0.522 for Windows 2000+ (32-bit and 64-bit english version)

Copyright (c) Ladislav Zezula 2008