How to monitor file system monitoring? or "Quis custodiet ipsos custodes?" RRS feed

  • Question

  • Is there any way to tell which processes are using System.IO.FileSystemWatcher (or preferably its underlying Windows API) and which trees they're watching? A lot of tools that come over from Linux as accustomed to tool graphs of cheap processes that pass data via small files, sometimes creating and deleting hundreds in a second.

    File watchers encountering this practice can bring the system to a crawl. Since they seldom document that they're watching particular trees, it makes it hard to know to look for some kind of exclusion list, which they may or may not have. If we knew what was happening when we ran into these situations, we could act on hard knowledge rather than wasting time speculating about what kind of processes might be involved.

    Is there any kind of mechanism (API, system hook, etc.) that can be used to identify which processes are watching the file system and what subtrees they're focusing on? If I can couple this mechanism with a watcher of my own to identify the file access pattern of the watcher's evil twin, the walker, then these problems would be a lot easier to diagnose. Of course, a sysinternals tool that did this would be even better ;) . I couldn't figure out how to get procmon to give me what I wanted.) 

    • Moved by Hart Wang Friday, April 13, 2018 1:50 AM
    Friday, April 6, 2018 11:59 PM

All replies

  • Try to ask in the Performance tools forum, if a system-defined log or trace option exists for this API. 

    Otherwise... registering a watch is a low level filesystem API, it can be "hooked" by a certain kind of kernel driver (as well as accessing files). Unfortunately, this kind of drivers is quite hard to make.

    -- pa

    Sunday, April 8, 2018 10:23 PM
  • Hi,

    I agree with Pavel A.

    You can post the issue on performance forum. I will move the case to off-topic forum.

    Best Regards,


    MSDN Community Support Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Tuesday, April 10, 2018 6:59 AM
  • You should have to hook the Native API, NtNotifyChangeDirectoryFile
    Tuesday, April 10, 2018 7:24 AM