TraceEventSession and listen for file access

I am experimenting with TraceEventSession for a monitor-like application. The goal is to detect which files a given application accesses. According to my research, the following should work, but I get no events when notepad opens a file. Any insights into what I am doing wrong?
```csharp
using System.Diagnostics;
using Microsoft.Diagnostics.Tracing.Parsers;
using Microsoft.Diagnostics.Tracing.Session;

// Launch the target process and remember its PID for filtering.
Process process = new();
process.StartInfo.FileName = "notepad.exe";
process.Start();

var targetPid = process.Id;
Console.WriteLine($"Started process with PID: {targetPid}");

using (var session = new TraceEventSession("monitor_test"))
{
    session.EnableKernelProvider(KernelTraceEventParser.Keywords.FileIOInit);

    session.Source.Kernel.FileIORead += (data) =>
    {
        if (data.ProcessID == targetPid)
        {
            Console.WriteLine($"[File Open] Process {data.ProcessID} opened: {data.FileName}");
        }
    };

    session.Source.Kernel.FileIOCreate += (data) =>
    {
        if (data.ProcessID == targetPid)
        {
            Console.WriteLine($"[File Create] Process {data.ProcessID} opened: {data.FileName}");
        }
    };

    session.Source.Kernel.FileIOWrite += (data) =>
    {
        if (data.ProcessID == targetPid)
        {
            Console.WriteLine($"[File Write] Process {data.ProcessID} wrote to: {data.FileName}");
        }
    };

    // Blocks here, dispatching events to the handlers above.
    session.Source.Process();
}
```