
Windows NT File System Monitor (NTFilemon)

Copyright (C) 1996 Mark Russinovich and Bryce Cogswell

Mark can be reached at markr@numega.com and Bryce can be
reached at cogswell@cs.uoregon.edu.

You have the right to take and use this code for whatever purpose, 
commercial or otherwise.

----------------------------------------------------------------------
RUNNING FILEMON

Filemon was compiled for the x86 platform. See below for building 
versions for other hardware.

To run Filemon, "CD" to the GUI\WINREL directory and type "filemon".
Your account must have the privilege to install device drivers in
order to run Filemon.

Note about network drives: Multiple local drives can be mounted on the
same network drive. This means that when Filemon hooks one local
drive, it will see requests for all other local drives mounted on the
same network drive. Using the "Drives" menu to select or deselect
one of these local drives will automatically select or deselect the
other drives of the group.
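
The group behavior described in this note, modelled as an added
example (it is not code from the Filemon source). The names
drive_group, toggle_drive and sample_map, and the device ids in the
sample table, are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define NDRIVES      26            /* drive letters A: through Z: */
#define NO_DEVICE    0             /* letter not assigned */
#define DRIVE_BIT(i) ((uint32_t)1 << (i))

/* Constructed sample (hypothetical device ids): C: is a local disk (1);
   F:, G: and H: are three local letters on one network drive (7). */
static const int sample_map[NDRIVES] = { [2] = 1, [5] = 7, [6] = 7, [7] = 7 };

/* Bitmask (bit i = letter 'A'+i) of every drive letter backed by the same
   device as `drive`; 0 if the letter is out of range or unassigned. */
uint32_t drive_group(const int device_of[NDRIVES], int drive)
{
    uint32_t group = 0;
    if (drive < 0 || drive >= NDRIVES || device_of[drive] == NO_DEVICE)
        return 0;
    for (int i = 0; i < NDRIVES; i++)
        if (device_of[i] == device_of[drive])
            group |= DRIVE_BIT(i);
    return group;
}

/* Model of one click in the "Drives" menu: the clicked letter and every
   other letter in its group change state together. */
uint32_t toggle_drive(const int device_of[NDRIVES], uint32_t selected, int drive)
{
    uint32_t group = drive_group(device_of, drive);
    if (group == 0)
        return selected;                 /* nothing to hook */
    if (selected & DRIVE_BIT(drive))
        return selected & ~group;        /* deselect the whole group */
    return selected | group;             /* select the whole group */
}

int main(void)
{
    uint32_t sel = toggle_drive(sample_map, 0, 5);         /* click F: */
    printf("after selecting F:   0x%02X\n", (unsigned)sel);
    sel = toggle_drive(sample_map, sel | DRIVE_BIT(2), 7); /* C: on, click H: */
    printf("after deselecting H: 0x%02X\n", (unsigned)sel);
    return 0;
}
```

When reading a capture, requests logged for a drive letter that was
never selected are explained by this grouping, not by a stray hook.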

Note about formatting: Filemon can be used to watch NT format floppy
drives. However, when a floppy format is complete, NT deletes the 
device object that represents the drive and creates a new one. This
means that subsequent accesses to the floppy will not be seen by
Filemon unless the floppy drive is first deselected and then selected
again in order to hook the newly created floppy device object.

----------------------------------------------------------------------
BUILDING FILEMON

Overview: The executables included are for the x86, although the
source code for the GUI and device driver is platform portable. However,
be sure to remove the code that extracts the process name in the device
driver if building for non-x86 platforms, as this is tied to the x86
implementation of NT. To do this, find the following statement, located
at the top of dd\filemon.c and gui\filemon.c:

#define GETPROCESS 1

and change the 1 to 0.

Directories:

SYS: The device driver for Filemon. It can be built using the NT DDK's
build utility. The compiler used to produce the executable was VC 4.2. Note
that the device driver is not Unicode compliant. Making it Unicode compliant
requires implementing a wide-character version of vsprintf() and converting
all chars to wide characters.

GUI: The Filemon GUI. This is a UNICODE Win32 program. The executables
and project are from VC 4.2. 
