FileSystemWatcher是做不到的,WMI也不行这个是杀毒软件常用的技术,有些软件用到了类似的技术,比如FileMon: http://www.sysinternals.com/Utilities/Filemon.htmlHow FileMon Works For the Windows 9x driver, the heart of FileMon is in the virtual device driver, Filevxd.vxd. It is dynamically loaded, and in its initialization it installs a file system filter via the VxD service, IFSMGR_InstallFileSystemApiHook, to insert itself onto the call chain of all file system requests. On Windows NT the heart of FileMon is a file system driver that creates and attaches filter device objects to target file system device objects so that FileMon will see all IRPs and FastIO requests directed at drives. When FileMon sees an open, create or close call, it updates an internal hash table that serves as the mapping between internal file handles and file path names. Whenever it sees calls that are handle based, it looks up the handle in the hash table to obtain the full name for display. If a handle-based access references a file opened before FileMon started, FileMon will fail to find the mapping in its hash table and will simply present the handle's value instead. Information on accesses is dumped into an ASCII buffer that is periodically copied up to the GUI for it to print in its listbox.
至于详细的帮助文章,VS.NET自带的MSDN中就有,而且是中文帮助,你直接用WMI索引就可以看到。
至于监视文件的话呢....
NET本身有一个控件支持这样的功能,WMI有没有还得再找一下...
http://www.sysinternals.com/Utilities/Filemon.htmlHow FileMon Works
For the Windows 9x driver, the heart of FileMon is in the virtual device driver, Filevxd.vxd. It is dynamically loaded, and in its initialization it installs a file system filter via the VxD service, IFSMGR_InstallFileSystemApiHook, to insert itself onto the call chain of all file system requests. On Windows NT the heart of FileMon is a file system driver that creates and attaches filter device objects to target file system device objects so that FileMon will see all IRPs and FastIO requests directed at drives. When FileMon sees an open, create or close call, it updates an internal hash table that serves as the mapping between internal file handles and file path names. Whenever it sees calls that are handle based, it looks up the handle in the hash table to obtain the full name for display. If a handle-based access references a file opened before FileMon started, FileMon will fail to find the mapping in its hash table and will simply present the handle's value instead. Information on accesses is dumped into an ASCII buffer that is periodically copied up to the GUI for it to print in its listbox.
看看这个
用api
http://www.microsoft.com/technet/scriptcenter/scripts/storage/files/stfivb23.mspx
看看这里吧~~~
打开了啥也不做也要监视
我们做过测试,如chaircat提供的地址的例子是没问题的,因为这个自建目录中一般文件比较少,而且又是针对一个特定的文件。
但是对于较大的系统目录如c:\windows,甚至整个文件系统,这个监控毫无作用,表现为CPU占用率极高,而事件接收又毫无反应,估计是在扫描目录。
所以,对于文件系统的监视,还是建议用FileSystemWatcher,但对于文件的打开操作,FileSystemWatcher好像也无能为力,WMI更是没法做到。
呵呵~~~~我找到这个例子一直都没测试~~~~~
按你说的来看的话WMI的这个玩意就是一个循环扫描...
看来要花比较小的代价实现这个问题可能只有去HOOK一下了~~~