监视文件操作的问题。

想要实现这个功能：能够得到所有删除，新建，改写文件或目录的消息。即监视所有对文件的操作。葵花宝典中的那个例子我试过了，它好像只能纪录手动的操作。而不能纪录由程序对文件进行的操作。例如：安装一个软件，由安装程序新建的那些文件，这个例子就不能纪录到。
要实现这个功能一定要用Vxd吗。这个我不会。

解决方案 »

免费领取超大流量手机卡，每月29元包185G流量+100分钟通话, 中国电信官方发货

Essence_zhx: 可以给我看看你的程序吗？
我的mail: [email protected]
一個利用Windows未揭示的API做的Shell操作監視,利用该功能可以对Windows下的任何文件
操作，包括建立文件、文件夹；删除文件；改变文件大小等操作都可以纪录在案。
Delphi : http://www.powerba.com/develop/delphi/article/20010925001.htm
Vb     : http://www.applevb.com/art/undoc3.htm
试试Rx组件包里的RxTools页面上
TRxFolderMonitor
组件，我看过有人用这东东还不错。
AWolfBoy(龍行江湖) 兄提供的URL的文章，只是监视shell,
但我还要改一下代码才可以在delphi6下跑原文来自http://www.powerba.com/develop/delphi/article/20010925001.htm
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++unit Unit1;interfaceuses
Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
StdCtrls,shlobj,Activex; const
        SHCNE_RENAMEITEM = $1;
        SHCNE_CREATE = $2;
        SHCNE_DELETE = $4;
        SHCNE_MKDIR = $8;
        SHCNE_RMDIR = $10;
        SHCNE_MEDIAINSERTED = $20;
        SHCNE_MEDIAREMOVED = $40;
        SHCNE_DRIVEREMOVED = $80;
        SHCNE_DRIVEADD = $100;
        SHCNE_NETSHARE = $200;
        SHCNE_NETUNSHARE = $400;
        SHCNE_ATTRIBUTES = $800;
        SHCNE_UPDATEDIR = $1000;
        SHCNE_UPDATEITEM = $2000;
        SHCNE_SERVERDISCONNECT = $4000;
        SHCNE_UPDATEIMAGE = $8000;
        SHCNE_DRIVEADDGUI = $10000;
        SHCNE_RENAMEFOLDER = $20000;
        SHCNE_FREESPACE = $40000;
        SHCNE_ASSOCCHANGED = $8000000;
        SHCNE_DISKEVENTS = $2381F;
        SHCNE_GLOBALEVENTS = $C0581E0;
        SHCNE_ALLEVENTS = $7FFFFFFF;
        SHCNE_INTERRUPT = $80000000;        SHCNF_IDLIST = 0; // LPITEMIDLIST
        SHCNF_PATHA = $1; // path name
        SHCNF_PRINTERA = $2; // printer friendly name
        SHCNF_DWORD = $3; // DWORD
        SHCNF_PATHW = $5; // path name
        SHCNF_PRINTERW = $6; // printer friendly name
        SHCNF_TYPE = $FF;        SHCNF_FLUSH = $1000;        SHCNF_FLUSHNOWAIT = $2000;
        SHCNF_PATH = SHCNF_PATHW;
        SHCNF_PRINTER = SHCNF_PRINTERW;        WM_SHNOTIFY = $401;
        NOERROR = 0;type
      TForm1 = class(TForm)
        Button1: TButton;
        Memo1: TMemo;
        procedure FormClose(Sender: TObject; var Action: TCloseAction);
        procedure Button1Click(Sender: TObject);
        procedure FormCreate(Sender: TObject);
        private
        { Private declarations }
        procedure WMShellReg(var Message:TMessage);message WM_SHNOTIFY;
        public
        { Public declarations }
        end;        type PSHNOTIFYSTRUCT=^SHNOTIFYSTRUCT;
        SHNOTIFYSTRUCT = record
        dwItem1 : PItemIDList;
        dwItem2 : PItemIDList;
        end;        Type PSHFileInfoByte=^SHFileInfoByte;
        _SHFileInfoByte = record
        hIcon :Integer;
        iIcon :Integer;
        dwAttributes : Integer;
        szDisplayName : array [0..259] of char;
        szTypeName : array [0..79] of char;
        end;
        SHFileInfoByte=_SHFileInfoByte;        Type PIDLSTRUCT = ^IDLSTRUCT;
        _IDLSTRUCT = record
        pidl : PItemIDList;
        bWatchSubFolders : Integer;
        end;
        IDLSTRUCT =_IDLSTRUCT;
        function SHNotify_Register(hWnd : Integer) : Bool;
        function SHNotify_UnRegister:Bool;
        function SHEventName(strPath1,strPath2:string;lParam:Integer):string;        Function SHChangeNotifyDeregister(hNotify:integer):integer;stdcall;
          external 'Shell32.dll' index 4;
        Function SHChangeNotifyRegister(hWnd,
                                        uFlags,
                                        dwEventID,
                                        uMSG,
                                        cItems:LongWord;
                                        lpps:PIDLSTRUCT):integer;stdcall;
           external 'Shell32.dll' index 2;
        Function SHGetFileInfoPidl(pidl : PItemIDList;
                                   dwFileAttributes : Integer;
                                   psfib : PSHFILEINFOBYTE;
                                   cbFileInfo : Integer;
                                   uFlags : Integer):Integer;stdcall;
            external 'Shell32.dll' name 'SHGetFileInfoA';var
   Form1: TForm1;
   m_hSHNotify:Integer;
   m_pidlDesktop : PItemIDList;implementation{$R *.DFM}function SHEventName(strPath1,strPath2:string;lParam:Integer):string;
var
   sEvent:String;
begin
   case lParam of //根据参数设置提示消息
     SHCNE_RENAMEITEM: sEvent := '重命名文件'+strPath1+'为'+strpath2;
     SHCNE_CREATE: sEvent := '建立文件文件名：'+strPath1;
     SHCNE_DELETE: sEvent := '删除文件文件名：'+strPath1;
     SHCNE_MKDIR: sEvent := '新建目录目录名：'+strPath1;
     SHCNE_RMDIR: sEvent := '删除目录目录名：'+strPath1;     SHCNE_MEDIAINSERTED: sEvent := strPath1+'中插入可移动存储介质';
     SHCNE_MEDIAREMOVED: sEvent := strPath1+'中移去可移动存储介质'+strPath1+' '+strpath2;
     SHCNE_DRIVEREMOVED: sEvent := '移去驱动器'+strPath1;
     SHCNE_DRIVEADD: sEvent := '添加驱动器'+strPath1;     SHCNE_NETSHARE: sEvent := '改变目录'+strPath1+'的共享属性';
     SHCNE_ATTRIBUTES: sEvent := '改变文件目录属性文件名'+strPath1;
     SHCNE_UPDATEDIR: sEvent := '更新目录'+strPath1;
     SHCNE_UPDATEITEM: sEvent := '更新文件文件名：'+strPath1;
     SHCNE_SERVERDISCONNECT: sEvent := '断开与服务器的连接'+strPath1+' '+strpath2;
     SHCNE_UPDATEIMAGE: sEvent := 'SHCNE_UPDATEIMAGE';     SHCNE_DRIVEADDGUI: sEvent := 'SHCNE_DRIVEADDGUI';
     SHCNE_RENAMEFOLDER: sEvent := '重命名文件夹'+strPath1+'为'+strpath2;
     SHCNE_FREESPACE: sEvent := '磁盘空间大小改变';
     SHCNE_ASSOCCHANGED: sEvent := '改变文件关联';
   else
     sEvent:='未知操作'+IntToStr(lParam);
   end;   Result:=sEvent;
end;function SHNotify_Register(hWnd : Integer) : Bool;
var
   x : IDLSTRUCT;//我改了一下
  ps:PIDLSTRUCT;
begin
{$R-}
    Result:=False;
    ps := @x; //我改了一下
    If m_hSHNotify = 0 then
      begin//获取桌面文件夹的Pidl
          if SHGetSpecialFolderLocation(0, CSIDL_DESKTOP,
                                        m_pidlDesktop)<> NOERROR then
              Form1.close;
          if Boolean(m_pidlDesktop) then
             begin
                 ps.bWatchSubFolders := 1;
                 ps.pidl := m_pidlDesktop;
                 // 利用SHChangeNotifyRegister函数注册系统消息处理
                 m_hSHNotify := SHChangeNotifyRegister(hWnd,
                                                       (SHCNF_TYPE Or SHCNF_IDLIST),
                                                       (SHCNE_ALLEVENTS Or SHCNE_INTERRUPT),
                                                        WM_SHNOTIFY, 1, ps);
                 Result := Boolean(m_hSHNotify);
             end
          Else
          // 如果出现错误就使用 CoTaskMemFree函数来释放句柄
             CoTaskMemFree(m_pidlDesktop);
      End;
{$R+}
end;function SHNotify_UnRegister:Bool;
begin
   Result:=False;
   If Boolean(m_hSHNotify) Then //取消系统消息监视，同时释放桌面的Pidl
   If Boolean(SHChangeNotifyDeregister(m_hSHNotify)) Then begin
   {$R-}
   m_hSHNotify := 0;
   CoTaskMemFree(m_pidlDesktop);
   Result := True;
   {$R-}
   End;
end;procedure TForm1.WMShellReg(var Message:TMessage); //系统消息处理函数
var
   strPath1,strPath2:String;
   charPath:array[0..259]of char;
   pidlItem:PSHNOTIFYSTRUCT;
begin
   pidlItem:=PSHNOTIFYSTRUCT(Message.wParam);         //获得系统消息相关得路径
   SHGetPathFromIDList(pidlItem.dwItem1,charPath);
   strPath1:=charPath;
   SHGetPathFromIDList(pidlItem.dwItem2,charPath);
   strPath2:=charPath;
   Memo1.Lines.Add(SHEvEntName(strPath1,strPath2,Message.lParam)+chr(13)+chr(10));
end;procedure TForm1.FormClose(Sender: TObject; var Action: TCloseAction);
begin
//在程序退出的同时删除监视
   if Boolean(m_pidlDesktop) then
   SHNotify_Unregister;
end;procedure TForm1.Button1Click(Sender: TObject); //Button1的Click消息
begin
   m_hSHNotify:=0;
   if SHNotify_Register(Form1.Handle) then
      begin //注册Shell监视
         ShowMessage('Shell监视程序成功注册');
         Button1.Enabled := False;
      end
    else
      ShowMessage('Shell监视程序注册失败');
end;procedure TForm1.FormCreate(Sender: TObject);
begin
    Button1.Caption := '打开监视';
To  mashimaro3600(爱吃白菜||杀尽贪官)兄:
   你的代碼好像沒有改吧.
sysinternals的filemon是用Compuware SoftICE Driver Suite的VtoolsD写了一个VxD,搂主可以去www.pediy.com和www.driverdevelop.com关注一下DS2.7方面的东东
这是sysinternals的filemon的readme.txt
/***************  file begin ****************************************/
Filemon for Windows NT/2000/9x
Copyright (C) 1996-2000 Mark Russinovich and Bryce Cogswell
Sysinternals
www.sysinternals.comUsing Filemon
-------------Start Filemon.exe from its home directory. Complete usage
instructions are available in the on-line help file.See Sysinternals for more monitoring tools, including
a Registry monitor.Building Filemon
----------------Fielmon consists of a device driver and a GUI. The NT driver was built with
the Windows NT DDK Build environment and the GUI was compiled with
Microsoft Visual C++ 6.0. The VxD was built with Vireo Software's (now
Numega Labs) VtoolsD 2.0.The help was entered with Microsoft Word 97 and Help Workshop
for Word 97.To install, copy Filmon.exe, Filemon.vxd and Filemon.sys to the same
directory.Terms of Use
------------This software is provided "as is", without any guarantee made
as to its suitability or fitness for any particular use. It may
contain bugs, so use of this tool is at your own risk. We take
no responsilbity for any damage that may unintentionally be caused
through its use.You may not use Filemon source code in a product, either free or
commercial, without the express written permission of Mark
Russinovich or Bryce CogswellYou may not distribute Filemon in any form without express written
permission of Mark Russinovich or Bryce Cogswell. Licensing
---------If you are interested in redistributing Filemon, either in original
or modified form, or wish to use Filemon source code in a product,
please send e-mail to [email protected] with details.Reporting Problems
------------------If you encounter problems, please visit http://www.sysinternals.com
and download the latest version to see if the issue has been resolved.
If not, please send a bug report to: @sysinternals.com and [email protected]
/*************  end of file *************************/
多谢： mashimaro3600(爱吃白菜||杀尽贪官）
不过上面我说的例子就是它。