这个有点麻烦啊,转个文章你看看吧:For the Windows 9x driver, the heart of FileMon is in the virtual device driver, Filevxd.vxd. It is dynamically loaded, and in its initialization it installs a file system filter via the VxD service, IFSMGR_InstallFileSystemApiHook, to insert itself onto the call chain of all file system requests. On Windows NT the heart of FileMon is a file system driver that creates and attaches filter device objects to target file system device objects so that FileMon will see all IRPs and FastIO requests directed at drives. When FileMon sees an open, create or close call, it updates an internal hash table that serves as the mapping between internal file handles and file path names. Whenever it sees calls that are handle based, it looks up the handle in the hash table to obtain the full name for display. If a handle-based access references a file opened before FileMon started, FileMon will fail to find the mapping in its hash table and will simply present the handle's value instead.
Information on accesses is dumped into an ASCII buffer that is periodically copied up to the GUI for it to print in its listbox. http://www.sysinternals.com/Utilities/Filemon.html
Information on accesses is dumped into an ASCII buffer that is periodically copied up to the GUI for it to print in its listbox. http://www.sysinternals.com/Utilities/Filemon.html
解决方案 »
免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货