Monitoring certain system calls made by a process on Windows

Time: 2022-01-15 03:03:01

I would like to be able to monitor certain system calls made by a process, primarily file I/O calls. On Linux I can probably get away using strace with suitable parameters, but how can I do this on Windows?

I'm primarily interested in running a process and figuring out which files it has read and written.

EDIT: I want to do this programmatically from another process. I'm aware of ProcessMonitor, but I would like to receive the data in a form which I can import into another program for further analysis.

EDIT: If I narrow down my requirements even further, it is probably enough to be able to monitor calls to CreateFile(). I'm really only interested in what files are opened, and if they are opened for read/write or just read. Another requirement which I didn't really state is that speed is fairly important; I was planning on doing this for things like compiling a C++-file, and pulling up a full GUI which generates a 20MB logfile will have prohibitive overhead.

EDIT: It would also be nice if it did not require administrative privileges.

7 solutions

#1


There are several options on Windows.

Windows Performance Toolkit can be used to enable tracing of various system events, including file I/O, and includes tools for processing and viewing these events. You can use xperf to begin tracing various classes of events and save them to an ETL file that you can then process or view using the same tools later.

Process Monitor from SysInternals is another, very easy to use, option, and enables you to quickly see all file and registry accesses any process on the system is doing. http://blogs.msdn.com/carloc/archive/2008/10/31/how-to-automate-process-monitor.aspx also shows how to run Process Monitor in an automated fashion.

If you'd like to do this completely programmatically, you can use the ETW functions (StartTrace, EnableTrace, etc.) to snap file I/O events and save to an ETL file. Sample code here.
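An added example (not part of the answer above) of the post-processing step once Process Monitor has been driven unattended: it reads a ProcMon CSV export and reports, for one process, which files were opened and whether each was opened for reading or writing, which is what the question's CreateFile requirement boils down to. The procmon.exe switches in the header comment are the tool's real ones; the CSV rows are constructed, and the default export columns are assumed.

```python
# Added example: turn a Process Monitor CSV export into a per-file read/write
# list for one process. Assumed (not from the answer): ProcMon was run
# unattended, e.g.
#   procmon.exe /AcceptEula /Quiet /Minimized /BackingFile build.pml
#   ...run the build...   then   procmon.exe /Terminate
#   procmon.exe /OpenLog build.pml /SaveAs build.csv
import csv
import io

# Constructed sample rows (cl.exe compiling one file plus unrelated noise);
# the Detail text follows the format ProcMon emits for CreateFile events.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","cl.exe","4120","CreateFile","C:\\src\\main.cpp","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"10:01:02.2","cl.exe","4120","CreateFile","C:\\src\\util.h","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"10:01:02.3","cl.exe","4120","CreateFile","C:\\src\\missing.h","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Attributes: N, ShareMode: Read, AllocationSize: n/a"
"10:01:02.4","cl.exe","4120","CreateFile","C:\\src\\main.obj","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, OpenResult: Created"
"10:01:02.5","cl.exe","4120","ReadFile","C:\\src\\main.cpp","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.6","explorer.exe","1234","CreateFile","C:\\Users\\me\\Desktop","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Open, Options: Directory, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"""

# Access rights that let the handle modify the file.
WRITE_ACCESS = ("Generic Write", "Generic Read/Write", "Write Data",
                "Append Data", "Delete")

def desired_access(detail):
    """Return the 'Desired Access' value from a CreateFile Detail string."""
    prefix = "Desired Access: "
    head = detail.split(", Disposition:", 1)[0]  # stop before ShareMode etc.
    return head[len(prefix):] if head.startswith(prefix) else ""

def summarize(csv_text, process_name):
    """Map path -> 'read' or 'write' for successful CreateFile calls made by
    process_name; a file opened for writing anywhere in the trace is 'write'."""
    modes = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue  # ProcMon records the whole system; keep only our build
        if row["Operation"] != "CreateFile" or row["Result"] != "SUCCESS":
            continue  # failed opens (e.g. include-path probing) touched nothing
        access = desired_access(row["Detail"])
        mode = "write" if any(w in access for w in WRITE_ACCESS) else "read"
        if modes.get(row["Path"]) != "write":
            modes[row["Path"]] = mode
    return modes

if __name__ == "__main__":
    for path, mode in sorted(summarize(SAMPLE_CSV, "cl.exe").items()):
        print(f"{mode:5} {path}")
```

Note that this approach still needs the ProcMon driver (so administrative rights) and captures the whole system, which is why the process-name filter matters.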

#2


On Windows, you can use process monitor to monitor process activity (io and registry). I guess this fits your need if you don't really want to know the system calls.

And you can use winapioverride32 to monitor api calls.

#3


API Monitor by rohitab is very good for system calls.

http://www.rohitab.com/apimonitor

#4


Maybe FileMon?

There is also NtTrace, similar to strace.

#5


Another Windows API tracing tool: logexts.dll (part of the Debugging Tools for Windows), which can be run from inside WinDbg/ntsd/cdb or through a standalone logger.exe program.

#6


Another way is to use Deviare API Hook and intercept all user mode system calls that you want. Using this framework you can code a generic handler for all calls since the parameters can be read using COM interfaces (e.g.: each param is an INktParam and you can get the value using INktParam.Value).

Another alternative, although it will cost some money, is to use SpyStudio from the same company. This product has a command line option that is useful to collect logs without the GUI.

#7


How did nobody mention strace? Example output:

open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
fcntl64(3, F_GETFD)                     = 0x1 (flags FD_CLOEXEC)
getdents64(3, /* 18 entries */, 4096)   = 496
getdents64(3, /* 0 entries */, 4096)    = 0
close(3)                                = 0
fstat64(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f2c000
write(1, "autofs\nbackups\ncache\nflexlm\ngames"..., 86autofsA
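An added example (not part of the answer above) of doing on the Linux side what the question asks for on Windows: it reads open()/openat() lines in the format strace prints, such as those above, and reports which files were opened and whether for reading or writing. The sample lines are constructed, and the strace invocation in the comment is an assumed one.

```python
# Added example, not from the answer above: classify the files a traced Linux
# process opened, using the open()/openat() lines strace prints (e.g. from
# `strace -f -e trace=file -o build.log make`, an assumed invocation; with -f
# each line starts with a pid, which the regex tolerates).
import re

# Constructed sample lines in the format shown above; openat() is what modern
# glibc emits, plain open() as on the page is handled too.
SAMPLE_STRACE = """\
open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = 3
4711  openat(AT_FDCWD, "/usr/include/stdio.h", O_RDONLY|O_CLOEXEC) = 4
4711  openat(AT_FDCWD, "main.o", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 5
4711  openat(AT_FDCWD, "/etc/ld.so.preload", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
4712  openat(AT_FDCWD, "main.o", O_RDONLY) = 6
close(3)                                = 0
"""

# [pid]  open(path, flags[, mode]) = fd   or   openat(AT_FDCWD, path, flags[, mode]) = fd
OPEN_RE = re.compile(
    r'^(?:\d+\s+)?(?:open|openat)\((?:AT_FDCWD, )?"((?:[^"\\]|\\.)*)", '
    r'([A-Z_|]+)(?:, [0-7]+)?\)\s*= (-?\d+)')

def classify_opens(trace):
    """Map path -> 'read' or 'write' for opens that returned a valid fd.
    A path opened for writing anywhere in the trace stays 'write'."""
    modes = {}
    for line in trace.splitlines():
        m = OPEN_RE.match(line)
        if not m or int(m.group(3)) < 0:
            continue  # not an open, or the open failed (e.g. ENOENT)
        path, flags = m.group(1), set(m.group(2).split("|"))
        mode = "write" if flags & {"O_WRONLY", "O_RDWR"} else "read"
        if modes.get(path) != "write":
            modes[path] = mode
    return modes

if __name__ == "__main__":
    for path, mode in sorted(classify_opens(SAMPLE_STRACE).items()):
        print(f"{mode:5} {path}")
```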
