How does the Process Monitor from Sysinternals monitor file IO activity like it does? If you enable the advanced information, you can see that calls that were previously shown as CreateFile are now shown as IRP_MJ_CREATE which suggests that it hooks some rather low level stuff. Does anyone know exactly what it hooks/how it works?
Asked
Active
Viewed 3,092 times
3
-
It is my understanding that a kernel mode driver is used/required to do what Process Monitor does. – driis Jan 03 '11 at 09:10
-
Where could I learn how to write one? – John Zane Jan 03 '11 at 09:13
-
2Process Monitor needs no install so I'd be surprised if it actually installs a filter driver or something. As to your question where you can learn this. Would like to know myself, but so far I've looked at this book: http://www.amazon.com/Windows-System-Internals-Classic-Reprints/dp/0976717514/ref=sr_1_1?ie=UTF8&qid=1297344046&sr=8-1 that may shed some light – Hannes de Jager Feb 10 '11 at 13:21
