TraceEventSession and listen for file access
I am experimenting with TraceEventSession for a monitor like application.
The goal is to detect which files a given application accesses. According to my research, the following should work, but I get no events when notepad opens a file. Any insights to what I am doing wrong?
The goal is to detect which files a given application accesses. According to my research, the following should work, but I get no events when notepad opens a file. Any insights to what I am doing wrong?
Process process = new();
process.StartInfo.FileName = "notepad.exe";
process.Start();
var targetPid = process.Id;
Console.WriteLine($"Started process with PID: {targetPid}");
using (var session = new TraceEventSession("monitor_test"))
{
session.EnableKernelProvider(KernelTraceEventParser.Keywords.FileIOInit);
session.Source.Kernel.FileIORead += (data) =>
{
if (data.ProcessID == targetPid)
{
Console.WriteLine($"[File Open] Process {data.ProcessID} opened: {data.FileName}");
}
};
session.Source.Kernel.FileIOCreate += (data) =>
{
if (data.ProcessID == targetPid)
{
Console.WriteLine($"[File Create] Process {data.ProcessID} opened: {data.FileName}");
}
};
session.Source.Kernel.FileIOWrite += (data) =>
{
if (data.ProcessID == targetPid)
{
Console.WriteLine($"[File Write] Process {data.ProcessID} wrote to: {data.FileName}");
}
};
session.Source.Process(); Process process = new();
process.StartInfo.FileName = "notepad.exe";
process.Start();
var targetPid = process.Id;
Console.WriteLine($"Started process with PID: {targetPid}");
using (var session = new TraceEventSession("monitor_test"))
{
session.EnableKernelProvider(KernelTraceEventParser.Keywords.FileIOInit);
session.Source.Kernel.FileIORead += (data) =>
{
if (data.ProcessID == targetPid)
{
Console.WriteLine($"[File Open] Process {data.ProcessID} opened: {data.FileName}");
}
};
session.Source.Kernel.FileIOCreate += (data) =>
{
if (data.ProcessID == targetPid)
{
Console.WriteLine($"[File Create] Process {data.ProcessID} opened: {data.FileName}");
}
};
session.Source.Kernel.FileIOWrite += (data) =>
{
if (data.ProcessID == targetPid)
{
Console.WriteLine($"[File Write] Process {data.ProcessID} wrote to: {data.FileName}");
}
};
session.Source.Process();
