
I am subscribing to the Kernel ETW Events using https://www.nuget.org/packages/Microsoft.Diagnostics.Tracing.TraceEvent/.

Is it possible to monitor file rename so that I know what was the previous and new file path?

I thought it would simply require hooking the FileIORename event, but the payload (FileIOInfoTraceData) contains only the previous file path in the FileName property.

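// The handler name must match the method declared below (OnFileIORename), and the subscription needs a terminator.
kernelSession.Source.Kernel.FileIORename += OnFileIORename;
...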

/// <summary>
/// Handler for the kernel FileIO/Rename event. As written, the only path available here is the one the
/// file had before the rename; the payload does not expose the new path, which is the gap the question is about.
/// </summary>
/// <param name="data">Payload shared by the FileIO "info" events (Rename among them).</param>
private void OnFileIORename(FileIOInfoTraceData data)
{
    var prevFilePath = data.FileName;
    var newFilePath = ? // not available on FileIOInfoTraceData; would have to come from a correlated event
    ...
}
  • According to the docs https://learn.microsoft.com/en-us/windows/desktop/ETW/fileio-simpleop you should correlate FileObject events with the same FileObject address. Before that you should have got some IO operation for the same file object with the old file name which should give you all you need. – Alois Kraus Dec 18 '18 at 23:17



My solution is to use the FileIOFSControl event to get the new file name; I use the FileKey property to link the FileIORename event to the FileIOFSControl event.

Complete code in VB.NET

Imports System.IO

Imports Microsoft.Diagnostics.Tracing.Parsers
Imports Microsoft.Diagnostics.Tracing.Session
Imports Microsoft.Diagnostics.Tracing.Parsers.Kernel

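Module Module1

    ''' <summary>
    ''' Name of the kernel trace session this tool creates. Kernel sessions are system-wide objects,
    ''' so a leaked one keeps tracing after the process is gone.
    ''' </summary>
    Private Const EtwSessionName As String = "TestSession"

    ''' <summary>
    ''' Once this many Rename events are waiting for their FSControl partner, stale ones are purged
    ''' so the table cannot grow without bound during a long-running session.
    ''' </summary>
    Private Const MaxPendingRenames As Integer = 10000

    ''' <summary>
    ''' A pending Rename older than this (relative to the newest event seen) is assumed to never
    ''' receive a matching FSControl event and is discarded by the purge.
    ''' </summary>
    Private ReadOnly PendingRenameTtl As TimeSpan = TimeSpan.FromMinutes(1)

    ''' <summary>
    ''' Rename events still waiting for the FileIOFSControl event that carries the new name, keyed by FileKey.
    ''' Only the most recent Rename per FileKey is kept, so a later FSControl is never matched to a stale Rename.
    ''' Only touched from the thread that calls Source.Process(), so no locking is needed.
    ''' </summary>
    Private ReadOnly _pendingRenames As New Dictionary(Of ULong, FileIOTraceEvent)()

    Sub Main()

        ' Kernel providers can only be enabled from an elevated process; fail fast with a clear message
        ' instead of an exception out of EnableKernelProvider.
        If Not TraceEventSession.IsElevated().GetValueOrDefault() Then
            Console.Error.WriteLine("This program must run as Administrator to enable the kernel ETW provider.")
            Return
        End If

        ' StopOnDispose plus the Using block guarantee the system-wide session is stopped when Main leaves,
        ' whether normally or through an exception.
        Using session As New TraceEventSession(EtwSessionName) With {.StopOnDispose = True}

            ' Ctrl+C would otherwise kill the process while the kernel session keeps running.
            ' Disposing the session makes the blocking Process() call below return.
            AddHandler Console.CancelKeyPress, Sub(sender, e) session.Dispose()

            session.EnableKernelProvider(KernelTraceEventParser.Keywords.DiskFileIO Or KernelTraceEventParser.Keywords.FileIO Or KernelTraceEventParser.Keywords.FileIOInit)

            ' Both events share the FileIOInfoTraceData payload, so one handler dispatches on EventName.
            AddHandler session.Source.Kernel.FileIORename, AddressOf FileIOTrace
            AddHandler session.Source.Kernel.FileIOFSControl, AddressOf FileIOTrace

            Console.WriteLine("Tracing file renames, press Ctrl+C to stop.")

            ' Blocks until the session is stopped; event handlers run on this thread.
            session.Source.Process()

        End Using

    End Sub

    ''' <summary>
    ''' Handler for both FileIORename and FileIOFSControl. A Rename event carries only the old path, so it is
    ''' parked until the FSControl event with the same FileKey arrives carrying the new name; the pair is then printed.
    ''' </summary>
    ''' <param name="data">Payload shared by the FileIO "info" events (Rename, FSControl, ...).</param>
    Private Sub FileIOTrace(data As FileIOInfoTraceData)

        Try
            Select Case data.EventName

                Case FileIOTraceEvent.EVENT_NAME_FILEIO_RENAME
                    RememberRename(data)

                Case FileIOTraceEvent.EVENT_NAME_FILEIO_FSCONTROL
                    Dim renameEvent As FileIOTraceEvent = Nothing
                    ' A Rename is consumed by exactly one FSControl; removing it also keeps the table bounded.
                    If _pendingRenames.TryGetValue(data.FileKey, renameEvent) Then
                        _pendingRenames.Remove(data.FileKey)
                        renameEvent.NewFileName = Path.GetFileName(data.FileName)
                        Console.WriteLine(renameEvent.ToString())
                    End If

            End Select

        Catch ex As Exception
            ' An exception escaping the callback would abort Process(); swallowing it silently would
            ' hide lost rename events, so report it and keep tracing.
            Console.Error.WriteLine("Error while handling {0}: {1}", data.EventName, ex)
        End Try

    End Sub

    ''' <summary>
    ''' Parks a Rename event until its FSControl partner arrives, purging stale entries first when the table is full.
    ''' </summary>
    ''' <param name="data">The FileIO/Rename payload; FileName is the path before the rename.</param>
    Private Sub RememberRename(data As FileIOInfoTraceData)

        If _pendingRenames.Count >= MaxPendingRenames Then
            PurgeStaleRenames(data.TimeStamp)
        End If

        ' Indexer assignment overwrites an earlier Rename of the same file object, so the newest one wins.
        _pendingRenames(data.FileKey) = New FileIOTraceEvent(data.ID, data.TimeStamp, data.EventName, data.ProcessID, data.ProcessName, data.FileName, data.FileKey)

    End Sub

    ''' <summary>
    ''' Drops pending Renames older than PendingRenameTtl relative to the newest event timestamp seen.
    ''' </summary>
    ''' <param name="latestTimestamp">Timestamp of the event that triggered the purge.</param>
    Private Sub PurgeStaleRenames(latestTimestamp As Date)

        Dim cutoff As Date = latestTimestamp - PendingRenameTtl

        ' Materialize the keys first: a Dictionary cannot be modified while it is being enumerated.
        Dim staleKeys = _pendingRenames.Where(Function(kv) kv.Value.Timestamp < cutoff).Select(Function(kv) kv.Key).ToList()

        For Each key In staleKeys
            _pendingRenames.Remove(key)
        Next

    End Sub

#Region "Classes"

    ''' <summary>
    ''' One captured FileIO event; for a Rename, NewFileName is filled in later from the matching FSControl event.
    ''' </summary>
    Private Class FileIOTraceEvent

#Region "Public Members"

        ''' <summary>
        ''' Event ID
        ''' </summary>
        Public Property ID As UShort

        ''' <summary>
        ''' Event date
        ''' </summary>
        Public Property Timestamp As Date

        ''' <summary>
        ''' Event name
        ''' </summary>
        Public Property EventName As String

        ''' <summary>
        ''' The process ID that raised the event
        ''' </summary>
        Public Property ProcessID As Integer

        ''' <summary>
        ''' The process name that raised the event
        ''' </summary>
        Public Property ProcessName As String

        ''' <summary>
        ''' File full path (the path before the rename for a Rename event)
        ''' </summary>
        Public Property FilePath As String

        ''' <summary>
        ''' The new file name; Nothing until the matching FSControl event has been seen
        ''' </summary>
        Public Property NewFileName As String

        ''' <summary>
        ''' Kernel file key used to correlate the Rename event with its FSControl event
        ''' </summary>
        Public Property FileKey As ULong

#End Region

#Region "Public Methods"

        Public Sub New(id As UShort, timestamp As Date, eventName As String, processID As Integer, processName As String, filePath As String, fileKey As ULong)

            Me.ID = id
            Me.Timestamp = timestamp
            Me.EventName = eventName
            Me.ProcessID = processID
            Me.ProcessName = processName
            Me.FilePath = filePath
            Me.FileKey = fileKey

        End Sub

        ''' <summary>
        ''' One-line summary of the event. The timestamp uses the round-trip ("O") format so the output is
        ''' unambiguous regardless of the machine's culture, and the originating process is included.
        ''' </summary>
        Public Overrides Function ToString() As String
            Return String.Concat("Event ID: ", ID, ", Date: ", Timestamp.ToString("O"), ", Event Name: ", EventName, ", Process: ", ProcessName, " (", ProcessID, ")", ", File Path: ", FilePath, ", New File Name: ", NewFileName)
        End Function

#End Region

#Region "Constants"

        Public Const EVENT_NAME_FILEIO_RENAME As String = "FileIO/Rename"
        Public Const EVENT_NAME_FILEIO_DELETE As String = "FileIO/Delete"
        Public Const EVENT_NAME_FILEIO_WRITE As String = "FileIO/Write"
        Public Const EVENT_NAME_FILEIO_SETINFO As String = "FileIO/SetInfo"
        Public Const EVENT_NAME_FILEIO_CREATE As String = "FileIO/Create"
        Public Const EVENT_NAME_FILEIO_FSCONTROL As String = "FileIO/FSControl"

#End Region

    End Class

#End Region

End Module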