监视由 Windows 中的进程完成的某些系统调用 [英] Monitoring certain system calls done by a process in Windows

问题描述

我希望能够监视进程发出的某些系统调用，主要是文件 I/O 调用.在 Linux 上，我可能可以使用带有合适参数的 strace 逃脱，但我如何在 Windows 上做到这一点?

我的主要兴趣在于运行一个进程并找出它读取和写入了哪些文件.

我想从另一个进程以编程方式执行此操作.我知道 Process Monitor，但我想以我想要的形式接收数据可以导入到另一个程序中进行进一步分析.

如果我进一步缩小我的要求，那么能够监视对 CreateFile() 的调用可能就足够了.我真的只对打开的文件感兴趣，以及是否打开它们进行读/写或只读.我没有真正说明的另一个要求是速度相当重要；我计划为诸如编译 C++ 文件之类的事情执行此操作，并且拉出一个完整的 GUI 来生成一个 20 MB 的日志文件将具有令人望而却步的开销.

如果不需要管理权限就好了.

解决方案

Windows 上有几个选项.

Windows Performance Toolkit 可用于启用跟踪各种系统事件，包括文件 I/O，并包括用于处理和查看这些事件的工具.您可以使用 xperf 开始跟踪各种类型的事件并将其保存到 ETL 文件中，然后您可以稍后使用相同的工具处理或查看该文件.

进程监视器来自 Sysinternals 是另一个非常易于使用的选项，它使您能够快速查看系统上任何进程的所有文件和注册表访问正在做.您还可以以自动化方式运行进程监视器..>

如果您想完全以编程方式执行此操作，您可以使用 ETW 函数(StartTrace、EnableTrace 等)来捕捉文件 I/O 事件并保存到 ETL 文件.示例代码此处.

I would like to be able to monitor certain system calls made by a process, primarily file I/O calls. On Linux I can probably get away using strace with suitable parameters, but how can I do this on Windows?

I'm primarily interested in running a process and figuring out which files it has read and written.

I want to do this programmatically from another process. I'm aware of Process Monitor, but I would like to receive the data in a form which I can import into another program for further analysis.

If I narrow down my requirements even further, it is probably enough to be able to monitor calls to CreateFile(). I'm really only interested in what files are opened, and if they are opened for read/write or just read. Another requirement which I didn't really state is that speed is fairly important; I was planning on doing this for things like compiling a C++-file, and pulling up a full GUI which generates a 20 MB logfile will have prohibitive overhead.

It would also be nice if it did not require administrative privileges.

解决方案

There are several options on Windows.

Windows Performance Toolkit can be used to enable tracing of various system events, including file I/O, and includes tools for processing and viewing these events. You can use xperf to begin trace variously classes of events and save to an ETL file that you can then process or view using the same tools later.

Process Monitor from Sysinternals is another, very easy to use, option, and enables you to quickly see all file and registry accesses any process on the system is doing. You can also run Process Monitor in an automated fashion.

If you'd like to do this completely programmatically, you can use the ETW functions (StartTrace, EnableTrace, etc.) to snap file I/O events and save to an ETL file. Sample code here.

这篇关于监视由 Windows 中的进程完成的某些系统调用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！