监视Windows中某个进程完成的某些系统调用 [英] Monitoring certain system calls done by a process in Windows

问题描述

我希望能够监视某个进程进行的某些系统调用，主要是文件I / O调用。在Linux上，我可以使用带有适当参数的 strace 逃脱，但是如何在Windows？

我主要是对运行一个进程并弄清它已读取和写入了哪些文件感兴趣。

<我想从另一个过程中以编程方式执行此操作。我知道 Process Monitor ，但是我希望以以下形式接收数据：我可以导入另一个程序进行进一步的分析。

如果我进一步缩小要求的范围，可能足以监视对CreateFile（）的调用。我真的只对打开哪些文件以及打开文件进行读取/写入还是仅读取感兴趣。我没有真正指出的另一个要求是 speed 相当重要；我正打算这样做，例如编译C ++文件，并拉出完整的GUI生成20 MB的日志文件，这会带来过高的开销。

解决方案

Windows上有多个选项。

Windows Performance Toolkit 可用于支持跟踪各种系统事件，包括文件I / O，并包括用于处理和查看这些事件的工具。您可以使用xperf开始跟踪各种事件类，并将其保存到ETL文件中，然后可以在以后使用相同的工具进行处理或查看。

进程监视器来自 Sysinternals 是另一个非常易于使用的选项，使您可以快速查看所有文件和注册表访问系统上正在执行的任何进程。 http：// blogs。 msdn.com/carloc/archive/2008/10/31/how-to-automate-process-monitor.aspx 还显示了如何以自动化方式运行Process Monitor。

如果您想完全以编程方式执行此操作，则可以使用ETW函数（StartTrace，EnableTrace等）来捕捉文件I / O事件并保存到ETL文件中。示例代码此处。

I would like to be able to monitor certain system calls made by a process, primarily file I/O calls. On Linux I can probably get away using strace with suitable parameters, but how can I do this on Windows?

I'm primarily interested in running a process and figuring out which files it has read and written.

I want to do this programmatically from another process. I'm aware of Process Monitor, but I would like to receive the data in a form which I can import into another program for further analysis.

If I narrow down my requirements even further, it is probably enough to be able to monitor calls to CreateFile(). I'm really only interested in what files are opened, and if they are opened for read/write or just read. Another requirement which I didn't really state is that speed is fairly important; I was planning on doing this for things like compiling a C++-file, and pulling up a full GUI which generates a 20 MB logfile will have prohibitive overhead.

It would also be nice if it did not require administrative privileges.

解决方案

There are several options on Windows.

Windows Performance Toolkit can be used to enable tracing of various system events, including file I/O, and includes tools for processing and viewing these events. You can use xperf to begin trace variously classes of events and save to an ETL file that you can then process or view using the same tools later.

Process Monitor from Sysinternals is another, very easy to use, option, and enables you to quickly see all file and registry accesses any process on the system is doing. http://blogs.msdn.com/carloc/archive/2008/10/31/how-to-automate-process-monitor.aspx also shows how to run Process Monitor in an automated fashion.

If you'd like to do this completely programmatically, you can use the ETW functions (StartTrace, EnableTrace, etc.) to snap file I/O events and save to an ETL file. Sample code here.

这篇关于监视Windows中某个进程完成的某些系统调用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！