FileSpy is a GUI application for the FSpy.sys or MSpy.sys monitoring filter driver shipped with the WDK. Its functionality is similar to the well-known Filemon tool by Mark Russinovich (http://www.sysinternals.com). FileSpy is an application written to support developers who need to monitor file system activity.
Compared to Filemon, it offers some additional functions:
- Extended logging of IRP and Fast I/O requests
- Advanced filtering by path, process, IRP code, Fast I/O code or operation result
- Ability to monitor "exotic" file systems and network redirectors using its ability to attach by device name
- Ability to watch requests from newly created processes
- Ability to monitor newly mounted volumes (e.g. USB drives)
- Ability to monitor FSD control devices, so the IRP_MN_MOUNT_VOLUME request can be seen
- Ability to sort requests by issuing time or completion time
- Watching documented (and even some undocumented) IOCTL requests, with online decoding (device type, method, etc.)
- FileSpy can be run even by a normal authenticated user if the kernel-mode service is already running
- The user can choose the driver (legacy FS filter FSpy.sys, minifilter MSpy.sys or minifilter FileTrace.sys)
- FileSpy can be run before user logon.
- FileSpy can log changes to an NTFS volume using the USN Journal.
FileSpy - 64-bit software