I need a low-level method for monitoring the input/output of a Windows process.
I received some helpful answers about monitoring specific system calls made by a process on Windows. The most promising was using the Windows Performance Toolkit to get a trace of kernel events. All the necessary information can indeed be pulled from there, but WPT is massive overkill for what I need, and consequently has excessive costs.
My idea was to implement an alternative approach to detecting C/C++ dependency graphs. This is usually done by passing an option to the compiler (for example, -M). That is great for compilers and tools that have this option, but not all of them do, and those that do often implement it differently. So I implemented an alternative way to do this on Linux using strace to determine which files are opened. Running gcc this way (for example) has about 50% overhead (rough figure), and I was hoping to figure out a way to do this on Windows with similar overhead.
The xperf toolkit has two problems that prevent me from using it in this case:
- It cannot trace file I/O events for a single process; I have to use kernel event tracing, which traces every single process and thus generates a huge amount of data (15 MB for the duration of a gcc run, YMMV).
- Because it uses kernel event tracing, I have to run as an administrator.
I really don't need kernel-level events; I believe I could do just as well if I could just monitor, say, the Win32 API calls CreateFile() and possibly CreateProcess() if I want to catch forked processes.
Any smart ideas?
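The Linux half of the approach described in the question (strace recording which files a compiler opens, then turning that into a dependency list the way -M would) as an added example; this is not code from the question or from any answer. It assumes a log produced by `strace -f -e trace=openat,open,execve -o trace.log gcc -c foo.c -o foo.o`; the trace embedded below is constructed to look like such a log and is not a real capture, and the prefixes filtered out of the Make rule (/etc/, /usr/lib/, /lib/) are an assumed toolchain-file list, not something strace or gcc defines.

```python
"""Turn an `strace -f` log of a compiler run into a Make-style dependency rule.

Handles the two things a naive grep misses: the '<unfinished ...>' /
'<... resumed>' split lines that -f produces when parent and child
interleave, and failed opens (ENOENT include-path probes) that must not
become dependencies.
"""
import re
from collections import defaultdict

# Constructed sample, shaped like `strace -f -e trace=openat,open,execve` output.
SAMPLE_TRACE = """\
4101  execve("/usr/bin/gcc", ["gcc", "-c", "foo.c", "-o", "foo.o"], 0x7ffd0a1b2c3d /* 30 vars */) = 0
4101  openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4101  clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f3a1c2d3e10) = 4102
4102  execve("/usr/lib/gcc/x86_64-linux-gnu/11/cc1", ["/usr/lib/gcc/x86_64-linux-gnu/11/cc1", "-quiet", "foo.c", "-o", "/tmp/ccAbC123.s"], 0x55d0c0ffee00 /* 30 vars */) = 0
4102  openat(AT_FDCWD, "foo.c", O_RDONLY|O_NOCTTY) = 3
4102  openat(AT_FDCWD, "/usr/lib/gcc/x86_64-linux-gnu/11/include/stdio.h", O_RDONLY|O_NOCTTY) = -1 ENOENT (No such file or directory)
4102  openat(AT_FDCWD, "/usr/include/stdio.h", O_RDONLY|O_NOCTTY <unfinished ...>
4101  wait4(-1,  <unfinished ...>
4102  <... openat resumed>) = 4
4102  openat(AT_FDCWD, "/tmp/ccAbC123.s", O_RDWR|O_CREAT|O_EXCL, 0600) = 5
4102  +++ exited with 0 +++
4101  <... wait4 resumed>[{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 4102
4101  openat(AT_FDCWD, "foo.o", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
4101  +++ exited with 0 +++
"""

LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<rest>.*)$")
RESUMED_RE = re.compile(r"^<\.\.\. (?P<call>\w+) resumed>(?P<tail>.*)$")
CALL_RE = re.compile(
    r"^(?P<call>openat|open|execve)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)"
    r"(?:\s+(?P<err>E[A-Z]+))?"
)
PATH_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')      # first quoted argument = the path
FLAGS_RE = re.compile(r'"\s*,\s*([A-Z0-9_|]+)')    # flag token right after the path
WRITE_FLAGS = {"O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC", "O_APPEND"}
UNFINISHED = "<unfinished ...>"
TOOLCHAIN_PREFIXES = ("/etc/", "/usr/lib/", "/lib/")   # assumed, not a gcc rule


def reassemble(trace_text):
    """Yield (pid, call_text), re-joining split syscall lines per pid."""
    pending = {}
    for line in trace_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, rest = int(m.group("pid")), m.group("rest")
        if rest.endswith(UNFINISHED):
            pending[pid] = rest[: -len(UNFINISHED)].rstrip()
            continue
        r = RESUMED_RE.match(rest)
        if r:
            head = pending.pop(pid, None)
            if head is None:          # resumed half without a start we saw
                continue
            rest = head + r.group("tail")
        yield pid, rest


def unescape(path):
    """Undo strace's C-style escaping (sufficient for ASCII paths)."""
    return path.encode("latin-1").decode("unicode_escape")


def classify(trace_text):
    """Bucket every open/exec into inputs, outputs, executables and missing."""
    files = defaultdict(set)
    for _pid, call_text in reassemble(trace_text):
        m = CALL_RE.match(call_text)
        if not m:
            continue
        p = PATH_RE.search(m.group("args"))
        if not p:
            continue
        path = unescape(p.group(1))
        if int(m.group("ret")) < 0:             # ENOENT etc.: a probe, not a dep
            files["missing"].add(path)
        elif m.group("call") == "execve":
            files["executables"].add(path)
        else:
            f = FLAGS_RE.search(m.group("args"))
            flags = set(f.group(1).split("|")) if f else set()
            files["outputs" if flags & WRITE_FLAGS else "inputs"].add(path)
    return files


def depfile(trace_text, target):
    """Render read-only opens as a one-line Make rule, like gcc -M would."""
    deps = sorted(p for p in classify(trace_text)["inputs"]
                  if not p.startswith(TOOLCHAIN_PREFIXES))
    return f"{target}: " + " ".join(deps)


if __name__ == "__main__":
    for kind, paths in sorted(classify(SAMPLE_TRACE).items()):
        print(f"{kind}: {sorted(paths)}")
    print(depfile(SAMPLE_TRACE, "foo.o"))
```

Paths are recorded exactly as the traced process passed them, so relative names like foo.c stay relative; a production version would also trace chdir() and resolve them against each pid's working directory, and the -f flag is what makes the forked cc1/as children show up at all, which is the same reason the question wants CreateProcess() alongside CreateFile() on Windows.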