C# copied files

I am trying to track files that are copied by users and other applications. FileSystemWatcher only has events for Modified, Created, Deleted, Posted, Erroneous and Renamed. It does not fire an event when a copy function accesses a file or where a new file is copied.

Is there a way to monitor an event / copy function from a window?

+6
source share
4 answers

I do not know how to use C#.

You can do this if you want to write a File System Filter Driver. [Definitely an expert area, as there is an opportunity to corrupt files and/or lower your system]

A file system filter driver intercepts requests that target a system file or other file system filter driver. By intercepting a request before it reaches its intended purpose, the filter driver can extend or replace the functionality provided by the original target of the request. Examples of file system filter drivers include antivirus filters, backup agents, and encryption products. To develop file systems and file system filter drivers, use IFS (Installable File System), which comes with the Windows Driver Kit (WDK).

+4
source

You are doing the right thing with FileSystemWatcher. Windows does not have a built-in mechanism for reliable reporting.

You can connect the OS copy routine, but this does not guarantee good results: applications can freely implement their own copy by simply opening the source and target files and copying the bytes.

Renaming is different from the fact that renaming performed by the operating system cannot be easily mimicked by other means, so you can intercept all renaming with FileSystemWatcher. Note that moving between disks is more like a copy: you will not receive a renamed notification, but instead create and delete it.

So, if you really need to notice that the file is being copied, my suggested approach is this:

  • Hook calls CloseFile in addition to FileSystemWatcher.
  • Whenever a file is closed, it may be due to the fact that it or the source of the copy or cross-move is moved. Check its size.
  • If you find two closed files with the same size in a fairly short period of time, compare the content. Quite resource-intensive, but the only reliable way to do this.
+1
source

You can use the file and folder access audit function, which records an event log entry, and you can configure programs to run when such an event occurs.

0
source

I can't think of anything good.

For each newly created file, you need to check if there is an exact duplicate in the file system (possibly with a different name). You could obviously make that brute force, but the decision would be very inelegant, slow and fragile!

0
source
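The size-then-content comparison suggested in the second answer, applied to the new-file duplicate check described in the last answer, as an added example that is not code from the thread. It assumes .NET 6 or later; `CopyDetector`, `WaitUntilClosed` and `FindSources` are hypothetical names, and polling for an exclusive open stands in for hooking the file close.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;

// Added example: reports a new file as a probable copy of an existing one.
class CopyDetector
{
    // Assumption: "file closed" is approximated by polling for an exclusive open.
    static bool WaitUntilClosed(string path)
    {
        for (int i = 0; i < 20; i++)
            try { using (new FileStream(path, FileMode.Open, FileAccess.Read, FileShare.None)) return true; }
            catch (IOException) { System.Threading.Thread.Sleep(250); }
        return false;   // still being written after ~5 s: give up on this file
    }
    static string Hash(string path)
    {
        using var sha = SHA256.Create();
        using var fs = File.OpenRead(path);
        return Convert.ToHexString(sha.ComputeHash(fs));
    }
    // Cheap length filter first; only files of identical length are hashed.
    public static string[] FindSources(string root, string newPath)
    {
        long size = new FileInfo(newPath).Length;
        if (size == 0) return Array.Empty<string>();   // all empty files "match"
        var opts = new EnumerationOptions { RecurseSubdirectories = true, IgnoreInaccessible = true };
        var sameSize = Directory.EnumerateFiles(root, "*", opts)
            .Where(p => !p.Equals(newPath, StringComparison.OrdinalIgnoreCase)
                        && new FileInfo(p).Length == size).ToList();
        if (sameSize.Count == 0) return Array.Empty<string>();
        string target = Hash(newPath);
        return sameSize.Where(p => Hash(p) == target).ToArray();
    }
    static void Main(string[] args)
    {
        string root = Path.GetFullPath(args.Length > 0 ? args[0] : ".");
        using var watcher = new FileSystemWatcher(root) { IncludeSubdirectories = true };
        watcher.Created += (_, e) =>
        {
            try
            {   // Created also fires for directories, hence the File.Exists check
                if (!File.Exists(e.FullPath) || !WaitUntilClosed(e.FullPath)) return;
                foreach (var src in FindSources(root, e.FullPath))
                    Console.WriteLine($"{e.FullPath} has the same content as {src}");
            }   // a file that vanished or is locked mid-check is skipped
            catch (Exception ex) when (ex is IOException || ex is UnauthorizedAccessException) { }
        };
        watcher.EnableRaisingEvents = true;
        Console.ReadLine();   // keep watching until Enter is pressed
    }
}
```

It only sees copies whose source and destination both lie under the watched root, and it rescans the tree on every new file, so it suits a bounded directory rather than a whole volume.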

Source: https://habr.com/ru/post/905325/