Copyright © 1998-1999 Mark Russinovich
Last Updated: October 14, 1999, v1.1
Introduction

Diskmon is a Windows NT device driver/GUI combination that together log and display all process activity on a Windows NT/2000 system. You can also minimize Diskmon to your system tray, where it acts as a disk light, presenting a green icon when there is disk-read activity and a red icon when there is disk-write activity. Diskmon works on NT 4.0 and Windows 2000.
Installation and Use

Installing Diskmon is as easy as unzipping it and typing "diskmon". The GUI dynamically loads the driver (based on code from the instdrv sample in the Windows NT DDK), which begins monitoring all hard drives. The menus and toolbar buttons can be used to disable event capturing, control the scrolling of the listview, and save the listview contents to an ASCII file.

To have Diskmon function as a disk light in your system tray, select the Options|Minimize to Tray menu item, or start Diskmon with the "/l" command-line switch, e.g. "diskmon /l". To reactivate the Diskmon window, double-click the Diskmon tray icon.

Read and write offsets are presented in terms of sectors (512 bytes). Events can either be timed for their duration (in microseconds) or stamped with the absolute time at which they were initiated. The History Depth dialog can be used to specify the maximum number of records that will be kept in the GUI (0 signifies no limit).
Sample Screenshot

[Screenshot: Diskmon watching hard disk activity.]
Implementation

Using standard filtering techniques, it is not possible for a dynamically loaded driver like Diskmon to attach to hard disk device objects and see requests originating in file systems. This is because file system drivers open disk devices during system initialization and, unlike the I/O Manager, file system drivers send IRPs directly to these devices. The I/O Manager allows file system filter drivers to attach to file system devices after initialization because it checks for attached devices whenever it is about to send an IRP to a file system, and directs the IRPs to them instead.

Diskmon overcomes this limitation by using a technique I've developed: driver function interception. Diskmon locates a disk device's driver object and replaces the driver's dispatch entry points with its own. The Diskmon filter functions pass the IRPs they see on to the hooked driver, and also intercept completion routines in a similar way so that Diskmon can see the results of each request.
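The following is an added, user-mode model of the interception pattern described above; it is not Diskmon's code and uses hypothetical names (DriverObject, Irp, io_call_driver) rather than the real DDK types. A stand-in "disk driver" exposes a dispatch table indexed by major function code; the filter saves each original entry, overwrites it with its own routine, logs the request with its offset converted to 512-byte sectors, takes over the IRP's completion slot to observe the status, then hands the IRP on to the saved entry. It also shows the part a practitioner cares about when unloading such a filter: the saved entries must be restored, after which requests no longer pass through the hook.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (hypothetical names, not the WDM types): a driver object
   whose dispatch table is indexed by major function code, and an IRP that
   carries the issuer's completion routine. */
#define IRP_MJ_READ  0
#define IRP_MJ_WRITE 1
#define IRP_MJ_MAX   2
#define SECTOR_SIZE  512

typedef struct Irp Irp;
typedef int  (*DispatchFn)(Irp *irp);
typedef void (*CompletionFn)(Irp *irp, void *ctx);

struct Irp {
    int          major;          /* IRP_MJ_READ or IRP_MJ_WRITE */
    uint64_t     byte_offset;    /* position on the disk, in bytes */
    uint32_t     length;         /* bytes requested */
    int          status;         /* set by the driver on completion */
    CompletionFn completion;     /* routine of whoever issued the IRP */
    void        *completion_ctx;
};

typedef struct {
    const char *name;
    DispatchFn  major_function[IRP_MJ_MAX];
} DriverObject;

/* Stand-in for the real disk driver: succeeds and completes the IRP. */
static int disk_dispatch(Irp *irp)
{
    irp->status = 0;
    if (irp->completion)
        irp->completion(irp, irp->completion_ctx);
    return irp->status;
}

/* One logged event, plus the completion routine we displaced while hooked. */
typedef struct {
    int          major;
    uint64_t     sector;          /* offset in 512-byte sectors, as Diskmon shows it */
    uint32_t     length;
    int          status;          /* -1 until the completion hook observes it */
    CompletionFn orig_completion;
    void        *orig_ctx;
} DiskEvent;

#define MAX_EVENTS 64
DiskEvent  g_events[MAX_EVENTS];
int        g_event_count;
static DispatchFn g_original[IRP_MJ_MAX];   /* saved before overwriting */

/* Runs in place of the issuer's completion routine: record the result,
   restore the original routine, then invoke it. */
static void filter_completion(Irp *irp, void *ctx)
{
    DiskEvent *e = ctx;
    e->status = irp->status;
    irp->completion     = e->orig_completion;
    irp->completion_ctx = e->orig_ctx;
    if (irp->completion)
        irp->completion(irp, irp->completion_ctx);
}

/* Installed in the dispatch table: log, hook completion, pass the IRP on. */
static int filter_dispatch(Irp *irp)
{
    if (g_event_count < MAX_EVENTS) {
        DiskEvent *e = &g_events[g_event_count++];
        e->major  = irp->major;
        e->sector = irp->byte_offset / SECTOR_SIZE;
        e->length = irp->length;
        e->status = -1;
        e->orig_completion  = irp->completion;
        e->orig_ctx         = irp->completion_ctx;
        irp->completion     = filter_completion;
        irp->completion_ctx = e;
    }
    return g_original[irp->major](irp);   /* forward to the hooked driver */
}

void hook_install(DriverObject *drv)
{
    for (int i = 0; i < IRP_MJ_MAX; i++) {
        g_original[i] = drv->major_function[i];
        drv->major_function[i] = filter_dispatch;
    }
}

/* Must run before the filter unloads, or the table points at freed code. */
void hook_remove(DriverObject *drv)
{
    for (int i = 0; i < IRP_MJ_MAX; i++)
        drv->major_function[i] = g_original[i];
}

/* What the I/O manager does: call the entry matching the IRP's major code. */
int io_call_driver(DriverObject *drv, Irp *irp)
{
    return drv->major_function[irp->major](irp);
}

static void caller_completion(Irp *irp, void *ctx) { (void)irp; (*(int *)ctx)++; }

/* Constructed sample traffic: one read, one write, then a read after unhooking.
   Returns the number of events logged, or -1 if the issuer's completion
   routines did not both still fire through the hook. */
int run_demo(void)
{
    DriverObject disk = { "\\Driver\\Disk (constructed)", { disk_dispatch, disk_dispatch } };
    int completions = 0;
    Irp read   = { IRP_MJ_READ,  4096,        8192, 0, caller_completion, &completions };
    Irp write  = { IRP_MJ_WRITE, 1024 * 1024, 512,  0, caller_completion, &completions };
    Irp unseen = { IRP_MJ_READ,  0,           512,  0, NULL, NULL };

    g_event_count = 0;
    hook_install(&disk);
    io_call_driver(&disk, &read);
    io_call_driver(&disk, &write);
    hook_remove(&disk);
    io_call_driver(&disk, &unseen);           /* no longer passes through the filter */

    for (int i = 0; i < g_event_count; i++)
        printf("%-5s sector %" PRIu64 " len %u status %d\n",
               g_events[i].major == IRP_MJ_READ ? "READ" : "WRITE",
               g_events[i].sector, g_events[i].length, g_events[i].status);
    return completions == 2 ? g_event_count : -1;
}

int main(void) { return run_demo() == 2 ? 0 : 1; }
```

The model completes IRPs synchronously, so the per-event record doubles as the completion context; a real filter has to allocate that context per IRP because completion may arrive on another thread long after the dispatch routine returns.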