can processhacker plugin support individual file op ？

[yangjian123]

I am a heavy user of processhack, sometimes i need to analysis file operation(read,write), Hope processhack can have such a plugin

[dmex]

winsiderss/systeminformer#749

[yangjian123]

hi, dmex, do you know why EventRecord->EventHeader->ProcessId and EventRecord->EventHeader->ThreadId always -1 in windows7 on file io event . i modify the etwmon.c code as below, and the question still exist, can dmex have idea about this?

` EtpTraceProperties->Wnode.BufferSize = bufferSize;

    EtpTraceProperties->Wnode.Guid = *EtpActualSessionGuid;

    EtpTraceProperties->Wnode.ClientContext = 1;

    EtpTraceProperties->Wnode.Flags = WNODE_FLAG_TRACED_GUID;

    EtpTraceProperties->MinimumBuffers = 1;

    EtpTraceProperties->LogFileMode = EVENT_TRACE_REAL_TIME_MODE;

    EtpTraceProperties->FlushTimer = 1;

    EtpTraceProperties->EnableFlags = EVENT_TRACE_FLAG_DISK_IO | EVENT_TRACE_FLAG_DISK_FILE_IO | EVENT_TRACE_FLAG_NETWORK_TCPIP|EVENT_TRACE_FLAG_FILE_IO| EVENT_TRACE_FLAG_FILE_IO_INIT| EVENT_TRACE_FLAG_PROCESS | EVENT_TRACE_FLAG_THREAD;

    EtpTraceProperties->LoggerNameOffset = sizeof(EVENT_TRACE_PROPERTIES);`

[dmex]

ThreadId always -1

You ignore these for the ID included in the event message.

[yangjian123]

where can we get the correct process id and threadid? can dmex supply some helps ?

[dmex]

The kernel generally returns files to the application from cache not disk. components like superfetch speculatively load files before the process is created so when the ID is zero you default to processId 4 for system.

[yangjian123]

hi,dmex,do you have any update?