When you’re having problems with your server, it’s sometimes difficult to figure out which applications are processing which files. The Task Manager tells you only so much—and not always what you need to know to fix the problem. Sysinternals’ Filemon utility can help. Filemon gives you detailed, real-time information that you can use to troubleshoot system or application file configuration problems. In this Daily Feature, I’ll show you how to use Filemon to track file system activity.

Acquiring Filemon
Sysinternals distributes freeware system utilities via the Web in order to promote its sibling company, Winternals Software. Filemon is one of the many fine utilities you can download from the Sysinternals Web site.

You’ll have four choices when downloading the file. You can choose to download versions for Windows 9x, Windows NT/2000/XP, Windows XP/64, and Windows NT Alpha. Because I’ll explain how to run Filemon on a Windows 2000 Server, we’ll select the WinNT/2000/XP link. The file, Ntfilmon.zip, is a mere 78.9 KB in size and arrives in the form of a Zip file, which you must unzip. There are six files contained in the Zip archive. Since there isn’t a Setup.exe file included in the archive, you’ll have to set up the utility manually. Actually, there isn’t much to the setup process—just make sure that all six files are in the same folder. You can run the utility from any drive.

Running Filemon
When you’re ready to run Filemon, just double-click the Filemon.exe icon. When you do, you’ll see a screen similar to the one shown in Figure A. This is the main Filemon screen.

Figure A
The main Filemon screen displays a constantly scrolling list of the files being accessed.

The first thing that you’ll probably notice is the level of activity. The main Filemon screen displays a constantly scrolling list of the files being accessed. Notice that the screen is divided into several columns. The first column, marked with the pound sign, indicates the sequence number. The next columns indicate the time that the operation occurred, the process that initiated the action, the actual type of request, the path and/or filename involved in the action, and the result of the action. There’s also a column labeled Other that sometimes provides a brief but helpful description of what just happened.

The Options menu
As you’ve no doubt noticed in the figure, Filemon can give you too much information to handle effectively. In fact, if you look at the Time column in the figure, you’ll see that all of the logged activity on the screen occurred within about three seconds. The key to making all this information useful is to set the appropriate data collection options.

The first thing that you’ll probably want to set is the way Filemon displays the data. If you open the Options menu, you’ll see that the Auto Scroll option is selected by default. There’s also an Always On Top option that you can use to keep the Filemon window visible at all times. This option is handy if you’re trying to diagnose a problem and want to see exactly what’s happening while you try to reproduce the problem.

There are also options for displaying milliseconds and time duration. If you choose to display the time duration, Filemon will display the amount of time that each event took to complete rather than the time at which the event occurred. For example, instead of seeing 6:43 AM, you’ll see 0.00001034. The one thing that you need to know about setting the time options is that, like most of the other options in this utility, the settings don’t apply to previously captured data; only newly captured data is displayed using your newly selected options.

The Drives menu
Another way to control what Filemon displays and the amount of data it collects is by choosing the drives it will monitor. By default, Filemon monitors the C: drive as well as the drive on which it is installed. However, those aren’t your only options. You can select both local and network drives individually or in any combination. There are also All Drives and No Drives options that you can use to expedite the selection process. Filemon even supports the collection of data flowing through named pipes and mail slots.

The Edit menu
The Edit menu offers several options for dealing with the data that you’ve collected. One of the useful options is the History Depth option. This option allows you to set how many log entries you want to keep on hand. The default option is 0, which indicates no limit. However, if you’re concerned about running out of disk space, you might consider setting a limit.

Some of the items on the Edit menu are purely cosmetic, such as the Font option and the Highlight Color option. However, others are more useful. For example, you can use the Find option to locate a specific piece of information in your log files.

Perhaps the most useful option on this menu is the Filter/Highlight option. The filter allows you to control exactly what data will be displayed. The default filter is *, which is a wildcard you can use to show everything.

There are two basic types of filters: Include filters and Exclude filters. The Include filters tell Filemon to display only the items matching the filter that you’ve specified. The Exclude filters tell Filemon to display everything except what you’ve specified. You can also use the Include and Exclude filters together to display very specific information. For example, if you were to set the Include filter to C:\Winnt and the Exclude filter to C:\Winnt\System32, Filemon would show only disk activity occurring in the C:\Winnt folder and its subfolders but wouldn’t display anything occurring in the System32 subfolder.

The Filter/Highlight option also contains a Highlight field. This field allows you to highlight any occurrence of a value that you specify. For example, you could tell Filemon to highlight any log entries involving the C:\Winnt folder.

Saving your data
The Save As option on the File menu lets you save the data that you’ve collected for future reference as a tab-delimited log file. You can view the log file in Notepad, or you can import it into an Excel spreadsheet for easy viewing, searching, and printing. With this information, you can determine which program or process is causing problems on your server. From there, you can deal directly with the troublesome program rather than relying on guesswork.