Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


February 1999

Inside NT Utilities



Improve performance and explore internal structure

Since I began exploring the internal structure and functioning of Windows NT, I've discovered ways to improve the OS's performance and to fill holes in its built-in functionality. As I've delved ever deeper into NT's internals, I've developed monitoring tools, performance-related tools, and recovery tools. This month, I'll acquaint you with a few of these powerful utilities, which you can use to learn more about NT's inner workings and perhaps even to troubleshoot problems you encounter. I'll describe what these utilities do and how you can use them to solve problems, and I'll briefly discuss how they work internally. The tools are Filemon, a file-system monitor; Regmon, a Registry monitor; HandleEx, a DLL and open-handle viewer; NTFSDOS, an NTFS file system driver; and NewSID, a security ID (SID)-changing tool. All the tools are available for free download from Systems Internals (http://www.sysinternals.com), the Web site I developed in collaboration with Bryce Cogswell. Many of these tools include full source code.

Filemon
Have you ever wondered what files applications are accessing when you hear your disk drive start up during otherwise idle periods? Maybe you've tried to run an application and received a vague error message that the application didn't install properly or is unable to find a required file. Filemon for NT lets you see precisely which files and directories applications are accessing or trying to access. Filemon monitors file system activity on logical drives (e.g., C, D) you specify, including 3.5" disk drives, hard disk drives, CD-ROM drives, and even network drives. Monitoring begins when you launch Filemon, and each file system access that takes place while Filemon is monitoring displays on a separate line in Filemon's output window, as Screen 1, page 56 shows. You can use the scroll bars to navigate forward and backward through Filemon. You can also use toolbar buttons or menu commands to save a trace to a file, start and stop monitoring, select drives that you want Filemon to monitor, and cancel the selection of drives.

The Filemon display divides each access record into fields. Filemon's fields include the sequence number assigned to a record, timing information related to the access, name of the process that performed the access, full path of the accessed file or directory, result of the access, and supplementary information related to the access. As accesses take place, Filemon assigns them unique sequence numbers. These sequence numbers help you to navigate through records when you scroll up and down in the display and let you know when the rate of file system activity causes Filemon's internal buffers to overflow. Filemon drops records when its buffers are full (a rare occurrence); a gap in sequence numbers in the output signals such an event.

Filemon's timing features let you specify whether you want to see the time at which file accesses occur or the duration of an access. Measuring duration is helpful if you're developing a program for which file system performance is an important factor in overall performance. For example, to improve Excel's performance, Microsoft used Filemon to compare the time Excel 2000 spent executing file I/O across versions with different optimizations.

Filemon's Result field can provide insight when you're trying to determine why an application won't start or is misbehaving. Most requests will display a status of SUCCESS, which means the file system driver successfully carried out the operation. FILE NOT FOUND and NO SUCH FILE status codes can be red flags that identify which files and directories an application expects to find but doesn't. However, many times, what appear to be errors in Filemon's output are expected behavior. For example, when you type the name of a program at a command prompt, the system will search through the directories in your PATH environment variable for the program's file. If your command prompt isn't in the directory that contains the file, typing the program's name at the prompt will result in NT trying and failing to open the file in various PATH directories until it finds the directory in which the file resides.
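The two triage steps described above (spotting dropped records from sequence-number gaps, and separating expected PATH-search misses from files a process never found) can be scripted against a saved trace. This is an added example, not code from the article or from Filemon; the tab-separated layout, the field order, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import ntpath

# Assumed layout (not confirmed by the article): one record per line,
# tab-separated, in the field order the article lists.
FIELDS = ["seq", "time", "process", "path", "result", "other"]
MISS = {"FILE NOT FOUND", "NO SUCH FILE"}

# Constructed sample trace; record 5 and 6 are deliberately absent.
SAMPLE = """\
1\t10:02:11\tcmd.exe\tC:\\WINNT\\system32\\report.exe\tFILE NOT FOUND\t
2\t10:02:11\tcmd.exe\tC:\\WINNT\\report.exe\tFILE NOT FOUND\t
3\t10:02:11\tcmd.exe\tC:\\Tools\\report.exe\tSUCCESS\tAttributes: A
4\t10:02:12\treport.exe\tC:\\Tools\\report.ini\tNO SUCH FILE\t
7\t10:02:12\treport.exe\tC:\\Tools\\data.bin\tSUCCESS\tOffset: 0 Length: 4096
"""

def parse_trace(text):
    """Parse a saved trace into dicts with an integer sequence number."""
    rows = csv.DictReader(io.StringIO(text), fieldnames=FIELDS,
                          delimiter="\t", quoting=csv.QUOTE_NONE)
    return [dict(r, seq=int(r["seq"])) for r in rows]

def sequence_gaps(records):
    """Return (last_seen, next_seen) pairs where records were dropped."""
    seqs = [r["seq"] for r in records]
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]

def _key(r):
    # Same process looking for the same file name, in any directory.
    return (r["process"].lower(), ntpath.basename(r["path"]).lower())

def unresolved_misses(records):
    """Misses not followed by a SUCCESS for the same file name by the same
    process. A later SUCCESS means the miss was part of a directory search."""
    last_ok = {}
    for r in records:
        if r["result"] == "SUCCESS":
            last_ok[_key(r)] = r["seq"]
    return [r for r in records
            if r["result"] in MISS and last_ok.get(_key(r), -1) < r["seq"]]

if __name__ == "__main__":
    recs = parse_trace(SAMPLE)
    for a, b in sequence_gaps(recs):
        print(f"trace incomplete: records between {a} and {b} were dropped")
    for r in unresolved_misses(recs):
        print(f"{r['process']} never found {r['path']} ({r['result']})")
```

A non-empty gap list means the trace cannot be treated as a complete record of file activity for that interval, so an absent access proves nothing there.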

Filemon's Other field displays information specific to different file system requests. For read and write operations, Filemon informs you of the offset into the file that an application read from or wrote to and the length of the access. Lock requests show you the range of the file an application locks, and file attributes print for requests that query or set a file's attributes.

Filemon has powerful advanced filtering capabilities. You can configure filters so that Filemon logs only the accesses that particular processes make or only the accesses that refer to specific files or directories. You can use Filemon filtering to isolate file system activity that is related to files or applications you're troubleshooting or learning about. When you use Filemon, you might be surprised to discover the presence of applications on your system that constantly perform file I/O. One example is antivirus programs that check their virus definition files one or more times per second for new information. Filemon remembers filters across executions, so you can tell Filemon to ignore monotonous background activity, such as antivirus-program polling.



 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement