how to create a file sytem monitor to catch every change made to a file

Question

I want to create a file system monitor which will notify whenever a change is made to any file on the file system, especially a write, new file creation or rename.

I have done research, and found stuff like FindFirstChangeNotification function, pyinotify

How to access the log and use it to do the above?

Any file change will be then used by the software for further calculations, how to go about?

Platform : Windows(priority), Linux

This is way too broad. Those two platforms are totally different. What you need to do is write a driver. — David Heffernan, Mar 13 '13 at 21:21
can you please give me a way to do it only for windows....jus the way to go about it — user2167337, Mar 13 '13 at 21:23
You need to write a driver. First step is to learn about that. — David Heffernan, Mar 13 '13 at 21:25
Not really. That will allow you to watch a single folder. And it's not robust. You won't pick up all modifications. You can't expect to watch all folders. — David Heffernan, Mar 13 '13 at 21:35

jleahy · Answer 1 · 2013-03-13T21:46:25.367

2

You should have a look at watchdog, it's a python library for monitoring file systems and works on both Linux and Windows.

import time from watchdog.observers import Observer from watchdog.events import LoggingEventHandler

if __name__ == "__main__":
    event_handler = LoggingEventHandler()
    observer = Observer()
    # you may need to use path='c:\' for windows below
    observer.schedule(event_handler, path='/', recursive=True)
    observer.start()
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        observer.stop()
    observer.join()

You would want to replace LoggingEventHandler with your own class which derives from FileSystemEventHandler, implementing on_created, on_modified, etc.

Finally please note that watching every file on the entire system may lead you into scalability issues. You'd be better to try and narrow down what you want to monitor.

edited Mar 13 '13 at 21:46

answered Mar 13 '13 at 21:30

jleahy

14,060
5
41
63

I can't imagine that could observe every single file system event across an entire system. Or could it? – David Heffernan Mar 13 '13 at 21:37
It can, if you set path='/' and recursive=True it'll do just that. Internally it's recursively walking the whole filesystem and setting a monitor up for each file and directory. When new files and directories are created it detects this and adds more monitors. – jleahy Mar 13 '13 at 21:39
I can't believe that would be viable. A separate monitor for every object in the file system. – David Heffernan Mar 13 '13 at 21:40
It's non-ideal, but very much workable. The scalability issues are discussed in detail here: http://stackoverflow.com/questions/535768/what-is-a-reasonable-amount-of-inotify-watches-with-linux – jleahy Mar 13 '13 at 21:44
Not sure I would call that workable at all. In comparison to the trivial overhead of a filter at the driver level. – David Heffernan Mar 13 '13 at 21:47
1

If it works for his application, I'd say that's *far* more trivial than writing a driver. – Kirk Strauser Mar 13 '13 at 22:03
I agree with David Hefferman, no application/library that works in user mode could not things that kernel mode drivers do. – Xearinox Mar 13 '13 at 22:04
Also from watchdog doc I assume for Windows use ReadDirectoryChanges wrapper. So many notifications from AV soft or malware will be hidden. – Xearinox Mar 13 '13 at 22:09

how to create a file sytem monitor to catch every change made to a file

1 Answers1