1. 函数FindFirstChangeNotification和FindNextChangeNotification
2. 系统核心工具软件,比如FileMon(文件监视),开放源代码
3. Hook API,钩住CreateFile函数,分析其参数,借此来判断是创建文件还是读写文件;钩住DeleteFile函数,监视文件删除操作;钩住CreateDirectory和RemoveDirectory,借此判断是否是删除文件;钩住回收站相关函数,借此判断是否是移动到回收站。
FindFirstChangeNotification Function
Creates a change notification handle and sets up initial change notification filter conditions. A wait on a notification handle succeeds when a change matching the filter conditions occurs in the specified directory or subtree. The function does not report changes to the specified directory itself.
This function does not indicate the change that satisfied the wait condition. To retrieve information about the specific change as part of the notification, use the ReadDirectoryChangesW function.
HANDLE WINAPI FindFirstChangeNotification(
__in LPCTSTR lpPathName,
__in BOOL bWatchSubtree,
__in DWORD dwNotifyFilter
The path of the directory to be watched.
In the ANSI version of this function, the name is limited to MAX_PATH characters. To extend this limit to 32,767 wide characters, call the Unicode version of the function and prepend "\\?\" to the path. For more information, see Naming a File.
If this parameter is TRUE, the function monitors the directory tree rooted at the specified directory; if it is FALSE, it monitors only the specified directory.
The filter conditions that satisfy a change notification wait. This parameter can be one or more of the following values.
ReadDirectoryChangesW Function
Retrieves information that describes the changes within the specified directory. The function does not report changes to the specified directory itself.
To track changes on a volume, see change journals.
BOOL WINAPI ReadDirectoryChangesW(
__in HANDLE hDirectory,
__out LPVOID lpBuffer,
__in DWORD nBufferLength,
__in BOOL bWatchSubtree,
__in DWORD dwNotifyFilter,
__out_opt LPDWORD lpBytesReturned,
__inout_opt LPOVERLAPPED lpOverlapped,
hDirectory [in]
A handle to the directory to be monitored. This directory must be opened with the FILE_LIST_DIRECTORY access right.
lpBuffer [out]
A pointer to the DWORD-aligned formatted buffer in which the read results are to be returned. The structure of this buffer is defined by the FILE_NOTIFY_INFORMATION structure. This buffer is filled either synchronously or asynchronously, depending on how the directory is opened and what value is given to the lpOverlapped parameter. For more information, see the Remarks section.
nBufferLength [in]
The size of the buffer that is pointed to by the lpBuffer parameter, in bytes.
bWatchSubtree [in]
If this parameter is TRUE, the function monitors the directory tree rooted at the specified directory. If this parameter is FALSE, the function monitors only the directory specified by the hDirectory parameter.
dwNotifyFilter [in]
The filter criteria that the function checks to determine if the wait operation has completed. This parameter can be one or more of the following values.
lpBytesReturned [out, optional]
For synchronous calls, this parameter receives the number of bytes transferred into the lpBuffer parameter. For asynchronous calls, this parameter is undefined. You must use an asynchronous notification technique to retrieve the number of bytes transferred.
lpOverlapped [in, out, optional]
A pointer to an OVERLAPPED structure that supplies data to be used during asynchronous operation. Otherwise, this value is NULL. The Offset and OffsetHigh members of this structure are not used.
lpCompletionRoutine [in, optional]
A pointer to a completion routine to be called when the operation has been completed or canceled and the calling thread is in an alertable wait state. For more information about this completion routine, see FileIOCompletionRoutine.
下面的示例创建一个 FileSystemWatcher,以便在运行时监视指定的目录。组件设置为监视 LastWrite 和 LastAccess 时间方面的更改,以及目录中文本文件的创建、删除或重命名。如果更改、创建或删除文件,文件路径将被输出到控制台。在文件重命名后,旧路径和新路径都输出到控制台。在此示例中使用 System.Diagnostics 和 System.IO 命名空间。
public ref class Watcher { private: // Define the event handlers. static void OnChanged( Object^ /*source*/, FileSystemEventArgs^ e ) { // Specify what is done when a file is changed, created, or deleted. Console::WriteLine( "File: {0} {1}", e->FullPath, e->ChangeType ); } static void OnRenamed( Object^ /*source*/, RenamedEventArgs^ e ) { // Specify what is done when a file is renamed. Console::WriteLine( "File: {0} renamed to {1}", e->OldFullPath, e->FullPath ); } public: [PermissionSet(SecurityAction::Demand, Name="FullTrust")] int static run() { array<String^>^args = System::Environment::GetCommandLineArgs(); // If a directory is not specified, exit program. if ( args->Length != 2 ) { // Display the proper way to call the program. Console::WriteLine( "Usage: Watcher.exe (directory)" ); return 0; } // Create a new FileSystemWatcher and set its properties. FileSystemWatcher^ watcher = gcnew FileSystemWatcher; watcher->Path = args[ 1 ]; /* Watch for changes in LastAccess and LastWrite times, and the renaming of files or directories. */ watcher->NotifyFilter = static_cast<NotifyFilters>(NotifyFilters::LastAccess | NotifyFilters::LastWrite | NotifyFilters::FileName | NotifyFilters::DirectoryName); // Only watch text files. watcher->Filter = "*.txt"; // Add event handlers. watcher->Changed += gcnew FileSystemEventHandler( Watcher::OnChanged ); watcher->Created += gcnew FileSystemEventHandler( Watcher::OnChanged ); watcher->Deleted += gcnew FileSystemEventHandler( Watcher::OnChanged ); watcher->Renamed += gcnew RenamedEventHandler( Watcher::OnRenamed ); // Begin watching. watcher->EnableRaisingEvents = true; // Wait for the user to quit the program. Console::WriteLine( "Press \'q\' to quit the sample." ); while ( Console::Read() != 'q' ) ; } }; int main() { Watcher::run(); }FileSyncProvider是同步的同步提供程序,它可用于同步 NTFS、FAT 或 SMB 文件系统中的文件、文件夹和子文件夹。详细参见MSDNhttp://msdn.microsoft.com/zh-cn/library/microsoft.synchronization.files.filesyncprovider(v=SQL.100).aspx