I use hits filters:
session.EnableKernelProvider(KernelTraceEventParser.Keywords.DiskFileIO |
KernelTraceEventParser.Keywords.FileIOInit |
KernelTraceEventParser.Keywords.FileIO);
I subscribe on DiskIORead and FileIORead events.
If I open the file through notepad, then the event does not occur.
However, if I open the file through notepad ++, then this happens.
UPD:
Full Code:
class Program
{
static void Main(string[] args)
{
using(var session=new TraceEventSession("Test"))
{
session.EnableKernelProvider(KernelTraceEventParser.Keywords.DiskFileIO |
KernelTraceEventParser.Keywords.FileIOInit |
KernelTraceEventParser.Keywords.FileIO);
session.Source.Kernel.FileIORead += Kernel_FileIORead;
session.Source.Kernel.DiskIORead += Kernel_DiskIORead;
session.Source.Process();
}
}
private static void Kernel_FileIORead(Microsoft.Diagnostics.Tracing.Parsers.Kernel.FileIOReadWriteTraceData obj)
{
if (obj.FileName.ToUpper().StartsWith(@"E"))
{
Console.WriteLine("2:" + obj.FileName);
}
}
private static void Kernel_DiskIORead(Microsoft.Diagnostics.Tracing.Parsers.Kernel.DiskIOTraceData obj)
{
if (obj.FileName.ToUpper().StartsWith(@"E"))
{
Console.WriteLine("2:"+obj.FileName);
}
}
}
I use Windows 10.
Add Source for FileIOQueryInfo like this
session.Source.Kernel.FileIOQueryInfo += Kernel_FileIOQuery;
Event Handler
private static void Kernel_FileIOQuery(FileIOInfoTraceData obj)
{
if (obj.FileName.ToUpper().StartsWith(@"E"))
{
Console.WriteLine("queryInfo:" + obj.FileName);
}
}
Note: Issue replicated by partitioning E:\
Tested it by opening a txt file in E:\ via notepad, wordpad.
Tested it by opening a word file in E:\ drive via MSWord
PS
If you want to filter by process then you can use obj.ProcessName == "notepad"
References
Highly Recommend going through this doc from GIT