NT4.0 Migration to Windows 2003: Using DiskMon

偷瓜的贼

DISKMON
1.1        Introduction
DiskMon is an application that logs and displays all hard disk activity on a Windows system.  Additionally, Diskmon monitors and displays all hard disk activity on a system in real time.
You can also minimize DiskMon to your system tray where it acts as a disk light, presenting a green icon when there is disk-read activity and a red icon when there is disk-write activity.  
Diskmon works on Windows 2000 and higher.  If you are running Windows NT 4 download a version of Diskmon for that operating system from Sysinternals.
1.1.1           System Requirements
DiskMon works on NT 4.0 and higher.  
1.2        Installation and Use
　　Install DiskMon by unzipping it and type diskmon.
　　·         On Windows NT, the GUI dynamically loads the driver (based on code from the instdrv sample in the Windows NT DDK), which begins monitoring all hard drives.
　　·         On Windows 2000 and higher there is no driver component: the GUI relies on kernel event tracing to obtain disk activity.  The menus and toolbar buttons can be used to disable event capturing, control the scrolling of the listview, and to save the listview contents to an ASCII file.  
To have DiskMon function as a disk light in your system tray, select the Options > Minimize to Tray menu item, or start DiskMon with a "/l" (lower-case L) command-line switch e.g.  diskmon /l.  When Diskmon detects disk reads, it will present a green disk light; when it detects disk writes, it presents a red disk light.  Note: Diskmon does not capture output to its window while it is in the tray.  To re-enable the Diskmon window double-click on the Diskmon tray disk light.
　　To create a shortcut to Diskmon in the tray create a shortcut in your Program Files\Startup folder, edit the properties of the shortcut and set the Target to point at the executable with the path in quotations and the switch outside the quotes:
"C:\Sysinternals Tools\Diskmon.exe" /l


　　Read and write offsets are presented in terms of sectors (512 bytes).  Events can be either timed for their duration (in microseconds), or stamped with the absolute time that they were initiated.  The History Depth dialog can be used to specify the maximum number of records that will be kept in the GUI (0 signifies no limit).  
1.2.1           Windows NT 4 Implementation
　　Using standard filtering techniques it is not possible for a dynamically loaded driver like DiskMon to attach to hard disk device objects and see requests originating in file systems.  This is because file system drivers open disk devices during system initialization and, unlike the I/O Manager, file system drivers send IRPs directly at these devices.  The I/O Manager allows for file system filter drivers to attach to file system devices after initialization because it checks for attached devices whenever it is going to send an Irp to a file system, and will direct the Irps to them instead.  
　　DiskMon overcomes this limitation by driver function interception.  DiskMon locates a disk device's driver object and replaces the driver's dispatch entry points with its own.  The DiskMon filter functions pass Irps it sees onto the hooked driver, and also intercepts completion routines in a similar way so that it can see the results of requests.  
1.2.2           Windows 2000 and Higher Implementation
On Windows 2000 and higher Diskmon uses kernel event tracing.  Event tracing is documented in the Microsoft Platform SDK and the SDK contains source code to TraceDmp, on which Diskmon is based.  
1.3        Using Diskmon
In Diskmon menus, hot-keys, or toolbar buttons can be used to clear the window, save the monitored data to a file, and to search output.  
As events are printed to the output, they are tagged with a sequence number.  If Diskmon’s internal buffers are overflowed during extremely heavy activity, this will be reflected with gaps in the sequence numbers.
Each time you exit Diskmon, it remembers the position of the window and the widths of the output columns.
1.3.1           Limiting Output
The History Depth entry in the History dialog allows you to specify the maximum number of lines that will be remembered in the output window.  A depth of 0 is used to signify no limit.
1.3.2           Searching the Output
You can search the output window for strings using the Find menu item (or the find toolbar button).  Once you have opened a Find dialog and clicked FindNext, you can repeat the search by pressing .
To start a search at a particular line in the output, select the desired line by clicking on the far left column (the index number).  If no line is selected a new search starts at the first entry in searching down, and at the last entry for searching up.
1.4        DiskMon download site
　　Download Diskmon for Windows NT 4 (44 KB)
Download Diskmon for Windows 2000/XP/2K3 (55 KB)