Skip to content

Instantly share code, notes, and snippets.

@lundman

lundman/Win FS events monitoring

Last active June 6, 2023 06:06
Show Gist options
  • Save lundman/8602b4e2f9b090e8c6abc0a3b98e4ef9 to your computer and use it in GitHub Desktop.
Save lundman/8602b4e2f9b090e8c6abc0a3b98e4ef9 to your computer and use it in GitHub Desktop.
Download ZIP
Monitoring filesystem events/changes with powershell
Raw
Win FS events monitoring
* Load PowerShell
PS C:\WINDOWS\system32>
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.IncludeSubdirectories = $true
$watcher.Path = 'E:\'
$watcher.EnableRaisingEvents = $true
$action =
{
$path = $event.SourceEventArgs.FullPath
$old = $event.SourceEventArgs.OldFullPath
$changetype = $event.SourceEventArgs.ChangeType
Write-Host "$path (from $old) was $changetype at $(get-date)"
}
Register-ObjectEvent $watcher 'Created' -Action $action
Register-ObjectEvent $watcher 'Changed' -Action $action
Register-ObjectEvent $watcher 'Deleted' -Action $action
Register-ObjectEvent $watcher 'Disposed' -Action $action
Register-ObjectEvent $watcher 'Error' -Action $action
Register-ObjectEvent $watcher 'Renamed' -Action $action
PS C:\WINDOWS\system32> E:\New folder was Created at 06/04/2023 10:18:32
E:\hello was Renamed at 06/04/2023 10:18:37
E:\$RECYCLE.BIN\S-1-5-21-1520132008-866194556-2240766328-1002\$I6SREUD was Created at 06/04/2023 10:18:51
E:\$RECYCLE.BIN\S-1-5-21-1520132008-866194556-2240766328-1002\$I6SREUD was Changed at 06/04/2023 10:18:51
E:\$RECYCLE.BIN\S-1-5-21-1520132008-866194556-2240766328-1002 was Changed at 06/04/2023 10:18:51
E:\hello was Deleted at 06/04/2023 10:18:51
E:\$RECYCLE.BIN\S-1-5-21-1520132008-866194556-2240766328-1002\$R6SREUD was Created at 06/04/2023 10:18:51
E:\$RECYCLE.BIN\S-1-5-21-1520132008-866194556-2240766328-1002 was Changed at 06/04/2023 10:18:51
Download file with chrome, to
* ntfs:
E:\OpenZFSOnWindows-debug-2.1.7rc3-dirty.exe was Created at 06/04/2023 10:20:57
E:\OpenZFSOnWindows-debug-2.1.7rc3-dirty.exe was Deleted at 06/04/2023 10:20:57
E:\Unconfirmed 674412.crdownload was Created at 06/04/2023 10:20:57
E:\Unconfirmed 674412.crdownload was Changed at 06/04/2023 10:20:57
E:\Unconfirmed 674412.crdownload was Changed at 06/04/2023 10:20:59
E:\OpenZFSOnWindows-debug-2.1.7rc3-dirty.exe was Renamed at 06/04/2023 10:21:02
E:\OpenZFSOnWindows-debug-2.1.7rc3-dirty.exe was Changed at 06/04/2023 10:21:04
E:\OpenZFSOnWindows-debug-2.1.7rc3-dirty.exe was Changed at 06/04/2023 10:21:04
E:\OpenZFSOnWindows-debug-2.1.7rc3-dirty.exe was Changed at 06/04/2023 10:21:04
* zfs:
(from ) was at 06/04/2023 10:47:54
(from ) was at 06/04/2023 10:47:54
(from ) was at 06/04/2023 10:47:54
E:\OpenZFSOnWindows-debug-2.1.7rc3-dirty.exe (from ) was Created at 06/04/2023 10:47:55
(from ) was at 06/04/2023 10:47:55
(from ) was at 06/04/2023 10:47:55
(from ) was at 06/04/2023 10:47:55
(from ) was at 06/04/2023 10:47:55
(from ) was at 06/04/2023 10:47:55
(from ) was at 06/04/2023 10:47:55
(from ) was at 06/04/2023 10:47:56
(from ) was at 06/04/2023 10:47:57
(from ) was at 06/04/2023 10:47:57
(from ) was at 06/04/2023 10:47:57
(from ) was at 06/04/2023 10:47:57
(from ) was at 06/04/2023 10:47:58
E:\Unconfirmed 617858.crdownload (from ) was Created at 06/04/2023 10:47:58
(from ) was at 06/04/2023 10:47:58
(from ) was at 06/04/2023 10:47:58
(from ) was at 06/04/2023 10:47:58
(from ) was at 06/04/2023 10:47:58
(from ) was at 06/04/2023 10:48:00
(from ) was at 06/04/2023 10:48:00
(from ) was at 06/04/2023 10:48:01
(from ) was at 06/04/2023 10:48:01
E:\OpenZFSOnWindows-debug-2.1.7rc3-dirty.exe (from E:\Unconfirmed 617858.crdownload) was Renamed at 06/04/2023 10:48:01
(from ) was at 06/04/2023 10:48:01
(from ) was at 06/04/2023 10:48:01
(from ) was at 06/04/2023 10:48:01
(from ) was at 06/04/2023 10:48:02
(from ) was at 06/04/2023 10:48:02
(from ) was at 06/04/2023 10:48:03
(from ) was at 06/04/2023 10:48:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment