FileSpy Syntax

filespy

Where:

/a drive

Attaches monitor to drive, where <drive> is a valid drive letter in the system (for example, C:).

/d drive

Detaches monitor from drive, where drive is a valid drive letter in the system (for example, C:) that the monitor has previously attached to.
note-icon

Note

The monitor may not truly detach from the device when it receives the /d command because a filter driver can only detach from a device when it can guarantee that it is on the top of the I/O stack. This will only going to occur when the filter driver receives the detach command from the I/O Manager. When the user application tells the kernel driver to detach from a device, the kernel monitor stops logging the data for that device. Also note that shutting down the user application does not cause the kernel monitor to detach from all the drives. The kernel driver will stop logging the I/O operations that it is seeing, but if the user restarts the user application, the kernel monitor will continue logging to the devices that it was attached to when the user application last stopped. The kernel driver will only reset these attachments to system devices when the system is restarted.

/h

lists statistics on hash table used to store file names.

/l

lists all the drives that the kernel driver is monitoring.

/s

toggles on and off showing the logging output to the screen. When the application is started, the default behavior is to show logging output to the screen.

/f [filename]

toggles on and off writing the logging output to a file. If issuing the /f command will toggle on writing output to a file, the required <filename> specifies the output file name. If the /f command will toggle off the writing output to a file, the <filename> is ignored and not required. By default, the logging output is not stored to a file.

go|g

exits the user from command mode and will allow the user application to show logging output on the screen again if the program is set to do so.

Exit

shuts down the user application.