On Jun 17, 2004, at 14:15, Krishna Monian wrote:

> Hi All,
>
> Is it possible to write some sort of kernel mode app that hooks on to all file system calls / IO calls and logs all of these?

Not really. Since the source is available, you can always hack away to your heart's content, but this kind of approach really isn't going to work in the long run. In addition, it only works on your system (or on those belonging to people you can con into running your kernel :-}).

> I took a look at the File Alteration Monitor (FAM) but that doesn't achieve this completely. It doesn't log file reads.
>
> I am basically trying to write a utility that will log every file that is accessed (read / write) in a particular directory in the system. What would be the best way to go about doing this? Is a kernel hook the only way? Is there anything that has already been done along these lines (quite sure it has)?

The only way to do this is with some kind of kernel assistance. Hacking into dispatch tables won't, in all likelihood, survive new releases of the kernel, though. This approach is frowned on.

I'd suggest, as someone already has, looking at ktrace, or perhaps, fs_usage. The source for both is available. This is a polling type of interface, though, so you need to apply it with some care and forethought. There is no notification mechanism for file access.

Regards,

Justin

--
Justin C. Walker, Curmudgeon-At-Large
Institute for General Semantics
Men are from Earth. Women are from Earth. Deal with it.