I am developing a "dynamic shortcutting" application which creates special shortcut files which point to a registry entry rather than an actual file/executable. The registry entry contains the path of the desired file. I want to have a daemon running which watches the linked-to files and updates their registry entries if they are moved or renamed. Renamed I can handle using System.IO.FileSystemWatcher, but what is the best way to handle moved files?
I know this is beyond the basic functions of FSW (despite being a low-level file-system operation). The question is, what is the best way of doing it?
Most posts/articles I have read suggest ways that feel altogether "hacky", which basically involve looking for a delete followed by a create in a new place of a file, and connecting the two by file size, meta-data, time between the delete/create triggers, hashes, etc. This may well be the method I have to resort to, setting up FSWs on all drives. However, I am hoping there might be a better way.
Is it possible to either:
2.1. Listen in to the shell and "hear" move operations?
2.2 Or (even more radical) replace or add something to the shell move operation that either triggers some sort of event or performs the registry-updating task itself, precluding the need for the daemon?
I have a feeling that everyone is going to tell me that 1. is the only course, but I look forward to your suggestions. (answers in VB.NET preferred, but can translate from C# if necessary).
[I'm not sure if this should be appended as an "update" to my original post or posted as a separate answer]
To sum up (all two of) the answers plus my own experimenting (to try to give a definitive answer to this question):
It seems the only high-level (.NET) solution is to use the FileSystemWatcher which does not detect "move" out-of-the-box (despite it being a low-level command). The FSW approach is non-trivial, comparably resource-expensive, sloppy in places (i.e. using timers) and has its limitations and caveats. Nor does it provide a true reflection of "move" - it merely infers it from symptoms that are very likely to be a move (and have the same effect on the file-system in any case) but could theoretically be produced by non-move actions. Also, it appears you have to know what files you want to watch for moves in advance of the move happening, there's no-way of telling as it occurs.
On a lower-level (which would involve C++), one could hook API calls to get a faithful picture of when "moves" are called. This has the advantage that you don't have to decide to watch files in advance, and is also less resource-expensive than listening to "deletes" and "creates" and trying to compare them.
On a systems-programming level (which would involve C++ and could easily break your computer if you didn't know what you were doing) one could build a filesystem filter driver: this would take the concept of detecting moves to a truly anal level, detecting re-allocation of filesystem resources performed even without the kernel.
After some experimenting, here is the general structure of how the FileSystemWatcher approach (or at least the most obvious one to me) works, its quirks and its limitations. [no code atm, it's all pretty integrated into my application and I'm yet to optimise it, but I might add some snippets in here later].
The FileSystemWatcher method (to detect when files are moved or renamed):
.1. FileSystemWatchers.
You will need to create one FSW for each highest-level directory you want to monitor (for example, one for each writable logical drive).
.2. Renamed.
Straightforward renaming of the file is trivially handled.
.3. Moved.
This part is very far from trivial; it basically involves comparing files in three different scenarios.
3.0.1. Deciding if a deleted/moved-from file is the same as a created/moved-to file.
For determining whether a deleted and a created file are a match, filename is useless (can be changed during a move). You could use a mixture of file size and attributes like time created, or even a hash of the entire file. In my particular solution I only needed to watch the movement of specific files "registered" before load-time, so I was able to give these files a unique fingerprint as metadata that I could then use to compare files (this works fine in real-world scenarios, but is easy to break maliciously in testing, which disappoints me as a perfectionist.)
3.0.1.1. When to read filesize/attributes/take hash?
Before I came up with the static fingerprint idea, I was testing my code with a simple filesize + creation date validation check. I quickly realised though that I had to have a note of the filesize and creation date (or hash or whatever else you want to use) of the deleted file BEFORE it signals as "deleted", because you can't check the size of a file that doesn't exist. If (like me) you know the files you want to watch in advance, then you need to read in those values before you enable the FileSystemWatchers; you also need to listen for "change" events on those files to update the values of filesize and creation date, take a new hash etc. This then begs the question: what do you do if you DON'T know what files you are interested in watching to see if they move? What if you only know you are possibly interested in knowing if they've moved when they "delete"? That, unfortunately, is beyond me (it wasn't something I had to deal with.) Unless you can come up with a solution to this problem, there is zero point in continuing with the FileSystemWatcher approach. Furthermore, I would conjecture (though could very easily be wrong) that there is no high-level solution that will meet your needs. If you do however come up with a solution (please post it below/comment on this post/edit it in here on this post), I have made the rest of this compatible.
3.1. Scenario 1: Direct moving of the file itself.
Upon the "delete" of a specific file being detected, you need to start listening for a "create" of a congruous file. Rather than listening indefinitely for the matching "create" of a file that might just have been deleted (which in reality involves inspecting every file created in the directory), you can use a timer to start and stop a "listening" flag (practical, but from a purist point of view a little arbitrary), deciding that after e.g. 1000ms with no appropriately matching create it's likely there won't be one.
3.2.0. A common misconception.
A lot of people seem to be under the impression, after glancing at the docs, that moving or renaming a folder triggers a rename for all their subfiles and subfolders rather than a delete and a create. In actual fact what the docs say is:
If you cut and paste a folder with files into a folder being watched, the FileSystemWatcher object reports only the folder as new, but not its contents because they are essentially only renamed.
(i.e. only the top folder throws rename or create/delete and the subfiles/subfolders throw NOTHING). Meaning if you want to know when and where a certain file is moved, you have to listen out for each and every of its ascendent folders as well.
3.2.1. Scenario 2: Renaming of a containing folder.
In my solution, because I knew all the files I was watching, whenever one of my FileSystemWatchers reported a rename of a folder rather than a file (the portion of the string after the last "/" will contain no ".") I checked each of my watched files to see if their paths were in that directory and if so, changed the beginning of the filepath to the path of the new directory et voila!, I knew where my files had been moved to. If you do not now in advance what files you are looking for, then you will have to recursively search through everything in every folder that throws a "rename".
3.2.2. Scenario 3: Moving of a containing folder.
This one feels like a slap in the face: in order to build your move-detection routine, you have to be able to detect moves. Here folders will throw a "delete" followed by a "create". In my case the solution just recycles the techniques in 3.1 and 3.2.1: when a folder "delete" is detected, I check to see if it contains any of my watched files. If it does, I set a "listen" flag (and a timer to snuff it) and check the subdirectory path of my file in the old folder against every new folder "create" that is detected to see if it points to a file with the desired fingerprint. If it does, I now have the old and new paths of the file and have detected the move. If you don't know what files to watch for, you may have to validate folder moves by comparing size on disk and number of subfiles/subfolders between "deleted" folder and "created" folders to confirm a folder has moved first, then search the folder recursively for the files you're interested in.
3.3. FURTHER COMPLICATION: Cross-drive moving of large files.
This is a problem I fortunately didn't run into (because I was only comparing fingerprint metadata, and didn't need access to files); however moving large files between drives (which transfer in stages, triggering a create event then a series of change events) can cause real headaches.
3.3.1. Headache 1: The "create" fires when the destination file is incomplete.
This means comparing its size to a "deleted" file will produce a false negative. You can't even take a hash of the first part of the file to indicate to your program that this "might" be the deleted file, because the move operation will have the file access permissions locked down. You just have to try and tell if the created file might still be moving and wait for it to finish.
3.3.2. Headache 2: No sure way to "tell" that the created file is still being moved.
Some have suggested checking the file access permissions on the created file, but they might be indistinguishable from those on a file created and still in use by any random application. Others have suggested setting short time-limited listen flags for "changes" on the file, but again this is indistinguishable from a file being modified by an application. In fact if the file happened to be a log file constantly and rapidly being updated by some process, then waiting for "changes" to the file to timeout might never end.
3.3.3. Headache 3: (UNTESTED) possibly these sort of moves "delete" the file after "creating" the destination file*.
It makes sense that this would be the case, though I haven't tested it. [if anyone does know, feel free to edit (or delete) this section appropriately]
3.4. A philosophical quandry: are two identical files the same?
This is a very pedantic and arbitrary thought-experiment, but say you have two drives, each with an identical copy of File.txt. You run a batch file that deletes the copy on the first drive then immediately makes a copy of the file on the second drive into the same folder on the second drive and names it Copy of File.txt. Unless you are using fingerprints, your code will identify a delete and then a create of an identical file and be unable to distinguish what happened from a move (with renaming) of the file from the first drive to the second. The final state of the filesystem is identical in both cases so it shouldn't cause your application to behave unexpectedly, but art thou really content to call that a "move" based purely on isomorphism? (especially when you know the kernel sees it differently)?
Using high-level unrestricted api provided by C# - no, you cant. Use FileSystemWatcher.. On same drive operation of moving file is not "delete and create" - it's "rename".
If you can/want to go into lower-level, then you can hook MoveItem and MoveItems of IFileOperation shell's interface, and MoveFile from Kernel32.dll... It will work with most of apps, but require expansion for security rights for your application, that mostly unacceptable in corporative environment..
The task has two flaws that make it hard to implement: (a) move operation across the disks is actually a sequence of read/write operations followed by deletion rather than move. And during those read/write operations there can be some transformation of data in place ; and (b) moving can be performed not by just a shell.
What you can do is employ a filesystem filter driver to intercept file operations right when they take place. Then you need to detect the sequence of read and write operations performed by the same process over your file. I.e. if your code detects, that the file is read sequentially (NOTE: some copying tools can read the file in multiple threads in parallel) and then write similar blocks of data to the other file AND after reading everything the source file is deleted AND the complete file contents have been written to the other place, then you can guess that you have come over file move operation.
Bump & update: This may well be against the rules of StackOverflow, but I would like to point out to the many people landing on this page (and the myriad similar questions on SO) that I have started a feature request on MicroSoft UserVoice to add MOVE detection to FileSystemWatcher. The best solution in the long term, rather than trying to work around the problem, might be to petition MicroSoft to fix it. If you have come here because you too need a solution to this problem, please consider clicking here and voting for this feature.
I'am working on my small project: Crypt container. To unlock it - just plug-in specifig usb flash-drive and unplug it to lock container.
So, GUI of program is very simple - just ListView. If you want to add files into continer - drag'n'drop items to them.
But i have a problem - when user want to decrypt his file, he drag them in container and drop to desktop (or specific folder). And my task is to know, where user wants to put a file. If he drag file to folder - i should unpack it to folder, if he drag it to flash-drive - i should unpuck it to flash-drive.
Yes, i found one solution of my problem: http://www.codeproject.com/KB/files/DragNDrop.aspx , but i realy not understand that mechanism with tempDirectoryWatcher and Hashtables.
Maybe somebody know easy way to get path to object (folder, drive, etc.) under cursor?
Your data object should expose FILEGROUPDESCRIPTOR and FILECONTENTS. The user might drop onto something other than a folder, like an email message, or into a virtual folder like an FTP site or a ZIP folder
I have a task to save versions of documents for specified directory and look for changes.
before each change i need to keep the CURRENT version of the file in other place.
but the filesystemWatcher doesnt help me here because its events is after the change...
what should i do ?
You'd want to snapshot the target directories before watching them, like when your service starts up or something, that way when the file change comes through you have the base to compare to.
I want to detect every filechanges on a specific folder (except data changes). I decided to use System.IO.FileSystemWatcher to manage that.
//
// fileSysWatchFile
//
this.fileSysWatchFile.EnableRaisingEvents = true;
this.fileSysWatchFile.IncludeSubdirectories = true;
this.fileSysWatchFile.NotifyFilter = System.IO.NotifyFilters.FileName;
this.fileSysWatchFile.SynchronizingObject = this;
this.fileSysWatchFile.Created += new System.IO.FileSystemEventHandler(this.fileSysWatchFile_Created);
this.fileSysWatchFile.Deleted += new System.IO.FileSystemEventHandler(this.fileSysWatchFile_Deleted);
this.fileSysWatchFile.Renamed += new System.IO.RenamedEventHandler(this.fileSysWatchFile_Renamed);
As far as good... New files are detected. File deletes are detected. File renames are detected.
When I move a file to a subfolder it detects first a file delete and then a new file create.
I'd expect that a move is the same as a rename except the path. Seems that it isn't. Can I detect file moves in a save way?
By the way... I only want to detect file changes and not directory changes.
Edit:
Additional Info why I have to detect moves and can't live with delete, create:
I want to replay the same changes on an other drive. If I get a delete first, I delete the shadow file. Then I get the create file event and the original file is already lost :-(.
So I have a drive A which is the watched drive...
And a drive B which has files with the same filenames.
All file changes exept data changes should be replayed on drive B.
The File delete / File create functionality is what is behind a file move. It's similar to rename if you are just moving a file from a folder to a folder, but what about if moving a file from one disk to another, or moving a file between machines?
And, If I'm watching a specified folder, as long as the file is not there, it might as well have been deleted :)
If you are sure that you want to catch file moved "events" (from a watched folder to a watched subfolder), I would maintain a list of recently deleted files, and upon every file created event, check if the file is it that list, indicating a de facto file move.
You can use file system filter driver to track file rename operation. Actually, FS Filter is better approach, than FileSystemWatcher. FileSystemWatcher doesn't provide reliability and flexibility for certain cases (you can see the number of questions regarding FileSystemWatcher and it's glitches and limitations).
FS Filter lets you track the requests as soon as they reach the file system.
You can write your own filter driver, or use our CallbackFilter product.
It's not a real solution of the problem, but I managed to have a quick and dirty solution:
First I am buffering all events for a while (tested with 100ms but we will see how fast it can go).
If a event is 100ms in the buffer I check if there is a depending other event also in there. So for Delete I search all creates and for create I search all deletes.
If I find one I replace the two events with only one move event.
There are some riscs with this workarround:
1.) I can't say what comes first, delete or create. Seems that this is every time different
2.) If the delay is to short, the file is deleted and lost :-(
But as long as I have no better solution I have to live with this.
I'm trying to monitor a folder using C# and FileSystemWatcher. everything works well, except the fact that i can delete the folder i'm actually watching
I used to do this in C using ReadDirectoryChangesW, by creating a handle to the folder, and locking it, which prevented delete or rename from the user to that folder (i'm talking about the actual monitored folder, not it's contents)
Is there any way to lock that folder so people don't delete it while it's being watched?
(note that I don't want to change permissions to the folder because it might be on a FAT32 partition/usb drive/etc , which doesn't support permissions)
Not sure if that's an option, but you could create a (temporary) file in said folder and keep it open for the duration of the 'watch'. You'll need to clean it up again afterwards off course. (You might even give it the hidden attribute so it doesn't show up to 'normal' users).
Not the nicest solution and the file will remain littering around when your program crashes before removing the file...