1. Home
  2. Windows

How to log disk read/write activity for an app on Windows 10

Most apps that you install on your desktop will read information/data from your disk. Likewise, they will also write information to it. It’s not something that can be helped though if you suspect an app might write something to your disk that might damage your system or your data, you can use Controlled Folder access to restrict an app from writing to certain directories. If you want to allow an app to read/write to your disk, but would still like to keep an eye on its activity, you can log all read/write instances with Process Monitor.

Log disk read/write activity for an app

Download and run Process Monitor. In order to log disk read/write activity for an app, you need to create filters for it. Click the Filter item on the menu bar and select Filter.

You need to add three filters. There will be a few filters added by default. Do not disable them. The first filter you have to add is the ‘Operation’ type. Select it in the first dropdown. Leave the second one set to ‘Is’, and in the third dropdown, select ‘ReadFile’. Click Add.

Next, add the second filter. Follow the same settings as before but select the ‘WriteFile’ option in the third dropdown.

For the third and last filter, open the first dropdown and select ‘Process Name’. Leave the second one set to ‘Is’, and in the third dropdown, enter the name of the app’s EXE. Click Add. Once you’ve added all the filters, click the Apply button.

Make sure the ‘Capture’ mode is enabled. You can toggle it On/Off by clicking the magnifying glass icon.

Once you’ve got the filters set up and events start showing up for the read and write actions, you can log them. To create a log, go to File>Backing Files. Select where you want to save the log, and you’ll be able to open and view it in Notepad.

The log is going to be a snapshot of what events Process Monitor has captured up until that point. All new events that occur and pass through the filter will not automatically be added to the log. You will have to create a new log file each time.

Process Monitor tells you the exact time an event occurred, and it can even point you to the exact file that was written or changed as a result of the event. You can monitor read/write activity for several apps by adding a filter for each one.

Leave a comment