Not open for further replies.


Level 31
FileActivityWatch: monitor read/write operations on Windows

FileActivityWatch is a new portable program for Windows by Nirsoft that displays all read, write and delete operations of files on the operating system.

The program is compatible with all versions of Windows starting from Windows Vista and supports 32-bit and 64-bit editions of the operating system.

Since it is portable, you may run it without installation. Just download the small archive from the Nirsoft website and extract it on the system once the download completes.

You may run FileActivityWatch from any location. Note that the app displays an UAC prompt on start which you need to accept to continue.


The portable program monitors file activity on the system by default and updates the list of files in the interface automatically. It lists file names, process id and name, read and write bytes, and additional information about each recorded event.

Tip: Use the keyboard shortcut F2 while the program is active to start and stop the file event monitoring. Use the Options menu to toggle the monitoring of read, write or delete events individually.

Events are color-coded for easier identification:

  • Green background -- read operations
  • Yellow background -- write operations
  • Red background -- read and write operations
  • Blue background -- delete operations
A click on a column header sorts the data based on the parameter. You can sort by filename, process id, process name, or any other parameter that is available.

A built-in search, accessible via an icon, the shortcut Ctrl-F or the View menu, lets you filter the data; useful if FileActivityWatch ran for a prolonged period of time as a lot of data is record and displayed when it runs.

FileActivityWatch comes with the usual Nirsoft options that are included in all of Nir Sofer's programs. You can export the data or a selection to XML, HTML, TXT or CSV files,

Closing Words
FileActivityWatch is a specialized program. You can use it to monitor file activity on Windows machines, and filter the monitoring on top of that. You could use the tool to monitor all delete operations that happen on the system.

The program lacks options to monitor only specific folders or files; the option to limit the monitoring would be very useful as it would reduce the size of the log and provide an option to focus on specific files or directories only.

Not open for further replies.