Initial commit

Author: ptvty

.gitignore

@@ -0,0 +1,3 @@
+.vscode
+bin
+obj

Program.cs

@@ -0,0 +1,41 @@
+using Microsoft.Diagnostics.Tracing.Parsers;
+using Microsoft.Diagnostics.Tracing.Session;
+
+namespace WinFileReadEvents
+{
+    class Program
+    {
+        static void Main(string[] args)
+        {
+            if (TraceEventSession.IsElevated() != true)
+            {
+                Console.WriteLine("x|To turn on ETW events you need to be Administrator, please run from an Admin process.");
+                return;
+            }
+
+            string? filePath = (args.Length < 1) ? null : args[0];
+
+            using var session = new TraceEventSession("FileRead");
+
+            Console.CancelKeyPress += (sender, e) => session.Stop();
+
+            session.EnableKernelProvider(
+                KernelTraceEventParser.Keywords.DiskFileIO |
+                KernelTraceEventParser.Keywords.FileIOInit);
+
+            session.Source.Kernel.FileIORead += data =>
+            {
+                if (filePath == null || string.Compare(data.FileName, filePath, StringComparison.OrdinalIgnoreCase) == 0)
+                {
+                    string line = ">|";
+                    line += data.Offset + "|";
+                    line += data.IoSize + "|";
+                    line += data.FileName;
+                    Console.WriteLine(line);
+                }
+            };
+
+            session.Source.Process();
+        }
+    }
+}

WinFileReadEvents.csproj

@@ -0,0 +1,15 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>net8.0</TargetFramework>
+    <RootNamespace>WinFileReadEvents</RootNamespace>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Diagnostics.Tracing.TraceEvent" Version="3.1.9" />
+  </ItemGroup>
+
+</Project>