Decoding the FileAttributes field in ProcessMonitor
27 May 2010 10:43 AM
Random tip: if you’re using procmon.exe to monitor file system activity, you’ll see a FileAttributes field with a bunch of letters. It’s not immediately obvious which letters correspond to which Win32 file attribute constants. I asked around internally, and got the answer. Blogging it here for general reference (and yes, the team does plan to update the docs with this).
FILE_ATTRIBUTE_READONLY, _T("R"),
FILE_ATTRIBUTE_HIDDEN, _T("H"),
FILE_ATTRIBUTE_SYSTEM, _T("S"),
FILE_ATTRIBUTE_DIRECTORY, _T("D"),
FILE_ATTRIBUTE_ARCHIVE, _T("A"),
FILE_ATTRIBUTE_DEVICE, _T("D"),
FILE_ATTRIBUTE_NORMAL, _T("N"),
FILE_ATTRIBUTE_TEMPORARY, _T("T"),
FILE_ATTRIBUTE_SPARSE_FILE, _T("SF"),
FILE_ATTRIBUTE_REPARSE_POINT, _T("RP"),
FILE_ATTRIBUTE_COMPRESSED, _T("C"),
FILE_ATTRIBUTE_OFFLINE, _T("O"),
FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, _T("NCI"),
FILE_ATTRIBUTE_ENCRYPTED, _T("E"),
FILE_ATTRIBUTE_VIRTUAL, _T("V"),
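A decoder for the table above, added here as an example (it is not Procmon's code or part of the original post). It assumes Procmon writes the codes back to back with no separator, as in `ANCI`, and that `n/a` means no attributes were reported; the numeric values are the standard Win32 definitions, which the post does not list.

```python
import re

# Code -> candidate Win32 constants. Codes come from the table in the post; the
# numeric values are the standard winnt.h definitions (not given in the post).
CODES = {
    "R": [("FILE_ATTRIBUTE_READONLY", 0x1)],
    "H": [("FILE_ATTRIBUTE_HIDDEN", 0x2)],
    "S": [("FILE_ATTRIBUTE_SYSTEM", 0x4)],
    # "D" appears twice in the table, so the letter alone cannot be resolved.
    "D": [("FILE_ATTRIBUTE_DIRECTORY", 0x10), ("FILE_ATTRIBUTE_DEVICE", 0x40)],
    "A": [("FILE_ATTRIBUTE_ARCHIVE", 0x20)],
    "N": [("FILE_ATTRIBUTE_NORMAL", 0x80)],
    "T": [("FILE_ATTRIBUTE_TEMPORARY", 0x100)],
    "SF": [("FILE_ATTRIBUTE_SPARSE_FILE", 0x200)],
    "RP": [("FILE_ATTRIBUTE_REPARSE_POINT", 0x400)],
    "C": [("FILE_ATTRIBUTE_COMPRESSED", 0x800)],
    "O": [("FILE_ATTRIBUTE_OFFLINE", 0x1000)],
    "NCI": [("FILE_ATTRIBUTE_NOT_CONTENT_INDEXED", 0x2000)],
    "E": [("FILE_ATTRIBUTE_ENCRYPTED", 0x4000)],
    "V": [("FILE_ATTRIBUTE_VIRTUAL", 0x10000)],
}
# Longest codes first so "NCI", "SF" and "RP" win over "N", "S" and "R".
TOKEN = re.compile("|".join(sorted(CODES, key=len, reverse=True)))

def decode(field):
    """Return (mask of unambiguous bits, their names, ambiguous candidate names)."""
    field = field.strip()
    if field.lower() == "n/a":  # assumed placeholder for "no attributes reported"
        return 0, [], []
    mask, names, ambiguous, pos = 0, [], [], 0
    while pos < len(field):
        m = TOKEN.match(field, pos)
        if m is None:
            raise ValueError(f"unknown attribute code at offset {pos}: {field!r}")
        candidates = CODES[m.group()]
        if len(candidates) == 1:
            name, bit = candidates[0]
            names.append(name)
            mask |= bit
        else:
            ambiguous.extend(name for name, _ in candidates)
        pos = m.end()
    return mask, names, ambiguous

if __name__ == "__main__":
    # Constructed sample values, not captured from a real trace.
    for sample in ("RHSA", "ANCI", "D", "HSRPNCI", "n/a"):
        print(sample, decode(sample))
```

Because `D` maps to two constants, the decoder reports both candidates and leaves those bits out of the mask; use the path or operation in the same Procmon row to tell a directory from a device.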