Decoding the FileAttributes field in ProcessMonitor

Jeremy M [MSFT]

27 May 2010 10:43 AM

Random tip: if you’re using procmon.exe to monitor file system activity, you’ll see a FileAttributes field with a bunch of letters.  It’s not immediately obvious which letters correspond to which Win32 file attribute constants.  I asked around internally, and got the answer.  Blogging it here for general reference (and yes, the team does plan to update the docs with this).

FILE_ATTRIBUTE_READONLY,                  _T("R"),
FILE_ATTRIBUTE_HIDDEN,                    _T("H"),
FILE_ATTRIBUTE_SYSTEM,                    _T("S"),
FILE_ATTRIBUTE_DIRECTORY,                 _T("D"),
FILE_ATTRIBUTE_ARCHIVE,                   _T("A"),
FILE_ATTRIBUTE_DEVICE,                    _T("D"),
FILE_ATTRIBUTE_NORMAL,                    _T("N"),
FILE_ATTRIBUTE_TEMPORARY,                 _T("T"),

FILE_ATTRIBUTE_COMPRESSED,                _T("C"),
FILE_ATTRIBUTE_OFFLINE,                   _T("O"),

FILE_ATTRIBUTE_ENCRYPTED,                 _T("E"),
FILE_ATTRIBUTE_VIRTUAL,                   _T("V"),
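
The mapping above, applied to exported Process Monitor rows, as an added example (not code from the original post or from the Process Monitor team). It decodes the letters and lists paths where a SetBasicInformationFile event applied both Hidden and System. The Detail-column layout, the function names and the sample rows are assumptions constructed for illustration.

```python
import re

# Letter -> constant name(s) as listed in the post; "D" is listed twice, so it stays ambiguous.
LETTERS = {
    "R": ["FILE_ATTRIBUTE_READONLY"],
    "H": ["FILE_ATTRIBUTE_HIDDEN"],
    "S": ["FILE_ATTRIBUTE_SYSTEM"],
    "D": ["FILE_ATTRIBUTE_DIRECTORY", "FILE_ATTRIBUTE_DEVICE"],
    "A": ["FILE_ATTRIBUTE_ARCHIVE"],
    "N": ["FILE_ATTRIBUTE_NORMAL"],
    "T": ["FILE_ATTRIBUTE_TEMPORARY"],
    "C": ["FILE_ATTRIBUTE_COMPRESSED"],
    "O": ["FILE_ATTRIBUTE_OFFLINE"],
    "E": ["FILE_ATTRIBUTE_ENCRYPTED"],
    "V": ["FILE_ATTRIBUTE_VIRTUAL"],
}

# Assumed Detail-column layout: "..., FileAttributes: <letters or n/a>"
FIELD = re.compile(r"\bFileAttributes:\s*([A-Za-z/]+)")

def decode(letters):
    """Return (constant_names, unknown_letters) for one attribute string."""
    names, unknown = [], []
    if letters.lower() == "n/a":
        return names, unknown
    for ch in letters:
        if ch in LETTERS:
            names.append(" or ".join(LETTERS[ch]))
        else:
            unknown.append(ch)  # letter the post does not list: report it, never guess
    return names, unknown

def hidden_system_sets(rows):
    """Paths where a SetBasicInformationFile event carried both H and S."""
    hits = []
    for op, path, detail in rows:
        m = FIELD.search(detail)
        if op == "SetBasicInformationFile" and m and {"H", "S"} <= set(m.group(1)):
            hits.append(path)
    return hits

# Constructed sample rows (Operation, Path, Detail); not real capture data.
SAMPLE_ROWS = [
    ("SetBasicInformationFile", r"C:\Users\demo\AppData\Roaming\example.dat", "CreationTime: 0, ChangeTime: 0, FileAttributes: HSA"),
    ("QueryBasicInformationFile", r"C:\Windows\System32", "CreationTime: 0, ChangeTime: 0, FileAttributes: D"),
    ("SetBasicInformationFile", r"C:\Temp\report.tmp", "CreationTime: 0, ChangeTime: 0, FileAttributes: T"),
]

for op, path, detail in SAMPLE_ROWS:
    print(path, decode(FIELD.search(detail).group(1)))
```

Letters that are not in the list above come back in the second element of the tuple instead of being mapped to a guessed constant.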