FileMon: Use It

I’m trying to figure out why my Windows Media Center sometimes just starts going nuts with the disc for short periods of time.  I’m watching TV and suddenly the disc starts thrashing like mad and sometimes this causes my program to skip. 

Part of diagnosing a problem like this is using the excellent tool FileMon from SysInternals

One thing I learned from FileMon is that every few seconds, mcrmgr.exe wakes up and queries for information on dozens of DLLs.

Here’s a (badly formatted) snippet that shows a bit of the FileMon log:

8:59:32 AM mcrmgr.exe:676 QUERY INFORMATION D:\WINDOWS\system32\odbcint.dll SUCCESS FileNameInformation
8:59:32 AM mcrmgr.exe:676 QUERY INFORMATION D:\WINDOWS\system32\wmasf.dll SUCCESS FileNameInformation
8:59:32 AM mcrmgr.exe:676 QUERY INFORMATION D:\WINDOWS\system32\wmasf.dll SUCCESS FileNameInformation
8:59:32 AM mcrmgr.exe:676 QUERY INFORMATION D:\WINDOWS\system32\wmasf.dll SUCCESS FileNameInformation
8:59:32 AM mcrmgr.exe:676 QUERY INFORMATION D:\WINDOWS\system32\wmasf.dll SUCCESS FileNameInformation
8:59:32 AM mcrmgr.exe:676 QUERY INFORMATION D:\WINDOWS\system32\encdec.dll SUCCESS FileNameInformation
8:59:32 AM mcrmgr.exe:676 QUERY INFORMATION D:\WINDOWS\system32\encdec.dll SUCCESS FileNameInformation
8:59:32 AM mcrmgr.exe:676 QUERY INFORMATION D:\WINDOWS\system32\encdec.dll SUCCESS FileNameInformation
8:59:32 AM mcrmgr.exe:676 QUERY INFORMATION D:\WINDOWS\system32\encdec.dll SUCCESS FileNameInformation
8:59:32 AM mcrmgr.exe:676 QUERY INFORMATION D:\WINDOWS\system32\wmdrmsdk.dll SUCCESS FileNameInformation
8:59:32 AM mcrmgr.exe:676 QUERY INFORMATION D:\WINDOWS\system32\wmdrmsdk.dll SUCCESS FileNameInformation
8:59:32 AM mcrmgr.exe:676 QUERY INFORMATION D:\WINDOWS\system32\wmdrmsdk.dll SUCCESS FileNameInformation
8:59:32 AM mcrmgr.exe:676 QUERY INFORMATION D:\WINDOWS\system32\wmdrmsdk.dll SUCCESS

Why would it do this?  Windows supports subscribing to notification of file changes, so there’s no reason to poll like this.  I don’t know if it’s related to my slowdown, but it bugs me that this unnecessary work is being constantly on my system.

The app I work on at work uses an INI file to store some information, and I discovered using FileMon that we access this INI file more than we should.  It wasn’t taking enough time to show up as significant in a profile run, but it’s just messy.

So the point of this post is to encourage developers to fire up their app and run the FileMon utility, and look for anything that your app is doing that you’re not aware of.  It can be enlightening.