如何记录文件什么时候被拷贝、删除。 ( 积分: 100 )

fuxiaojie · 2005-12-30

我想用delphi写个程序记录我的系统什么时候开机，开机以后那个文件被拷贝、删除、打开过等。

fuxiaojie · 2005-12-30

我想用delphi写个程序记录我的系统什么时候开机，开机以后那个文件被拷贝、删除、打开过等。

wuliao2345 · 2005-12-30

请高手来指点一下我也有这个想法

网中戏 · 2005-12-30

unit Unit1; interface uses  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,  StdCtrls,shlobj,Activex; const  SHCNE_RENAMEITEM = $1;  SHCNE_CREATE = $2;  SHCNE_DELETE = $4;  SHCNE_MKDIR = $8;  SHCNE_RMDIR = $10;  SHCNE_MEDIAINSERTED = $20;  SHCNE_MEDIAREMOVED = $40;  SHCNE_DRIVEREMOVED = $80;  SHCNE_DRIVEADD = $100;  SHCNE_NETSHARE = $200;  SHCNE_NETUNSHARE = $400;  SHCNE_ATTRIBUTES = $800;  SHCNE_UPDATEDIR = $1000;  SHCNE_UPDATEITEM = $2000;  SHCNE_SERVERDISCONNECT = $4000;  SHCNE_UPDATEIMAGE = $8000;  SHCNE_DRIVEADDGUI = $10000;  SHCNE_RENAMEFOLDER = $20000;  SHCNE_FREESPACE = $40000;  SHCNE_ASSOCCHANGED = $8000000;  SHCNE_DISKEVENTS = $2381F;  SHCNE_GLOBALEVENTS = $C0581E0;  SHCNE_ALLEVENTS = $7FFFFFFF;  SHCNE_INTERRUPT = $80000000;  SHCNF_IDLIST = 0;               //  LPITEMIDLIST  SHCNF_PATHA = $1;               // path name  SHCNF_PRINTERA = $2;            // printer friendly name  SHCNF_DWORD = $3;               // DWORD  SHCNF_PATHW = $5;               // path name  SHCNF_PRINTERW = $6;            // printer friendly name  SHCNF_TYPE = $FF;  SHCNF_FLUSH = $1000;  SHCNF_FLUSHNOWAIT = $2000;  SHCNF_PATH = SHCNF_PATHW;  SHCNF_PRINTER = SHCNF_PRINTERW;  WM_SHNOTIFY = $401;  NOERROR = 0; type  TForm1 = class(TForm)    Button1: TButton;    Memo1: TMemo;    procedure FormClose(Sender: TObject; var Action: TCloseAction);    procedure Button1Click(Sender: TObject);    procedure FormCreate(Sender: TObject);  private    { Private declarations }    procedure WMShellReg(var Message:TMessage);message WM_SHNOTIFY;  public    { Public declarations }  end; type PSHNOTIFYSTRUCT=^SHNOTIFYSTRUCT;  SHNOTIFYSTRUCT = record    dwItem1 : PItemIDList;    dwItem2 : PItemIDList;  end; Type PSHFileInfoByte=^SHFileInfoByte;  _SHFileInfoByte = record    hIcon :Integer;    iIcon :Integer;    dwAttributes : Integer;    szDisplayName : array [0..259] of char;    szTypeName : array [0..79] of char;  end;  SHFileInfoByte=_SHFileInfoByte; Type PIDLSTRUCT = ^IDLSTRUCT;  _IDLSTRUCT = record    pidl : PItemIDList;    bWatchSubFolders : Integer;  end;  IDLSTRUCT =_IDLSTRUCT; function SHNotify_Register(hWnd : Integer) : Bool; function SHNotify_UnRegister:Bool; function SHEventName(strPath1,strPath2:string;lParam:Integer):string; Function SHChangeNotifyDeregister(hNotify:integer):integer;stdcall;         external 'Shell32.dll' index 4; Function SHChangeNotifyRegister(hWnd,uFlags,dwEventID,uMSG,cItems:LongWord;         lpps

IDLSTRUCT):integer;stdcall;external 'Shell32.dll' index 2; Function SHGetFileInfoPidl(pidl : PItemIDList;         dwFileAttributes : Integer;         psfib : PSHFILEINFOBYTE;         cbFileInfo : Integer;         uFlags : Integer):Integer;stdcall;         external 'Shell32.dll' name 'SHGetFileInfoA'; var  Form1: TForm1;  m_hSHNotify:Integer;  m_pidlDesktop : PItemIDList; implementation {$R *.DFM} function SHEventName(strPath1,strPath2:string;lParam:Integer):string; var  sEvent:String; begin  case lParam of        file://根据参数设置提示消息    SHCNE_RENAMEITEM: sEvent := '重命名文件'+strPath1+'为'+strpath2;    SHCNE_CREATE: sEvent := '建立文件文件名：'+strPath1;    SHCNE_DELETE: sEvent := '删除文件文件名：'+strPath1;    SHCNE_MKDIR: sEvent := '新建目录目录名：'+strPath1;    SHCNE_RMDIR: sEvent := '删除目录目录名：'+strPath1;    SHCNE_MEDIAINSERTED: sEvent := strPath1+'中插入可移动存储介质';    SHCNE_MEDIAREMOVED: sEvent := strPath1+'中移去可移动存储介质'+strPath1+' '+strpath2;    SHCNE_DRIVEREMOVED: sEvent := '移去驱动器'+strPath1;    SHCNE_DRIVEADD: sEvent := '添加驱动器'+strPath1;    SHCNE_NETSHARE: sEvent := '改变目录'+strPath1+'的共享属性';    SHCNE_ATTRIBUTES: sEvent := '改变文件目录属性文件名'+strPath1;    SHCNE_UPDATEDIR: sEvent := '更新目录'+strPath1;    SHCNE_UPDATEITEM: sEvent := '更新文件文件名：'+strPath1;    SHCNE_SERVERDISCONNECT: sEvent := '断开与服务器的连接'+strPath1+' '+strpath2;    SHCNE_UPDATEIMAGE: sEvent := 'SHCNE_UPDATEIMAGE';    SHCNE_DRIVEADDGUI: sEvent := 'SHCNE_DRIVEADDGUI';    SHCNE_RENAMEFOLDER: sEvent := '重命名文件夹'+strPath1+'为'+strpath2;    SHCNE_FREESPACE: sEvent := '磁盘空间大小改变';    SHCNE_ASSOCCHANGED: sEvent := '改变文件关联';  else    sEvent:='未知操作'+IntToStr(lParam);  end;  Result:=sEvent; end; function SHNotify_Register(hWnd : Integer) : Bool; var  ps

IDLSTRUCT; begin  {$R-}  Result:=False;  If m_hSHNotify = 0 then begin    file://获取桌面文件夹的Pidl    if SHGetSpecialFolderLocation(0, CSIDL_DESKTOP,        m_pidlDesktop)<> NOERROR then        Form1.close;    if Boolean(m_pidlDesktop) then begin      ps.bWatchSubFolders := 1;      ps.pidl := m_pidlDesktop;      // 利用SHChangeNotifyRegister函数注册系统消息处理      m_hSHNotify := SHChangeNotifyRegister(hWnd, (SHCNF_TYPE Or SHCNF_IDLIST),                                          (SHCNE_ALLEVENTS Or SHCNE_INTERRUPT),                                          WM_SHNOTIFY, 1, ps);      Result := Boolean(m_hSHNotify);    end    Else      // 如果出现错误就使用 CoTaskMemFree函数来释放句柄      CoTaskMemFree(m_pidlDesktop);  End;  {$R+} end; function SHNotify_UnRegister:Bool; begin  Result:=False;  If Boolean(m_hSHNotify) Then    file://取消系统消息监视，同时释放桌面的Pidl    If Boolean(SHChangeNotifyDeregister(m_hSHNotify)) Then begin      {$R-}      m_hSHNotify := 0;      CoTaskMemFree(m_pidlDesktop);      Result := True;      {$R-}    End; end; procedure TForm1.WMShellReg(var Message:TMessage);      file://系统消息处理函数 var  strPath1,strPath2:String;  charPath:array[0..259]of char;  pidlItem

SHNOTIFYSTRUCT; begin  pidlItem:=PSHNOTIFYSTRUCT(Message.wParam);  file://获得系统消息相关得路径  SHGetPathFromIDList(pidlItem.dwItem1,charPath);  strPath1:=charPath;  SHGetPathFromIDList(pidlItem.dwItem2,charPath);  strPath2:=charPath;  Memo1.Lines.Add(SHEvEntName(strPath1,strPath2,Message.lParam)+chr(13)+chr(10)); end; procedure TForm1.FormClose(Sender: TObject; var Action: TCloseAction); begin  file://在程序退出的同时删除监视  if Boolean(m_pidlDesktop) then    SHNotify_Unregister; end; procedure TForm1.Button1Click(Sender: TObject); file://Button1的Click消息 begin  m_hSHNotify:=0;  if SHNotify_Register(Form1.Handle) then begin file://注册Shell监视    ShowMessage('Shell监视程序成功注册');    Button1.Enabled := False;  end  else    ShowMessage('Shell监视程序注册失败'); end; procedure TForm1.FormCreate(Sender: TObject); begin  Button1.Caption := '打开监视'; end; end. /////////////////////////// 具体例子看我的程序 http://www.onlinedown.net/soft/13479.htm 中的操作监视。不管什么文件删除改名都可以监视到。给分吧

fuxiaojie · 2005-12-30

编译不了呀，有个错误。

fxh7622 · 2005-12-30

打个记号，不用给分。 我能想到的是使用HOOK来HOOK createfile，openfile等等的函数。然后记录！

cangyu · 2005-12-30

fuxiaojie · 2005-12-30

case lParam of        file:是什么意思呀，提示有语法错误。

网中戏 · 2005-12-30

file是说明啊把它去了。

fuxiaojie · 2005-12-30

运行的时候ps.bWatchSubFolders := 1;会出现异常。

网中戏 · 2005-12-30

不好意思啊，上面是D5的代码。D6以上需要增加一句 function SHNotify_Register(hWnd : Integer) : Bool; var  ps

IDLSTRUCT; begin  {$R-}  Result:=False;  If m_hSHNotify = 0 then begin    [red]new(ps);//这里要给它空间，/////////////////////////////////////[/red]    //获取桌面文件夹的Pidl    if SHGetSpecialFolderLocation(0, CSIDL_DESKTOP,        m_pidlDesktop)<> NOERROR then        Form1.close;    if Boolean(m_pidlDesktop) then begin      ps.bWatchSubFolders := 1;      ps.pidl := m_pidlDesktop;      // 利用SHChangeNotifyRegister函数注册系统消息处理      m_hSHNotify := SHChangeNotifyRegister(hWnd, (SHCNF_TYPE Or SHCNF_IDLIST),                                          (SHCNE_ALLEVENTS Or SHCNE_INTERRUPT),                                          WM_SHNOTIFY, 1, ps);      Result := Boolean(m_hSHNotify);    end    Else      // 如果出现错误就使用 CoTaskMemFree函数来释放句柄      CoTaskMemFree(m_pidlDesktop);  End;  {$R+} end;

如何记录文件什么时候被拷贝、删除。 ( 积分: 100 )

fuxiaojie

Unregistered / Unconfirmed

fuxiaojie

Unregistered / Unconfirmed

wuliao2345

Unregistered / Unconfirmed

网中戏

Unregistered / Unconfirmed

fuxiaojie

Unregistered / Unconfirmed

fxh7622

Unregistered / Unconfirmed

cangyu

Unregistered / Unconfirmed

fuxiaojie

Unregistered / Unconfirmed

网中戏

Unregistered / Unconfirmed

fuxiaojie

Unregistered / Unconfirmed

网中戏

Unregistered / Unconfirmed

Similar threads