

Decoding the FileAttributes field in ProcessMonitor

Random tip: if you're using procmon.exe to monitor file system activity, you'll see a FileAttributes field with a bunch of letters.  It's not immediately obvious which letters correspond to which Win32 file attribute constants.  I asked around internally, and got the answer.  Blogging it here for general reference (and yes, the team does plan to update the docs with this).

    FILE_ATTRIBUTE_READONLY, _T("R"),
    FILE_ATTRIBUTE_HIDDEN, _T("H"),
    FILE_ATTRIBUTE_SYSTEM, _T("S"),
    FILE_ATTRIBUTE_DIRECTORY, _T("D"),
    FILE_ATTRIBUTE_ARCHIVE, _T("A"),
    FILE_ATTRIBUTE_DEVICE, _T("D"),
    FILE_ATTRIBUTE_NORMAL, _T("N"),
    FILE_ATTRIBUTE_TEMPORARY, _T("T"),
    FILE_ATTRIBUTE_SPARSE_FILE, _T("SF"),
    FILE_ATTRIBUTE_REPARSE_POINT, _T("RP"),
    FILE_ATTRIBUTE_COMPRESSED, _T("C"),
    FILE_ATTRIBUTE_OFFLINE, _T("O"),
    FILE_ATTRIBUTE_NOT_CONTENT_INDEXED, _T("NCI"),
    FILE_ATTRIBUTE_ENCRYPTED, _T("E"),
    FILE_ATTRIBUTE_VIRTUAL, _T("V"),
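As an added example (not code from this post or from Process Monitor), here is a small decoder for the table above, useful when triaging exported traces for hidden/system files or reparse points. It assumes the codes are concatenated with no separator (for example "HSA"); the function names are hypothetical, the numeric values are the standard winnt.h ones, and "D" is reported as ambiguous because the table maps both DIRECTORY and DEVICE to it.

```python
from itertools import product

# (code, Win32 constant, winnt.h value), in the order given in the post.
TABLE = [
    ("R", "FILE_ATTRIBUTE_READONLY", 0x1),
    ("H", "FILE_ATTRIBUTE_HIDDEN", 0x2),
    ("S", "FILE_ATTRIBUTE_SYSTEM", 0x4),
    ("D", "FILE_ATTRIBUTE_DIRECTORY", 0x10),
    ("A", "FILE_ATTRIBUTE_ARCHIVE", 0x20),
    ("D", "FILE_ATTRIBUTE_DEVICE", 0x40),
    ("N", "FILE_ATTRIBUTE_NORMAL", 0x80),
    ("T", "FILE_ATTRIBUTE_TEMPORARY", 0x100),
    ("SF", "FILE_ATTRIBUTE_SPARSE_FILE", 0x200),
    ("RP", "FILE_ATTRIBUTE_REPARSE_POINT", 0x400),
    ("C", "FILE_ATTRIBUTE_COMPRESSED", 0x800),
    ("O", "FILE_ATTRIBUTE_OFFLINE", 0x1000),
    ("NCI", "FILE_ATTRIBUTE_NOT_CONTENT_INDEXED", 0x2000),
    ("E", "FILE_ATTRIBUTE_ENCRYPTED", 0x4000),
    ("V", "FILE_ATTRIBUTE_VIRTUAL", 0x10000),
]
# Longest codes first so "RP", "SF" and "NCI" win over "R", "S" and "N".
CODES = sorted({c for c, _, _ in TABLE}, key=len, reverse=True)

def decode(field):
    """Split a FileAttributes string into codes; return, per code, the
    list of (constant, value) candidates (two candidates for "D")."""
    out, i, text = [], 0, field.strip()
    while i < len(text):
        for code in CODES:
            if text.startswith(code, i):
                out.append([(n, v) for c, n, v in TABLE if c == code])
                i += len(code)
                break
        else:
            raise ValueError(f"unknown attribute code at offset {i}: {text[i:]!r}")
    return out

def possible_masks(field):
    """Every attribute bitmask the string could stand for."""
    masks = set()
    for combo in product(*[[v for _, v in c] for c in decode(field)]):
        mask = 0
        for value in combo:
            mask |= value
        masks.add(mask)
    return masks

if __name__ == "__main__":
    for sample in ("HSA", "DRP", "ANCI"):  # constructed sample values
        print(sample, decode(sample), [hex(m) for m in sorted(possible_masks(sample))])
```
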