Windows has the concept of I/O filters which allow you to intercept all I/O operations and choose to perform additional actions as a result. They are primarily used for A/V type scenarios but can be programmed for a wide variety of tasks. The SysInternals Process Monitor for example uses a I/O filter to see the file level access.

Windows 具有 I/O 过滤器的概念，它允许您拦截所有 I/O 操作并选择执行其他操作作为结果。它们主要用于 A/V 类型的场景，但可以针对各种任务进行编程。例如，SysInternals Process Monitor 使用 I/O 过滤器来查看文件级访问。

You can view your current filters using MS Filter Manager, (fltmc.exe from a command prompt)

您可以使用 MS 过滤器管理器查看您当前的过滤器（命令提示符中的 fltmc.exe）

There is a kit to help you write filters, you can get the drivers and develop your own.

有一个工具包可以帮助您编写过滤器，您可以获取驱动程序并开发自己的驱动程序。

http://www.microsoft.com/whdc/driver/filterdrv/default.mspxis a starting place to get in depth info

http://www.microsoft.com/whdc/driver/filterdrv/default.mspx是获取深入信息的起点

As there is a .NET tag on this question, I would simply use System.IO.FileSystemWatcherthat's in the .NET Framework. I'm guessing it is implemented using the I/O Filters that Andrew mentions in his answer, but I really do not know (nor care, exactly). Would that fit your needs?

由于这个问题有一个 .NET 标记，我会简单地使用System.IO.FileSystemWatcher.NET Framework 中的标记。我猜它是使用Andrew 在他的回答中提到的 I/O 过滤器实现的，但我真的不知道（也不关心，确切地说）。那能满足你的需求吗？

As previously mentioned, a file copy operation can be implemented in various ways and may involve several disk and memory transfers, therefore is not possible to simply get notified by the system when such operation occurs. Even for the user, there are multiple ways to duplicate content and entire files. Copy commands, "save as", "send to", move, using various tools. Under the hood the copy operation is a succession of read / write, correlated by certain parameters. That is the only way to guarantee successful auditing. Hooking on CopyFile will not give you the copy operations of Total Commander, for example. Nor will it give you "Save as" operations which are in fact file create -> file content moved -> closing of original file -> opening of the new file. Then, things are different when dealing with copy over network, impersonated copy operations where the file handle security context is different than the process security context, and so on. I do not think that there is a straightforward way to achieve all of the above.

如前所述，文件复制操作可以通过多种方式实现，并且可能涉及多个磁盘和内存传输，因此在发生此类操作时不可能简单地得到系统通知。即使对于用户，也有多种方法可以复制内容和整个文件。使用各种工具复制命令、“另存为”、“发送到”、移动。在引擎盖下，复制操作是一系列读/写，由某些参数关联。这是保证审计成功的唯一方法。例如，钩住 CopyFile 不会给你 Total Commander 的复制操作。它也不会给您“另存为”操作，这些操作实际上是文件创建-> 文件内容移动-> 关闭原始文件-> 打开新文件。然后，在处理网络复制、文件句柄安全上下文与进程安全上下文不同的模拟复制操作等时，情况有所不同。我认为没有一种直接的方法可以实现上述所有目标。

However, there is a software that can notify you for most of the common copy operations (i.e. when they are performed through windows explorer, total commander, command prompt and other applications). It also gives you the source and destination file name, the timestamp and other relevant details. It can be found here: http://temasoft.com/products/filemonitor.

但是，有一个软件可以通知您大多数常见的复制操作（即当它们通过 Windows 资源管理器、总指挥官、命令提示符和其他应用程序执行时）。它还为您提供源和目标文件名、时间戳和其他相关详细信息。可在此处找到：http: //temasoft.com/products/filemonitor。

Note: I work for the company which develops this product.

注意：我在开发这个产品的公司工作。

As Andrew says a filter driver is the way to go.

正如安德鲁所说，过滤驱动程序是必经之路。

There is no foolproof way of detecting a file copy as different programs copy files in different ways (some may use the CopyFile API, others may just read one file and write out the contents to another themselves). You could try calculating a hash in your filter driver of any file opened for reading, and then do the same after a program finishes writing to a file. If the hashes match you know you have a file copy. However this technique may be slow. If you just hook the CopyFile API you will miss file copies made without that API. Java programs (to name but one) have no access to the CopyFile API.

检测文件副本没有万无一失的方法，因为不同的程序以不同的方式复制文件（有些可能使用 CopyFile API，其他可能只是读取一个文件并将内容写出到另一个自己）。您可以尝试在过滤器驱动程序中计算任何打开以供读取的文件的哈希值，然后在程序完成写入文件后执行相同的操作。如果哈希匹配，您就知道您有一个文件副本。然而，这种技术可能很慢。如果您只是挂钩 CopyFile API，您将错过没有该 API 的文件副本。Java 程序（仅举一例）无法访问 CopyFile API。

This is likely impossible as there is no guaranteed central method for performing a copy/move. You could hook into a core API (like CopyFile) but of course that means that you will still miss any copy/move that any application does without using this API.

这可能是不可能的，因为没有保证执行复制/移动的中央方法。您可以连接到核心 API（如 CopyFile），但这当然意味着您仍然会错过任何应用程序在不使用此 API 的情况下所做的任何复制/移动。

Maybe you could watch the entire filesystem with IO filters for open files and then just draw conclusions yourself if two files with same names and same filesizes are open at the same time. But that no 100% solution either.

也许您可以使用用于打开文件的 IO 过滤器查看整个文件系统，然后如果同时打开两个具有相同名称和相同文件大小的文件，您就可以自己得出结论。但这也不是 100% 的解决方案。