File monitoring can provide valuable operational intelligence about various aspects of computer systems including performance, security, and user behavior; and, as such, is a common task for system administrators. Typically, when a computer file being monitored is written to by a process, such as a user mode application running on a computer system, a monitoring application (a second process running on the computer system) accesses that file, consumes the written-to data and associated metadata, and ingests it into a log or capture, or otherwise reports it. However, operating systems, such as Microsoft Windows®, are sensitive to file handle locking across separate processes. Accordingly, problems may occur when the application writing to the file assumes that it is the only process accessing that file. For example, when an application has closed a file and then uses the same file name to open and write to a file, a conflict can occur and the open call may fail when the monitoring application already has a file handle opened with the same name.
One approach to reducing this conflict is to implement some level of coordination between the monitoring process and the user mode application. But this can require pre-established or agreed-upon rules between the parties providing these processes. Moreover, under this approach, successful monitoring may be performed only with those applications or processes that have agreed to the pre-established rules. Thus, file monitoring would remain unavailable in many situations.