I am using Sysinternals Process Monitor to debug some incoming events and now I am trying to create a filter on Path and using wildcards. What I am trying to use is to filter path which begin with c:\MyApp\MyDocuments\Temp and ends with .pdf
Path filter should look like this: c:\MyApp\MyDocuments\Temp*.pdf
How can I do this?
On
When you have two filters like this:
Path begins with c:\MyApp\MyDocuments\TempPath ends with .pdfWhat happens is anything that literally begins with that temp folder is included, and anywhere else a .pdf event is logged is included, so you'll get results you don't want. Stuff like this:
C:\MyApp\MyDocuments\Temp.txt (not a PDF)
C:\Some\Other\Folder\file.pdf (not the folder I want)
The Process Monitor help file explains why the begins with / ends with filters don't work together. From the help file:
Process Monitor ORs together all the filters that are related to a particular attribute type and ANDs together filters of different attribute types. For example, if you specified process name include filters for Notepad.exe and Cmd.exe and a path include filter for C:\Windows, Process Monitor would only display events originating in either Notepad.exe or Cmd.exe that specify the C:\Windows directory.
So because the filter entity is "Path" for both "begins with" and "ends with", Process monitor OR's them, and thus we get the noise we don't want. Here is a filter combo that works the way we want:
Path ends with .pdf IncludePath excludes C:\MyApp\MyDocuments\Temp ExcludeThe "exclude" relation operator behaves like a "does not contain" as far as I can tell. I can't find any specific documentation that lists all of the operators and what they do but that's what it seems. So even though we have two "Path" filters that will get OR'd, because one is Include and the other is Exclude, we get what we're after, which is only PDF's edited in that file path.
AFAIK, this is not possible. You can just use
begins withc:\MyApp\MyDocuments\Tempand another filterends with.pdf.