Monitor file changes in Windows with PowerShell and pswatch

• Author
• Recent Posts

Dan Franciscus

Dan Franciscus is a systems engineer and VMware Certified Professional (VCP) specializing in VMware, PowerShell, and other Microsoft-based technologies. You can reach Dan at his blog or his Twitter at @dan_franciscus.

Latest posts by Dan Franciscus (see all)

• SolarWinds Server Performance and Configuration Bundle - Tue, Jun 18 2019
• SolarWinds Patch Manager: Updating Windows and third-party software - Tue, Apr 30 2019
• Monitor file changes in Windows with PowerShell and pswatch - Fri, Feb 1 2019

How pswatch works

Pswatch is actually fairly simple in its design as it uses the .NET class System.IO.FileSystemWatcher. It returns the full path to any created, changed, deleted, or renamed file inside a directory. In addition, it can search within all subfolders of a directory.

A great feature of this module is that it continuously monitors directories, and since it writes the paths of files that change to the output, users can use a foreach loop in PowerShell and continuously perform logic on these objects. Obviously, there are numerous use cases for this.

Installing the module

The module unfortunately is not available in the PowerShell Gallery, but the creator's GitHub page does provide an installation PowerShell script that will create the module on a local machine. We can use this via Invoke-Expression:

PS C:\Users\dan\Documents> iex ((new-object net.webclient).DownloadString("http://bit.ly/Install-PsWatch"))
Creating module directory
Downloading and installing
Installed!
Use "Import-Module pswatch" and then "watch"
PS C:\Users\dan\Documents> Import-Module pswatch

Monitoring a folder and sending email alerts

One simple example of using the module is monitoring a folder for changes and then emailing a user when a change occurs. To use the pswatch module, we use the command watch and follow this with a path to the folder we want to monitor. Here is an example of code that would do just that:

C:\> watch c:\examplefolder -includeDeleted | foreach {
>> Write-Output "Change made on $($_.Path)"
>> Send-MailMessage -Body $_.Path -From alerts@domain.com
>> -SmtpServer smtp.domain.com -Subject 'Change found' -To dan@domain.com
>> }
Change made on c:\examplefolder\test\Newfile.txt

As you can see, the output is a string "Change made on" and the path to the created, modified, renamed, or deleted file.

A look into PowerShell help shows us the possible parameters for watch. These include location, subdirectories, changed files, renamed files, created files, and deleted files. All default to true except for deleted files, which is false.

C:\> Get-Help watch -Parameter * | Select-String -Pattern '-'

-location <String>
-includeSubdirectories [<SwitchParameter>]
-includeChanged [<SwitchParameter>]
-includeRenamed [<SwitchParameter>]
-includeCreated [<SwitchParameter>]
-includeDeleted [<SwitchParameter>]

Running pswatch as a service

Since we can use pswatch continuously, it makes it a great candidate for a Windows service that runs in the background at all times. The easiest way I found to do this was using a tool called nssm, which I found in Brandon Olin's post. Here, I use the same method Brandon used to create and start a service called "WatchExample," which is just a script containing my watch command used previously:

Creating a service running pswatch

Wrap-up

PowerShell is not really known as a great tool for monitoring, but pswatch may be an exception to that thought. There are many use cases for using pswatch, even in DevOps scenarios such as kicking off unit tests as José states in the GitHub repository readme.