Monitoring certain system calls done by a process in Windows

8

49

I would like to be able to monitor certain system calls made by a process, primarily file I/O calls. On Linux I can probably get away using strace with suitable parameters, but how can I do this on Windows?

I'm primarily interested in running a process and figuring out which files it has read and written.

I want to do this programmatically from another process. I'm aware of Process Monitor, but I would like to receive the data in a form which I can import into another program for further analysis.

If I narrow down my requirements even further, it is probably enough to be able to monitor calls to CreateFile(). I'm really only interested in what files are opened, and if they are opened for read/write or just read. Another requirement which I didn't really state is that speed is fairly important; I was planning on doing this for things like compiling a C++ file, and pulling up a full GUI which generates a 20 MB logfile will have prohibitive overhead.

It would also be nice if it did not require administrative privileges.

Coastal answered 14/5, 2009 at 18:6 Comment(2)
Interesting. Isn't there something similar to the Linux ptrace syscall in Windows? All the answers are about using other programs, but with something like ptrace() you could do it yourself.Hindward
In case you're interested in a different approach I've asked about a windows equivalent to ptrace : #865606Hindward
37

There are several options on Windows.

Windows Performance Toolkit can be used to enable tracing of various system events, including file I/O, and includes tools for processing and viewing these events. You can use xperf to begin tracing various classes of events and save to an ETL file that you can then process or view using the same tools later.

Process Monitor from Sysinternals is another, very easy to use, option, and enables you to quickly see all file and registry accesses any process on the system is doing. You can also run Process Monitor in an automated fashion.

If you'd like to do this completely programmatically, you can use the ETW functions (StartTrace, EnableTrace, etc.) to snap file I/O events and save to an ETL file. Sample code here.

Retiform answered 14/5, 2009 at 18:9 Comment(8)
Thanks, I'll look into WPT. Does ProcessMonitor have any support for running without a GUI?Coastal
Updated answer with a link showing how to automate Process Monitor.Retiform
Is there a way to get the xperf set of tool without downloading a whopping 1.3GB (!) iso-image?Coastal
The command line use of ProcessMonitor falls a little short: it still opens a window, and I couldn't find a way to specify filters on the command line. Also, ProcessMonitor has to be run as administrator (at least on my Vista machine), which makes it rather unusable for my purposes.Coastal
msdn.microsoft.com/en-us/performance/default.aspx, under downloads, has several downloads of just the toolkit for under 5 MB.Retiform
That link to WPF is broken, I found it here: msdn.microsoft.com/en-us/library/windows/hardware/hh162945.aspxMitchum
The link in the third paragraph is (effectively) broken. It redirects to a generic page, "Archived MSDN and TechNet Blogs".Solvent
Undead link: cloudnotes.io/how-to-automate-process-monitorLateshalatest
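The asker wants the open/read/write information in a form another program can consume. Process Monitor can save a capture as CSV, and the script below (an added example, not code from the answer above or from Sysinternals) reduces such an export to a per-file summary of whether each path was opened for reading or for writing, filtered to one process. It assumes the CSV columns `Time of Day`, `Process Name`, `PID`, `Operation`, `Path`, `Result`, `Detail` and a `Detail` field of the form `Desired Access: ..., Disposition: ...` on CreateFile rows; the access-right names in `WRITE_ACCESS` are the ones Procmon displays, and the sample rows are constructed for the example, not a real capture.

```python
"""Summarise which files a process opened, and whether for reading or writing,
from a Process Monitor CSV export.

Added example; not code from the original answer or from Sysinternals.
Assumed (hypothetical) layout: columns "Time of Day","Process Name","PID",
"Operation","Path","Result","Detail", with CreateFile rows carrying
"Desired Access: ..., Disposition: ..." in Detail.
"""
import csv
import io
import re

# Access rights in a CreateFile Detail field that let the caller change file data.
# Write Attributes / Write EA are deliberately left out and count as reads.
WRITE_ACCESS = {
    "Generic Write",
    "Generic All",
    "Write Data/Add File",
    "Append Data/Add Subdirectory/Create Pipe Instance",
    "Delete",
}
# Dispositions that create, truncate or replace the file even if the access list looks read-only.
WRITE_DISPOSITIONS = {"Create", "Supersede", "Overwrite", "OverwriteIf"}

# The access list itself contains commas, so cut it out up to the Disposition field.
DETAIL_RE = re.compile(r"Desired Access: (?P<access>.*?), Disposition: (?P<disp>\w+)")
RANK = {"unknown": 0, "read": 1, "write": 2}


def classify_open(detail):
    """Return 'write', 'read' or 'unknown' for one CreateFile Detail string."""
    m = DETAIL_RE.search(detail)
    if not m:
        return "unknown"
    rights = {r.strip() for r in m.group("access").split(",")}
    if rights & WRITE_ACCESS or m.group("disp") in WRITE_DISPOSITIONS:
        return "write"
    return "read"


def summarize_file_access(csv_text, process_name=None, include_failed=False):
    """Map each path opened with CreateFile to {'mode': ..., 'opens': n}.

    Only CreateFile rows count: this reports the access requested at open time,
    which is what the question asks for, and ignores later ReadFile/WriteFile
    rows. Failed opens (e.g. NAME NOT FOUND while probing include paths) are
    skipped unless include_failed is set. If a path is opened read-only once
    and for writing later, the stronger mode wins.
    """
    summary = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "CreateFile":
            continue
        if process_name and row["Process Name"].lower() != process_name.lower():
            continue
        if not include_failed and row["Result"] != "SUCCESS":
            continue
        mode = classify_open(row["Detail"])
        entry = summary.setdefault(row["Path"], {"mode": "unknown", "opens": 0})
        entry["opens"] += 1
        if RANK[mode] > RANK[entry["mode"]]:
            entry["mode"] = mode
    return summary


# Constructed sample rows in the shape of a Procmon CSV export (not a real capture).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"6:25:02.1000000 PM","cl.exe","4120","CreateFile","C:\src\main.cpp","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
"6:25:02.1100000 PM","cl.exe","4120","CreateFile","C:\src\main.obj","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 0, OpenResult: Created"
"6:25:02.1200000 PM","cl.exe","4120","CreateFile","C:\src\missing.h","NAME NOT FOUND","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a"
"6:25:02.1300000 PM","cl.exe","4120","ReadFile","C:\src\main.cpp","SUCCESS","Offset: 0, Length: 4,096"
"6:25:02.1400000 PM","explorer.exe","1532","CreateFile","C:\Users\dev\Desktop","SUCCESS","Desired Access: Read Data/List Directory, Synchronize, Disposition: Open, Options: Directory, Synchronous IO Non-Alert, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened"
"6:25:02.1500000 PM","cl.exe","4120","CreateFile","C:\src\main.cpp","SUCCESS","Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened"
'''

if __name__ == "__main__":
    # Typical use: replace SAMPLE_CSV with open("capture.csv", newline="").read()
    for path, info in sorted(summarize_file_access(SAMPLE_CSV, "cl.exe").items()):
        print(f"{info['mode']:<6} x{info['opens']}  {path}")
```

Failed opens are skipped by default because a compiler probes many include directories that do not contain the header; passing `include_failed=True` keeps them, which is useful when the question is "where did it look" rather than "what did it read".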
11

On Windows, you can use Process Monitor to monitor process activity (I/O and registry). I guess this fits your need if you don't really want to know the system calls.

And you can use winapioverride32 to monitor API calls.

Inventive answered 14/5, 2009 at 18:14 Comment(1)
How to do this in order to modify the parameter used by a specific system call?Buttonhole
7

API Monitor by Rohitab Batra is very good for system calls.

Conversazione answered 3/7, 2013 at 15:1 Comment(0)
4

Use FileMon (now integrated into Process Monitor).

There is also NtTrace, similar to strace.

Ozan answered 14/5, 2009 at 18:16 Comment(1)
NtTrace fails on my Vista x64 with lots of "Cannot trap ... wrong signature". It hasn't been updated since 2007, though.Coastal
3

Another Windows API tracing tool: logexts.dll (part of the Debugging Tools for Windows), which can be run from inside WinDbg/ntsd/cdb or through a standalone logger.exe program.

Autocade answered 14/5, 2009 at 18:21 Comment(0)
3

Another way is to use Deviare API Hook and intercept all user-mode system calls that you want. Using this framework you can code a generic handler for all calls since the parameters can be read using COM interfaces (for example, each parameter is an INktParam, and you can get the value using INktParam.Value).

Another alternative, but it will cost some money, is to use SpyStudio from the same company. This product has a command-line option that is useful to collect logs without a GUI.

Lager answered 25/6, 2013 at 20:16 Comment(0)
0

DTRACE

I want to mention this tool that was intentionally created for monitoring system calls in Solaris but later was ported to Windows.

https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/dtrace

Unfortunately: Requires administrative privileges.

However I think it is possible to script this program to display exactly the CreateFile() syscall being executed.

Hoseahoseia answered 1/2 at 17:1 Comment(0)
-7

Use strace. Example output:

open(".", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
fcntl64(3, F_GETFD)                     = 0x1 (flags FD_CLOEXEC)
getdents64(3, /* 18 entries */, 4096)   = 496
getdents64(3, /* 0 entries */, 4096)    = 0
close(3)                                = 0
fstat64(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7f2c000
write(1, "autofs\nbackups\ncache\nflexlm\ngames"..., 86autofsA
Operatic answered 14/9, 2010 at 3:52 Comment(2)
@matt anyway, there is strace in cygwin.Piperidine
@Matt it is expected that the answer is for Windows. strace is mainly a Linux utility.Perch