File Integrity Monitor

By default, the File Integrity Monitor does not monitor changes in system folders or the file system's housekeeping files in order to not clutter task reports with information about routine file changes performed constantly by the operating system. The user cannot manually include such folders in the monitoring scope.

The following folders/files are excluded from the monitoring scope:

• NTFS housekeeping files with file id from 0 to 33
• "%SystemRoot%\\Prefetch\\"
• "%SystemRoot%\\ServiceProfiles\\LocalService\\AppData\\Local\\"
• "%SystemRoot%\\System32\\LogFiles\\Scm\\"
• "%SystemRoot%\\Microsoft.NET\\Framework\\v4.0.30319\\"
• "%SystemRoot%\\Microsoft.NET\\Framework64\\v4.0.30319\\"
• "%SystemRoot%\\Microsoft.NET\\"
• "%SystemRoot%\\System32\\config\\"
• "%SystemRoot%\\Temp\\"
• "%SystemRoot%\\ServiceProfiles\\LocalService\\"
• "%SystemRoot%\\System32\\winevt\\Logs\\"
• "%SystemRoot%\\System32\\wbem\\repository\\"
• "%SystemRoot%\\System32\\wbem\\Logs\\"
• "%ProgramData%\\Microsoft\\Windows\\WER\\ReportQueue\\"
• "%SystemRoot%\\SoftwareDistribution\\DataStore\\"
• "%SystemRoot%\\SoftwareDistribution\\DataStore\\Logs\\"
• "%ProgramData%\\Microsoft\\Windows\\AppRepository\\"
• "%ProgramData%\\Microsoft\\Search\\Data\\Applications\\Windows\\"
• "%SystemRoot%\\Logs\\SystemRestore\\"
• "%SystemRoot%\\System32\\Tasks\\Microsoft\\Windows\\TaskScheduler\\"

The application excludes top-level folders.

The component does not monitor files changes that bypass the ReFS/NTFS file system (file changes made through BIOS, LiveCD, etc.).