Mini filter performance issues while accessing network files

Hello Prasad,

I am not sure how to quantify the 6x performance degradation. At the risk of stating the obvious, from 2k8 onwards SMB2 is used for 2k8 <-> 2k8/Vista or 2k8 <-> Win7/R2. It has a redirector cache, which is normally supposed to speed up enumeration and query info operations for SMB2 clients. Is that enabled for you?

Here is a small link for your reference:

http://technet.microsoft.com/en-us/library/ff686200(v=ws.10).aspx

What kind of traffic are you seeing on your netmon/ws trace? Too many disconnects? Tree connects?

regards,
Amritanshu.

@Amritanshu, yes, you are right. If both ends (client and server) involve Windows 2008/Windows 7 machines, the degradation is much lower.

I did another experiment *without* our filter loaded. The test application gets the start tick, opens and closes the file on a network share 500 times, gets the end tick and prints the diff between end tick and start tick.

I ran the application on Windows 2008 R2 client. When the network share is hosted on Windows 2003 server, the application took around 850 ticks to complete. However, when the share is hosted on Windows 7 machine, the application took just 47 ticks to complete. That’s significant…

Thanks.
-Prasad

Welcome to the wonderful world of caching (and/or deferral).

Tony
OSR

The file server on Windows 7/Server 2008 takes advantage of a much improved oplock mechanism that allows it to cache more effectively than previous versions.

Does filter manager also release name information when last reference to the file goes away?

Yes.

Christian [MSFT]
This posting is provided “AS IS” with no warranties, and confers no rights.

Handle oplocks.

Further, in Windows 8, handle oplocks are now supported on directories; presumably this should allow caching of even more information (e.g., directory contents).

As an aside, it is interesting that while handle oplocks are supported in Windows 7, they’re actually a bit of a challenge to test as the ifs kit tests don’t actually exercise them.

Tony
OSR

Thank you all for the responses.

Unfortunately, we cannot expect all Windows machines in a network to run Vista/Windows 7(+) to benefit from the optimizations.

Hence, revisiting one of the questions that I asked earlier: Is “short names not expanded” the only difference between FLT_FILE_NAME_NORMALIZED and FLT_FILE_NAME_OPENED? In that case, can we use some heuristic? E.g., use FLT_FILE_NAME_OPENED and, if the returned path contains any tildes, then use FLT_FILE_NAME_NORMALIZED. Agreed, it will cause additional overhead for files accessed using short paths OR if the file name genuinely contains a tilde character. But at least for files that are accessed using long names, we can optimize?

Thanks.
-Prasad

Normalized names also resolve mount points.

Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.

I’m not sure how this would work with open by file ID or object ID. Of course, the simplest thing to do would be to simply try it. That’s what Ladislav’s excellent little testing tool is for - so you can open a file in various ways to see what happens, quickly and without extra programming effort.

Tony
OSR

This won’t work because not all short names have the tilde character. You would need to treat any name shorter than 8 characters as potentially a short name.

What do you use the name for?

Thanks,
Alex

Are you back?

Mm

I am, but I’m in Redmond at Plugfest.

Outstanding.

mm

@Dejan, ok, so, we may end up reporting the name without resolving mount points. I am thinking of using the heuristic only for network files.

@Tony, thanks for the pointer. I will give it a try. So you suspect that if the file is opened using file id, opened name may not return us the filename.

@Alex, are you saying that you can have long file names (that don’t fit in 8.3) whose corresponding short filename does not contain tilde character? I looked at http://en.wikipedia.org/wiki/8.3_filename and that doesn’t seem to be the case? We use the name in display and we may re-open the file with that name from our mini-filter.

Thanks.
-Prasad

Yup, that’s what I’m saying. Please don’t forget that it’s possible for a user to set the short name for a file directly as well.

In my opinion, if all you do is display the name and use it to re-open, then you can just use the opened name and not the normalized one. I view the normalized name as necessary only when you’re trying to ‘understand’ the namespace, like when you need to compare paths or possibly do things based on the path (for path-based policy and such).

Thanks,
Alex.

@Alex, thanks for pointing this out. However, I guess this is possible only if the end user explicitly sets the short name directly? If the short name is OS generated, then, it will always contain tilde (assuming that the file name doesn’t fit in 8.3) right?

My concern was actually around backward compatibility. Our filter is consumed by third parties and so far we were returning them normalized names. With the change, we will start returning opened names instead and hence I wanted to understand the differences and see if it can affect them.

We are trying to keep the deviation minimal. We are returning opened names only for network files. If the opened name contains tilde, then, we return normalized name.

Based on the discussion so far, there are a few cases which we need to worry about.

  1. An explicit short name was set which doesn’t contain a tilde and the file was originally opened using the short name. We will end up sending the short filename in this case.
  2. Mount points are not resolved. We will end up returning a path containing the mount point instead of the resolved path.
  3. If the file is opened by ID. I looked at Ladislav’s sample to open a file by ID. However, apparently, it’s not possible to open a file on the network by ID? Hence, this is probably a moot point?
  4. Any other case that you can think of?

Thanks.
-Prasad

  1. I’m not sure whether the function used by the OS to generate short names
    (RtlGenerate8dot3Name) is guaranteed to always return names containing ~. I
    can’t find anything in the documentation and the disassembly looks rather
    nasty :(, but from what I see (again, not 100% certain) it does seem to only
    generate names with ~.
  2. since you’re calling it from PostOpCreate (I assume you mean successful
    creates here) I’m not sure why you’d not see the mount points not resolved.
    I expect they’d be resolved by the IO manager by the time the IRP_MJ_CREATE
    you’re looking at was issued.
  3. as far as I can tell you can’t open a file by fileID or objectID over SMB
    (I’m looking at the 2.2.13 SMB2 CREATE Request document on MSDN ->
    http://msdn.microsoft.com/en-us/library/cc246502(v=prot.13).aspx, which
    states that for the FILE_OPEN_BY_FILE_ID create option “This bit SHOULD be
    set to 0 and the server MUST fail the request with a STATUS_NOT_SUPPORTED
    error if this bit is set.<34>” ).

Thanks,
Alex.

Thanks Alex.

Yes, we are calling it from PostOpCreate. Dejan mentioned earlier that “Normalized names also resolve mount points.” Hence, I thought that opened names do not resolve them. I will confirm this though.

Thanks.
-Prasad

RtlGenerate8dot3Name happens to always generate names with ~ in them for now. This is an implementation detail that should not be relied upon to remain true. The algorithm for generating short names has changed in the past, and may change in the future.

See the “Remarks” section of http://msdn.microsoft.com/en-us/library/windows/hardware/ff544633(v=vs.85).aspx for the definitions of what constitutes a “normalized”, “opened”, and “short” name. That section notes that mount points are not resolved in a query for FLT_FILE_NAME_OPENED. After all, the “opened name” is the name that the caller used to open the file. If the Filter Manager resolved mount points in a query for the opened name, it would no longer be the name the caller used.

Mount points do of course get resolved during the open so that the actual object being opened can be accessed, but that doesn’t have a bearing on the name string you get back when requesting the opened name from Filter Manager.

Christian [MSFT]
This posting is provided “AS IS” with no warranties, and confers no rights.
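
The gap between the tilde check proposed in this thread and the 8.3 shape of a name, as an added example (not code from any poster here and not WDK code): a user-mode C model that compares the tilde-only decision with a conservative one that treats any 8.3-shaped component as a possible short name. The function names, the `skip` prefix count and the sample paths are constructed, and the character set is an approximation, not `RtlIsNameLegalDOS8Dot3`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* True if the component has 8.3 shape: 1-8 base chars, optional 1-3 char
 * extension, at most one dot, no space/control/excluded characters.
 * Approximation for illustration only (assumption). */
static bool may_be_short_component(const char *s, size_t n)
{
    size_t base = 0, ext = 0;
    bool dot = false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') { if (dot) return false; dot = true; }
        else if (c <= 0x20 || strchr("\"*+,/:;<=>?[\\]|", c)) return false;
        else if (dot) ext++;
        else base++;
    }
    return base >= 1 && base <= 8 && (!dot || (ext >= 1 && ext <= 3));
}

/* Heuristic proposed in the thread: only a '~' triggers the normalized query. */
static bool tilde_says_normalize(const char *path)
{
    return strchr(path, '~') != NULL;
}

/* Conservative variant: any 8.3-shaped component after the first `skip`
 * components (device/server/share prefix, assumed) triggers it. */
static bool shape_says_normalize(const char *path, int skip)
{
    int idx = 0;
    while (*path) {
        size_t n = strcspn(path, "\\");
        if (n > 0 && idx++ >= skip && may_be_short_component(path, n))
            return true;
        path += n;
        if (*path == '\\') path++;
    }
    return false;
}

int main(void)
{
    /* Constructed paths; "srv" and "share" are placeholders. */
    const char *p[] = {
        "\\Device\\Mup\\srv\\share\\Quarterly Reports 2012\\summary-final.docx",
        "\\Device\\Mup\\srv\\share\\QUARTE~1\\SUMMAR~1.DOC",
        "\\Device\\Mup\\srv\\share\\Quarterly Reports 2012\\SUMMARY.DOC" };
    for (int i = 0; i < 3; i++)
        printf("tilde=%d shape=%d %s\n", tilde_says_normalize(p[i]),
               shape_says_normalize(p[i], 4), p[i]);
    return 0;
}
```

The third path is the one the tilde check misses: `SUMMARY.DOC` may be an ordinary long name or a user-set short name, and the string alone cannot tell a filter which, so the conservative check sends it to the normalized query.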

Wait, so my assumption up to this point has been that the opened name is
not exactly “the name the caller used” but rather “the name the IO
manager used when issuing the IRP_MJ_CREATE”. So for a case where you have
\Device\HarddiskVolume1\foo.txt which reparses to
\Device\HarddiskVolume2\bar.txt, the name the caller used might have been
“c:\foo~1.txt” or “\Device\HarddiskVolume1\foo~1.txt” and the opened name
for the first IRP_MJ_CREATE would be “\Device\HarddiskVolume1\foo~1.txt”
and the opened name for the second IRP_MJ_CREATE would be
“\Device\HarddiskVolume2\bar.txt”. Is this not the case?

Thanks,
Alex.

I never actually tested it with Opened, since we require Normalized for any successful Post op.

Kind regards, Dejan (MSN support: xxxxx@alfasp.com)
http://www.alfasp.com
File system audit, security and encryption kits.