
Need a handle to pagefile.sys

Bob_Kroeter Member Posts: 65
I would like to use FSCTL_GET_RETRIEVAL_POINTERS on special files that cannot be opened using CreateFile such as pagefile.sys. The intent is to send strictly this IOCTL to analyze the used clusters for statistical purposes. Is there a way to do this? If it can be done from user mode that would be ideal. Open to any other alternatives as well.

Comments

  • max_nemirovsky Member Posts: 9
    IoCreateFile(&hFile, SYNCHRONIZE, &oa, &iosb, 0, FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN, FILE_SHARE_VALID_FLAGS, FILE_OPEN, 0, 0, 0, CreateFileTypeNone, 0, IO_OPEN_PAGING_FILE);
  • OSR_Community_User Member Posts: 110,217
    Maybe wider DesiredAccess than SYNCHRONIZE will also work.

    READ_ATTRIBUTES, for instance.

    --
    Maxim S. Shatskih
    Windows DDK MVP
    xxxxx@storagecraft.com
    http://www.storagecraft.com

    <debora@te.net.ua> wrote in message news:xxxxx@ntfsd...
    > IoCreateFile(&hFile, SYNCHRONIZE, &oa, &iosb, 0, FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN, FILE_SHARE_VALID_FLAGS, FILE_OPEN, 0, 0, 0, CreateFileTypeNone, 0, IO_OPEN_PAGING_FILE);
    >
  • max_nemirovsky Member Posts: 9
    "Maybe wider DesiredAccess than SYNCHRONIZE will also work." - Yes, it will work. FSCTL_GET_RETRIEVAL_POINTERS simply accepts any valid file handle. No special permission is needed for this ioctl.
  • Bob_Kroeter Member Posts: 65
    This works, thank you. A couple followups:

    (1) I presume there is no way to do this without a driver.
    (2) Just out of curiosity, would FSCTL_MOVE_FILE on pagefile.sys be valid or not?
  • OSR_Community_User Member Posts: 110,217
    There is nothing special about pagefile.sys itself. However, you will find it is not possible to move it when it is in use as a paging file, so you will find the circumstances in which it can be moved are limited. ANY file that has been opened as a paging file will face the same restrictions (and, lest you think this is surprising, note that the trick of opening a file as a paging file to obtain its physical block locations is a trick that has been used since NT 3.1, some 17 years ago.)

    Tony
    OSR
  • max_nemirovsky Member Posts: 9
    The page file can be moved at boot time if you register your own exe at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager - BootExecute
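
The thread stops at obtaining the handle; FSCTL_GET_RETRIEVAL_POINTERS then returns a list of extents that still has to be walked to get cluster statistics. The following is an added example, not code from any poster in the thread: the rpb_* names are its own, the extent struct mirrors the Extents[] entries of RETRIEVAL_POINTERS_BUFFER with fixed-width types so it builds off Windows, and the sample extents are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Mirrors one RETRIEVAL_POINTERS_BUFFER.Extents[] entry (winioctl.h). */
typedef struct { int64_t NextVcn; int64_t Lcn; } rpb_extent;

typedef struct {
    int64_t  allocated;    /* clusters backed by a real LCN */
    int64_t  holes;        /* clusters in runs reported with Lcn == -1 */
    int64_t  largest_run;  /* longest single allocated extent, in clusters */
    uint32_t fragments;    /* physically discontiguous allocated runs */
} rpb_stats;

/* Extent i covers VCNs [previous NextVcn, NextVcn); "previous" is StartingVcn
   for i == 0. Returns 0 on success, -1 if the list is malformed. */
int rpb_summarize(int64_t starting_vcn, const rpb_extent *ext, uint32_t count,
                  rpb_stats *out)
{
    int64_t vcn = starting_vcn, expect_lcn = -1;
    rpb_stats s = {0, 0, 0, 0};
    if (starting_vcn < 0 || (count && !ext) || !out) return -1;
    for (uint32_t i = 0; i < count; i++) {
        /* VCNs must strictly increase; -1 is the only valid negative LCN */
        if (ext[i].NextVcn <= vcn || ext[i].Lcn < -1) return -1;
        int64_t len = ext[i].NextVcn - vcn;
        vcn = ext[i].NextVcn;
        if (ext[i].Lcn == -1) { s.holes += len; expect_lcn = -1; continue; }
        if (ext[i].Lcn > INT64_MAX - len) return -1;   /* run would wrap */
        if (ext[i].Lcn != expect_lcn) s.fragments++;   /* not adjacent on disk */
        s.allocated += len;
        if (len > s.largest_run) s.largest_run = len;
        expect_lcn = ext[i].Lcn + len;
    }
    *out = s;
    return 0;
}

/* Constructed sample, not captured from a real volume. */
static const rpb_extent sample_extents[] = {
    {  100, 5000 },  /* VCN 0..99    -> LCN 5000..5099 */
    {  150, 5100 },  /* VCN 100..149 -> LCN 5100..5149, adjacent to previous */
    {  200,   -1 },  /* VCN 150..199 unallocated */
    { 1000, 9000 },  /* VCN 200..999 -> LCN 9000..9799 */
};

int main(void) {
    rpb_stats st;
    if (rpb_summarize(0, sample_extents, 4, &st) != 0) return 1;
    printf("allocated=%lld holes=%lld fragments=%u\n",
           (long long)st.allocated, (long long)st.holes, st.fragments);
    return 0;
}
```

On Windows the same walk applies to the buffer the FSCTL fills in, with ExtentCount checked against the number of bytes actually returned before the loop runs.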