Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Home NTFSD
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

More Info on Driver Writing and Debugging


The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.


Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/


FILE_STANDARD_INFORMATION::field_16 and field_17?

Ladislav_ZezulaLadislav_Zezula Member - All Emails Posts: 65
Hi,

for years, the structure of FILE_STANDARD_INFORMATION is defined like this:
[code]
2: kd> dt _FILE_STANDARD_INFORMATION
ntdll!_FILE_STANDARD_INFORMATION
+0x000 AllocationSize : _LARGE_INTEGER
+0x008 EndOfFile : _LARGE_INTEGER
+0x010 NumberOfLinks : Uint4B
+0x014 DeletePending : UChar
+0x015 Directory : UChar
[/code]

However, in the wcifs.sys driver (Windows 10 17134 x86), references offsets 16 and 17 of this structure (both 1 byte size, both zeros in my test case). Does anyone know what do these fields contain?

Comments

  • Scott_Noone_(OSR)Scott_Noone_(OSR) Administrator Posts: 3,336
    FILE_STANDARD_INFORMATION_EX, from wdm.h:

    #if (_WIN32_WINNT >= _WIN32_WINNT_WINTHRESHOLD)
    typedef struct _FILE_STANDARD_INFORMATION_EX {
    LARGE_INTEGER AllocationSize;
    LARGE_INTEGER EndOfFile;
    ULONG NumberOfLinks;
    BOOLEAN DeletePending;
    BOOLEAN Directory;
    BOOLEAN AlternateStream;
    BOOLEAN MetadataAttribute;
    } FILE_STANDARD_INFORMATION_EX, *PFILE_STANDARD_INFORMATION_EX;
    #endif

    -scott
    OSR
    @OSRDrivers

    -scott
    OSR

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead!
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 15 Jun 2020 LIVE ONLINE
Writing WDF Drivers 22 June 2020 LIVE ONLINE
Internals & Software Drivers 28 Sept 2020 Dulles, VA