I would like to use FSCTL_GET_RETRIEVAL_POINTERS on special files that cannot be opened using CreateFile such as pagefile.sys. The intent is to send strictly this IOCTL to analyze the used clusters for statistical purposes. Is there a way to do this? If it can be done from user mode that would be ideal. Open to any other alternatives as well.
IoCreateFile(&hFile, SYNCHRONIZE, &oa, &iosb, 0, FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN, FILE_SHARE_VALID_FLAGS, FILE_OPEN, 0, 0, 0, CreateFileTypeNone, 0, IO_OPEN_PAGING_FILE);
Maybe wider DesiredAccess then SYNCHRONIZE will also work.
READ_ATTRIBUTES, for instance.
–
Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
wrote in message news:xxxxx@ntfsd…
> IoCreateFile(&hFile, SYNCHRONIZE, &oa, &iosb, 0, FILE_ATTRIBUTE_SYSTEM|FILE_ATTRIBUTE_HIDDEN, FILE_SHARE_VALID_FLAGS, FILE_OPEN, 0, 0, 0, CreateFileTypeNone, 0, IO_OPEN_PAGING_FILE);
>
“Maybe wider DesiredAccess then SYNCHRONIZE will also work.”-yes,will be work.simply FSCTL_GET_RETRIEVAL_POINTERS - accept any valid file handle.any special permission not need for this ioctl
This works, thank you. A couple followups:
(1) I presume there is no way to do this without a driver.
(2) Just out of curiousity would FSCTL_MOVE_FILE on pagefile.sys be valid or not?
There is nothing special about pagefile.sys itself. However, you will find it is not possible to move it when it is in use as a paging file, so you will find the circumstances in which it can be moved are limited. ANY file that has been opened as a paging file will face the same restrictions (and, lest you think this is surprising, note that the trick of opening a file as a paging file to obtain its physical block locations is a trick that has been used since NT 3.1, some 17 years ago.)
Tony
OSR
page file can be moved at boot time - if register self exe at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager - BootExecute