NTFS Metadata files

OSR_Community_User Member Posts: 110,217
Hi all,

How can I find out where the NTFS bitmap file resides?

From my driver-created system thread,
to issue FSCTL_GET_RETRIEVAL_POINTERS then, I open a file handle to
L"\\??\\<drive>:\\$Bitmap".

This fails with STATUS_ACCESS_DENIED, no matter what combinations of
DesiredAccess, FileAttributes, ShareAccess, FILE_OPEN, CreateOptions
I pass to ZwCreateFile.

Do defrag products ever move this file (and how, if the above fails), and can it consist of more than one extent?

Regards
Else

________________________________
Utimaco Safeware AG
A member of the Sophos Group
Hohemarkstr. 22
61440 Oberursel
Germany

Register court: Bad Homburg HRB 5302
WEEE reg. no.: DE39805015
Registered office: Oberursel
Board members: Steve Munford (Chairman), Jeff Babka, Malte Pollmann, Olaf Siemens
Chairman of the supervisory board: Dr. Peter Lammer

Comments

  • Scott_Noone_(OSR) Administrator Posts: 3,473
    I'm pretty sure NTFS explicitly protects this file from being opened. If you
    want to inspect it you'd probably have to dismount the volume and walk the
    structures yourself (or use an existing tool, I like the one from Runtime:
    http://www.runtime.org/diskexplorer.htm - no affiliation)

    -scott


    --
    Scott Noone
    Consulting Associate
    OSR Open Systems Resources, Inc.
    http://www.osronline.com



    -scott
    OSR
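
Walking the structures offline, as suggested in the reply above, ends with decoding the run list (mapping pairs) of the file's non-resident $DATA attribute; each decoded entry is one extent, so a list with more than one entry means the file occupies more than one extent. The following is an added example, not code from the thread or from OSR: it assumes the caller has already read the run list bytes out of the file's MFT record, and `extent_t`, `decode_runlist` and the sample bytes are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* One extent: `clusters` clusters starting at logical cluster `lcn` (-1 = sparse run). */
typedef struct { int64_t lcn; uint64_t clusters; } extent_t;
/* Constructed sample run list (not read from a real volume). */
static const uint8_t sample_runlist[] = {0x21,0x18,0x34,0x56, 0x11,0x08,0xF0, 0x00};

/* Read n (<= 8) little-endian bytes, sign-extending when asked. */
static int64_t read_le(const uint8_t *p, unsigned n, int is_signed)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    if (is_signed && n < 8 && (p[n - 1] & 0x80))
        v |= ~(uint64_t)0 << (8 * n);
    return (int64_t)v;
}

/* Decode a run list into at most `max` extents. Returns the extent count,
   or -1 if the buffer is truncated, malformed or has too many runs. */
int decode_runlist(const uint8_t *rl, size_t len, extent_t *out, int max)
{
    size_t pos = 0;
    int64_t lcn = 0;                        /* offsets are deltas from the previous run */
    int count = 0;
    while (pos < len && rl[pos] != 0x00) {  /* a 0x00 header ends the list */
        unsigned len_sz = rl[pos] & 0x0F;   /* low nibble: size of length field */
        unsigned off_sz = rl[pos] >> 4;     /* high nibble: size of offset field */
        pos++;
        if (len_sz == 0 || len_sz > 8 || off_sz > 8 || count == max) return -1;
        if (len - pos < (size_t)len_sz + off_sz) return -1;
        out[count].clusters = (uint64_t)read_le(rl + pos, len_sz, 0);
        pos += len_sz;
        if (off_sz) lcn += read_le(rl + pos, off_sz, 1);
        if (lcn < 0) return -1;
        out[count++].lcn = off_sz ? lcn : -1;
        pos += off_sz;
    }
    return pos < len ? count : -1;          /* terminator must be inside the buffer */
}

int main(void)
{
    extent_t e[8];
    int n = decode_runlist(sample_runlist, sizeof sample_runlist, e, 8);
    for (int i = 0; i < n; i++)
        printf("LCN %lld, %llu clusters\n", (long long)e[i].lcn, (unsigned long long)e[i].clusters);
    return n < 0;
}
```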

  • OSR_Community_User Member Posts: 110,217
    Hi,

    Thanks Scott, we have some code in use to do what you suggest. I wanted to avoid using it in my driver.
    With regard to possible future undocumented NTFS changes, it's error-prone.
    And it's gigantic and superfluous overhead for my purpose (just open to FSCTL_GET_RETRIEVAL_POINTERS),
    which I thought could be met by using documented APIs.

    Regards
    Else
    -----Original Message-----
    From: [email protected] [mailto:[email protected]] On Behalf Of Scott Noone
    Sent: Friday, 19 March 2010 15:02
    To: Windows System Software Devs Interest List
    Subject: Re:[ntdev] NTFS Metadata files

    I'm pretty sure NTFS explicitly protects this file from being opened. If you
    want to inspect it you'd probably have to dismount the volume and walk the
    structures yourself (or use an existing tool, I like the one from Runtime:
    http://www.runtime.org/diskexplorer.htm - no affiliation)

    -scott

