Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results
Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.More Info on Driver Writing and Debugging
The free OSR Learning Library has more than 50 articles on a wide variety of topics about writing and debugging device drivers and Minifilters. From introductory level to advanced. All the articles have been recently reviewed and updated, and are written using the clear and definitive style you've come to expect from OSR over the years.
Check out The OSR Learning Library at: https://www.osr.com/osr-learning-library/
How to send FSCTL_GET_RETRIEVAL_POINTERS for NTFS metadata files ($Mft,$Bitmap,etc.)
Alexander_Sereda
Member - All Emails Posts: 3
in NTFSD
I write a File System Minifilter Driver and during PreWrite callback I need to convert received "offset" value from file based to volume based. I need this conversion for subsequent entry to my volume log file. So I use FSCTL_GET_RETRIEVAL_POINTERS for this purposes:
FLT_PREOP_CALLBACK_STATUS
AAFsPreWrite(
__inout PFLT_CALLBACK_DATA Cbd,
__in PCFLT_RELATED_OBJECTS FltObjects,
__deref_out_opt PVOID* CompletionContext)
{
...
const PointersBufferSize = 1024;
PointersBuffer = ExAllocatePoolWithTag(PagedPool, PointersBufferSize, AAFS_TEMPORARY_POOL_TAG);
if (NULL == PointersBuffer)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
leave;
}
...
STARTING_VCN_INPUT_BUFFER StartingVcn = { 0 };
Status = FltFsControlFile(Cbd->Iopb->TargetInstance, Cbd->Iopb->TargetFileObject,
FSCTL_GET_RETRIEVAL_POINTERS, &StartingVcn, sizeof(StartingVcn), PointersBuffer, PointersBufferSize, NULL);
...
}
It works fine for any files but when I receive the write packet for metadata files like $Mft or $Bitmap I always got STATUS_INVALID_PARAMETER in FSCTL_GET_RETRIEVAL_POINTERS return value.
I've already read https://www.osronline.com/showthread.cfm?link=178462 and seems like FSCTL_GET_RETRIEVAL_POINTERS is the best way to get the LCN of NTFS metadata files, but what's wrong in my case?
FLT_PREOP_CALLBACK_STATUS
AAFsPreWrite(
__inout PFLT_CALLBACK_DATA Cbd,
__in PCFLT_RELATED_OBJECTS FltObjects,
__deref_out_opt PVOID* CompletionContext)
{
...
const PointersBufferSize = 1024;
PointersBuffer = ExAllocatePoolWithTag(PagedPool, PointersBufferSize, AAFS_TEMPORARY_POOL_TAG);
if (NULL == PointersBuffer)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
leave;
}
...
STARTING_VCN_INPUT_BUFFER StartingVcn = { 0 };
Status = FltFsControlFile(Cbd->Iopb->TargetInstance, Cbd->Iopb->TargetFileObject,
FSCTL_GET_RETRIEVAL_POINTERS, &StartingVcn, sizeof(StartingVcn), PointersBuffer, PointersBufferSize, NULL);
...
}
It works fine for any files but when I receive the write packet for metadata files like $Mft or $Bitmap I always got STATUS_INVALID_PARAMETER in FSCTL_GET_RETRIEVAL_POINTERS return value.
I've already read https://www.osronline.com/showthread.cfm?link=178462 and seems like FSCTL_GET_RETRIEVAL_POINTERS is the best way to get the LCN of NTFS metadata files, but what's wrong in my case?
Howdy, Stranger!
| Upcoming OSR Seminars | ||
|---|---|---|
| OSR has suspended in-person seminars due to the Covid-19 outbreak. But, don't miss your training! Attend via the internet instead! | ||
| Internals & Software Drivers | 19-23 June 2023 | Live, Online |
| Writing WDF Drivers | 10-14 July 2023 | Live, Online |
| Kernel Debugging | 16-20 October 2023 | Live, Online |
| Developing Minifilters | 13-17 November 2023 | Live, Online |
Comments
command:
C:\WINDOWS\system32>fsutil file queryextents c:\$mft
VCN: 0x0 Clusters: 0xc820 LCN: 0xc0000
VCN: 0xc820 Clusters: 0xc817 LCN: 0xd1e409
VCN: 0x19037 Clusters: 0xc80a LCN: 0x2adc376
VCN: 0x25841 Clusters: 0xcb2f LCN: 0x3368eb2
VCN: 0x32370 Clusters: 0xb092 LCN: 0x7b4b496
VCN: 0x3d402 Clusters: 0x69be LCN: 0x5d5db20
However, I'm not sure about your approach. You certainly are going to have
problems sending this in the paging I/O path. Even in the user path, writes
can extend so the target VCN might not have an LCN allocated for it yet.
If you need to track volume writes then you should be at the volume level.
In the past we have correlated the volume I/O to file I/O with an assist
from a file system filter.
-scott
OSR
@OSRDrivers
-scott
OSR
fsutil looks fine.. could it use some another FSCTL for queryextents command?
Since my task is about to migrate from volume level to file filter level, maybe I should just find out the moment when VCN have LCN allocated for sure? For instance, in PostWrite callback or via some postponed workitem?
VCN: 0x0 Clusters: 0xc820 LCN: 0xc0000
VCN: 0xc820 Clusters: 0xc807 LCN: 0xa2e239
VCN: 0x19027 Clusters: 0xa3d9 LCN: 0x34cde3
C:\WINDOWS\system32>fsutil file queryextents c:\$bitmap
Error: Access is denied.
C:\WINDOWS\system32>fsutil file queryextents c:\$logfile
Error: Access is denied.
Seems like fsutil (run as Administrator) works not for all metadata files.
fsutil looks fine.. could it use some another FSCTL for queryextents
command?
</QUOTE>
ProcMon will pretty much tell you how fsutil works.
<QUOTE>
Since my task is about to migrate from volume level to file filter level,
maybe I should just find out the moment when VCN have LCN allocated for
sure? For instance, in PostWrite callback or via some postponed workitem?
</QUOTE>
It's internal to the file system. I'm not sure that you could ever always
accurately track the blocks of the file unless you open it exclusive, mark
the file as immovable (FSCTL_MARK_HANDLE/MARK_HANDLE_PROTECT_CLUSTERS), and
then query.
-scott
OSR
@OSRDrivers
-scott
OSR