I’m working on a project using Win10IoT with the Universal Write Filter (UWF). For those unfamiliar with UWF, it’s a feature that redirects all write attempts on a protected volume to a virtual overlay, ensuring no modifications have been made to the protected (in this case O/S) volume across reboots. Enabling UWF disables page files, but at runtime with the UWF enabled, you can create and/or increase the page file sizes using SystemPropertiesAdvanced.exe.
After wasting time using WMI/CIM to adjust the page files, only to find out there is no way for the commit limit to increase without a reboot, I used DR. Memory’s strace tool on SystemPropertiesAdvanced.exe to try to figure out what exactly it was doing. Parsing the log, I came across the undocumented function NtCreatePagingFile, which gave me a nice:
NtCreatePagingFile
arg 0: 72/74 “\Device\HarddiskVolume2\pagefile.sys” (type=UNICODE_STRING*, size=0x4)
arg 1: (type=ULARGE_INTEGER*, size=0x4)
arg 2: (type=ULARGE_INTEGER*, size=0x4)
arg 3: 0x0 (type=unsigned int, size=0x4)
succeeded =>
retval: 0x0 (type=NTSTATUS, size=0x4)
…entry to go off of. I then wrote an application that enables the SE_CREATE_PAGEFILE_NAME privilege and tries to call NtCreatePagingFile with the appropriate NT file path. Unfortunately, the operation consistently fails with STATUS_OBJECT_NAME_NOT_FOUND. Something appears to be wrong with the “PUNICODE_STRING PageFileName” parameter. If I try something malformed, I get STATUS_OBJECT_NAME_INVALID, so it’s at least getting past the file name validation. I’ve tried ensuring the file exists, ensuring the file does not exist, altering the file’s permissions, etc. I’m afraid that I’m not sure exactly where I’m going wrong, and STATUS_OBJECT_NAME_NOT_FOUND doesn’t provide enough information for me to really dig into it further. Does anyone have any ideas?
Thank you!