I am trying to catch pagefile access with the minispy sample from WinDDK.
While playing with privileges in a usermode application (launched with administrative rights etc.), I have received operations with
pagefile and other system files like $Mft, $Bitmap…
Now I can’t repeat it. I have tested it under a few virtual machines - without any result. What can be wrong?
Driver wasn’t changed!
–
Pavel Sokolov
What do you want to achieve here?
As far as you will do operations on your file system (like file
creation/modification) I don’t see a reason that you won’t get
any $Mft and $Bitmap writes.
For pagefile writes, you can allocate a huge chunk of memory in your
application and fill it with some data and keep waiting.
Start other memory consuming applications, you should see pagefile writes
of whatever you have written in the memory (keep your physical memory less
to obtain good results).
If you are running multiple memory consuming apps, you should still see
pagefile writes.
But again, what is the problem here you want to solve?
-Deepak
2011/2/11 Pavel Sokolov
> I am trying to catch pagefile access with the minispy sample from WinDDK.
> While playing with privileges in a usermode application (launched with
> administrative rights etc.), I have received operations with pagefile and
> other system files like $Mft, $Bitmap…
> Now I can’t repeat it. I have tested it under a few virtual machines -
> without any result. What can be wrong?
> Driver wasn’t changed!
>
>
> –
> Pavel Sokolov
>
>
> What do you want to achieve here?
> As far as you will do operations on your file system (like file creation/modification) I don’t see a reason that you won’t get
> any $Mft and $Bitmap writes.
> But again, what is the problem here you want to solve?
Is it possible that I have installed the driver in a wrong way or did something else wrong?
My user app installs/uninstalls the driver every time it starts/closes.
It doesn’t copy the driver to system32 and uses it from an application folder.
–
Pavel Sokolov
Got it! That was my bug. I see pagefile, but not $LogFile or $Mft.
What was the bug? The answer might help someone in the future.
-scott
–
Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com
> What was the bug? The answer might help someone in the future.
I have waited for pagefileS.sys in the user mode app instead of pagefile.sys.
Just a typo.
–
Pavel Sokolov