Bytes missing in minifilter

Alex_Li-2 · June 25, 2008, 4:46am

Hi,
I am writting a encryption\decryption minifilter driver.I am in a trouble.

In my filter, I encrypted data in noncached prewrite, and flush & purge the whole file in cleanup operation.

I opened wordpad.exe, and write about 50 kB data, the I saved it.

The promon log is :
WORDPAD.EXE WriteFile C:\1.rtf SUCCESS Offset: 0, Length: 4,095
WORDPAD.EXE ReadFile C:\1.rtf END OF FILE Offset: 0, Length: 4,096, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
WORDPAD.EXE WriteFile C:\1.rtf SUCCESS Offset: 4,095, Length: 4,095
WORDPAD.EXE WriteFile C:\1.rtf SUCCESS Offset: 8,190, Length: 4,095
WORDPAD.EXE WriteFile C:\1.rtf SUCCESS Offset: 12,285, Length: 4,095
WORDPAD.EXE WriteFile C:\1.rtf SUCCESS Offset: 16,380, Length: 4,095
WORDPAD.EXE WriteFile C:\1.rtf SUCCESS Offset: 20,475, Length: 4,095
WORDPAD.EXE WriteFile C:\1.rtf SUCCESS Offset: 24,570, Length: 4,095
WORDPAD.EXE WriteFile C:\1.rtf SUCCESS Offset: 28,665, Length: 4,095
WORDPAD.EXE WriteFile C:\1.rtf SUCCESS Offset: 32,760, Length: 4,095
WORDPAD.EXE WriteFile C:\1.rtf SUCCESS Offset: 36,855, Length: 4,091
WORDPAD.EXE WriteFile C:\1.rtf SUCCESS Offset: 40,946, Length: 4,088
WORDPAD.EXE WriteFile C:\1.rtf SUCCESS Offset: 45,034, Length: 4,095
WORDPAD.EXE WriteFile C:\1.rtf SUCCESS Offset: 49,129, Length: 4,095
WORDPAD.EXE WriteFile C:\1.rtf SUCCESS Offset: 53,224, Length: 4,095
WORDPAD.EXE WriteFile C:\1.rtf SUCCESS Offset: 57,319, Length: 3,357
WORDPAD.EXE CloseFile C:\1.rtf SUCCESS
WORDPAD.EXE WriteFile C:\1.rtf SUCCESS Offset: 53,248, Length: 8,192, I/O Flags: Non-cached, Paging I/O, Synchronous Paging I/O
WORDPAD.EXE QueryOpen C:\1.rtf SUCCESS CreationTime: 2008-6-25 16:10:33, LastAccessTime: 2008-6-25 16:10:36, LastWriteTime: 2008-6-25 16:10:36, ChangeTime: 2008-6-25 16:10:36, AllocationSize: 65,536, EndOfFile: 61,952, FileAttributes: A
WORDPAD.EXE QueryOpen C:\1.rtf SUCCESS CreationTime: 2008-6-25 16:10:33, LastAccessTime: 2008-6-25 16:10:36, LastWriteTime: 2008-6-25 16:10:36, ChangeTime: 2008-6-25 16:10:36, AllocationSize: 65,536, EndOfFile: 61,952, FileAttributes: A

You can see, there was not nocached wirte from offset 0 to offset 53,248, so these data was not encrypted by my filter.
Where is the missing nocached write?
Thanks!

Alex_Li-2 · June 25, 2008, 10:54pm

Any help will be appreciated!
I know wordpad always create a file mapping for the file. So it can read or write data from memory directly.There may be isnot any cached read or write log in procmon.But, at the end the MM has to flush the data in memory back. There must be some paging write log in procmon.
Am I right?

David_J_Craig · June 26, 2008, 1:42am

If you know, why are you asking? I am certain that notepad.exe uses memory
mapping, but I have never heard that wordpad.exe uses that technique.

wrote in message news:xxxxx@ntfsd…
> Any help will be appreciated!
> I know wordpad always create a file mapping for the file. So it can read
> or write data from memory directly.There may be isnot any cached read or
> write log in procmon.But, at the end the MM has to flush the data in
> memory back. There must be some paging write log in procmon.
> Am I right?
>

Alex_Li-2 · June 27, 2008, 1:13am

Thanks David.
I am sorry for my stupid unstand about wordpad.
But why there wasn’t a noncached write log with offset 0?

I have fixed the problem in my filter. There is a noncached write with offset 0, issued by system.
But why I can’t see it in promon?