copy page writes to page pool?

Hi

I have a question, probably a stupid question. A user process opens and
writes to a file. In my filter driver I see the user writes and I see the
page writes which happen because of the user writes.

I am assuming I can copy the data from the user writes to page pool or non
page pool as I wish. I am assuming I can copy the data from the page
writes to non page pool.

The question is can I copy the data from page writes to non page pool? I
know that the file was written by a user mode process, and that it is not, say,
a system paging file or a registry file.

If anyone can shed any light on this question that would be very much
appreciated.

TIA - Lyndon

The question is … non page pool. Oops. This should have said page pool.
The question is whether I can copy the page writes to page pool.

TIA - Lyndon

That’s a tricky question. As long as the paging write is to a normal file, as opposed to PAGEFILE.SYS, you can copy the data to paged pool, although you must not try to copy it to a memory mapped file. However, if the write is for PAGEFILE.SYS, you cannot touch ANY pageable memory. If you break these rules, you risk deadlock in the VM system.

-----Original Message-----
From: Lyndon J. Clarke [mailto:xxxxx@gcplc.com]
Sent: Monday, November 11, 2002 9:09 AM
To: File Systems Developers
Subject: [ntfsd] Re: copy page writes to page pool?

You are currently subscribed to ntfsd as: xxxxx@inin.com
To unsubscribe send a blank email to %%email.unsub%%

Hi Rob

Thanks for a speedy and helpful answer.

> That’s a tricky question. As long as the paging write is to a normal
> file, as opposed to PAGEFILE.SYS, you can copy the data to paged pool,

Great. I was a bit confused on that point, to say the least.

> although you must not try to copy it to a memory mapped file. However,

Oh dear, I was hoping to use a memory mapped file. If it's not too much
bother, for my education, can you explain why not a memory mapped file
please.

> if the write is for PAGEFILE.SYS, you cannot touch ANY pageable memory.
> If you break these rules, you risk deadlock in the VM system.

TIA - Lyndon

Hi

Let's forget about why we can't copy to the memory mapped file. It is easy
enough for me to avoid that. Sorry to be asking a pointless question
there.

> if the write is for PAGEFILE.SYS, you cannot touch ANY pageable memory.
> If you break these rules, you risk deadlock in the VM system.

Here I could do with some advice not just for my education :wink:

So here I am in dispatch of IRP_MJ_WRITE and it's paging. Is there any way
I can tell here whether this page write is for a pagefile.sys?

It seems I can't ask the file system for the name and check this against
the names of the pagefiles, and I haven't seen IRP_MJ_CREATE for the file.

TIA - Lyndon

If your filter loads early enough, you will see PAGEFILE.SYS be opened. This can be identified by the presence of SL_OPEN_PAGING_FILE in the flags field of IRP_MJ_CREATE. Otherwise, aside from some questionable heuristics, I don’t know of a good way to identify the paging file on W2K or NT4. As for XP, you can call FsRtlIsPagingFile.

-----Original Message-----
From: Lyndon J. Clarke [mailto:xxxxx@gcplc.com]
Sent: Monday, November 11, 2002 11:22 AM
To: File Systems Developers
Subject: [ntfsd] Re: copy page writes to page pool?

I should be more explicit: SL_OPEN_PAGING_FILE is found in the flags field of the current stack location of IRP_MJ_CREATE.

-----Original Message-----
From: Fuller, Rob
Sent: Monday, November 11, 2002 12:02 PM
To: ‘File Systems Developers’
Subject: RE: [ntfsd] Re: copy page writes to page pool?

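Added example, not part of the original thread: a user-mode C model of the rule given in the replies above (record file objects opened with SL_OPEN_PAGING_FILE, then choose the pool for a paging write). The tracking table, the function names and the nonpaged-only fallback for a filter that loaded too late are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag values as defined in the WDK headers. */
#define IRP_PAGING_IO       0x00000002u /* IRP Flags */
#define SL_OPEN_PAGING_FILE 0x02u       /* stack location Flags on IRP_MJ_CREATE */

typedef enum { POOL_PAGED_OK, POOL_NONPAGED_ONLY } pool_rule;

/* Hypothetical table of file objects opened as paging files. In a driver
   the table itself would have to live in nonpaged memory. */
#define MAX_PAGEFILES 16
static const void *pagefiles[MAX_PAGEFILES];
static size_t npagefiles;
static int incomplete;  /* set if a paging-file open could not be recorded */
static int pagefile_obj, datafile_obj; /* constructed stand-ins for FILE_OBJECTs */

/* IRP_MJ_CREATE path. Returns 1 if file_object was recorded as a paging file. */
int note_create(const void *file_object, uint8_t sl_flags) {
    if (!(sl_flags & SL_OPEN_PAGING_FILE)) return 0;
    if (npagefiles == MAX_PAGEFILES) { incomplete = 1; return 0; }
    pagefiles[npagefiles++] = file_object;
    return 1;
}

/* IRP_MJ_WRITE path. loaded_early: the filter saw the boot-time creates. */
pool_rule rule_for_write(const void *file_object, uint32_t irp_flags, int loaded_early) {
    if (!(irp_flags & IRP_PAGING_IO))
        return POOL_PAGED_OK;            /* ordinary user write */
    for (size_t i = 0; i < npagefiles; i++)
        if (pagefiles[i] == file_object)
            return POOL_NONPAGED_ONLY;   /* paging write to PAGEFILE.SYS */
    /* Paging write to a file never seen opened as a paging file. If creates
       were missed, PAGEFILE.SYS cannot be ruled out; falling back to
       nonpaged-only is this example's assumption, not advice from the thread. */
    return (loaded_early && !incomplete) ? POOL_PAGED_OK : POOL_NONPAGED_ONLY;
}

int main(void) {
    note_create(&pagefile_obj, SL_OPEN_PAGING_FILE);
    note_create(&datafile_obj, 0);
    printf("pagefile: %d, data file: %d, data file (late load): %d\n",
           rule_for_write(&pagefile_obj, IRP_PAGING_IO, 1),
           rule_for_write(&datafile_obj, IRP_PAGING_IO, 1),
           rule_for_write(&datafile_obj, IRP_PAGING_IO, 0));
    return 0;
}
```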

Hi Rob

Thanks again for your response. I have to apologise that I have one more
daft question.

> If your filter loads early enough, you will see PAGEFILE.SYS be opened.

I am struggling a bit to understand the boot time load order dependencies
I would need to see this. Can you suggest what the driver needs to load
after (well the FSD I can see that :slight_smile:) and before?

Once again thanks in advance. I really appreciate your advice here.

Kind regards
Lyndon

I don’t really have the bandwidth to answer this, at least not while working my day job. Does anybody have time to enumerate the differences in load order mechanisms among the myriad versions of NT and how that relates to various file system filter designs? I understand the problem well enough to realize it would take several pages for a thorough treatment of the subject. This would be a good candidate for an NT Insider article.

-----Original Message-----
From: Lyndon J. Clarke [mailto:xxxxx@gcplc.com]
Sent: Monday, November 11, 2002 12:24 PM
To: File Systems Developers
Subject: [ntfsd] Re: copy page writes to page pool?

Hi Rob

Thanks for all your invaluable help.

Kind regards
Lyndon

If you’re more specific about the platform for which you need information about the load order mechanism, I might be able to help with that too. What’s your target platform? W2K? XP? NT4?

-----Original Message-----
From: Lyndon J. Clarke [mailto:xxxxx@gcplc.com]
Sent: Tuesday, November 12, 2002 7:53 AM
To: File Systems Developers
Subject: [ntfsd] Re: copy page writes to page pool?

Hi Rob

Thanks so much. It's W2K at the moment. We might have to port back to NT4
(yuk!) sometime.

Kind regards
Lyndon

Do you have the NT4 DDK? The best reference for the load order mechanism for legacy (i.e. non Plug and Play drivers) is in the NT4 DDK help. Look under “Programmer’s Guide”, “Chapter 1 System Initialization Overview,” “1.2 Loading Drivers,” “1.2.5 Controlling Driver Load Order.”

Paraphrasing what it says, drivers are loaded in the following order:

  1. By their Start key. Boot drivers (0x0) are started before System drivers (0x1) which are started before Auto drivers (0x2.)
  2. The first two groups, Boot and System drivers can be further ordered by assigning Group keys to each of the drivers. The registry key “\Machine\System\CurrentControlSet\Control\ServiceGroupOrder” lists the order groups of drivers will be loaded within their Start key category.
  3. Finally, the drivers in a group can be further ordered by assigning each a “Tag” key, and specifying the order in which these tagged drivers will be loaded through the “\Machine\Hardware\System\CurrentControlSet\Control\GroupOrderList” key.

Take the time to check these registry keys out. That should help make this clear.

Looking at “\Machine\System\CurrentControlSet\Control\ServiceGroupOrder” on my W2K box, a good place to load your filter may be at boot time between the “filter” and “boot file system” groups. I would insert my own group here named after my product, then make my driver a member of that group by giving it a “Group” key.

-----Original Message-----
From: Lyndon J. Clarke [mailto:xxxxx@gcplc.com]
Sent: Tuesday, November 12, 2002 10:00 AM
To: File Systems Developers
Subject: [ntfsd] Re: copy page writes to page pool?

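Added example, not part of the original thread: a small C model of the three ordering levels paraphrased above (Start, then Group position in ServiceGroupOrder, then Tag position in GroupOrderList). The driver names, the shortened group list, the tag values and the "MyProduct" group are constructed, and sorting unlisted groups and untagged drivers last is an assumption of the model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed model data; nothing here is read from a real registry. */
typedef struct { const char *name; int start; const char *group; int tag; } driver;
/* Shortened ServiceGroupOrder; "MyProduct" is a hypothetical inserted group. */
static const char *group_order[] = { "filter", "MyProduct", "boot file system", "Base" };
#define NGROUPS (sizeof group_order / sizeof group_order[0])
/* GroupOrderList entry for one group: tags in load order. */
static const char *tagged_group = "boot file system";
static const int tag_order[] = { 2, 1 };
#define NTAGS (sizeof tag_order / sizeof tag_order[0])
static driver sample[] = {                 /* tag 0 = no Tag value */
    { "sysdrv",   1, "Base",             0 },
    { "fs_a",     0, "boot file system", 1 },
    { "myfilter", 0, "MyProduct",        0 },
    { "fs_b",     0, "boot file system", 2 },
    { "lowfilt",  0, "filter",           0 },
};
#define NDRIVERS (sizeof sample / sizeof sample[0])

static size_t group_rank(const char *g) {
    for (size_t i = 0; i < NGROUPS; i++)
        if (strcmp(g, group_order[i]) == 0) return i;
    return NGROUPS;  /* assumption: unlisted groups sort last */
}
static size_t tag_rank(const driver *d) {
    if (strcmp(d->group, tagged_group) == 0)
        for (size_t i = 0; i < NTAGS; i++)
            if (d->tag == tag_order[i]) return i;
    return NTAGS;    /* assumption: untagged drivers sort last in a group */
}
static int cmp(const void *a, const void *b) {
    const driver *x = a, *y = b;
    if (x->start != y->start) return x->start - y->start;   /* 1. Start */
    size_t gx = group_rank(x->group), gy = group_rank(y->group);
    if (gx != gy) return gx < gy ? -1 : 1;                   /* 2. Group */
    size_t tx = tag_rank(x), ty = tag_rank(y);               /* 3. Tag   */
    return tx == ty ? strcmp(x->name, y->name) : (tx < ty ? -1 : 1);
}
/* Sorts the sample into load order and returns the i-th driver name. */
const char *loaded_at(size_t i) {
    qsort(sample, NDRIVERS, sizeof sample[0], cmp);
    return i < NDRIVERS ? sample[i].name : NULL;
}
int main(void) {
    for (size_t i = 0; i < NDRIVERS; i++) printf("%s\n", loaded_at(i));
    return 0;
}
```

In this model the filter in the inserted group loads after the "filter" group and before both boot file system drivers, and the Tag order puts fs_b ahead of fs_a.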

Hi Rob

Once again, many thanks for your time and guidance.

Kind regards
Lyndon