Detecting a clean shutdown

I’m writing a upper filter for disk volumes and I’d like to be able to
detect (at startup) if the system was shutdown cleanly. I’d rather not get
into file system specifics as this is a volume filter.

As part of my filter I am creating files on the volume with ZwCreateFile.
I’ve tried changing the contents of these during IRP_MJ_SHUTDOWN but these
attempts have been fruitless.

I’ve tried writing to the files, I’ve tried creating a file and I’ve tried
removing a file. These attempts result in a bugcheck in sr.sys.

So I’m looking for alternatives. I’m guessing that the shutdown is a little
too late in the day for making modifications to the file system. Is there
another reliable IRP or IOCTL I could use to change my clean shutdown flag a
little before the shutdown IRP or is there perhaps some recognised method
for detecting when a system is restarting after a crash?

Hope someone can help me onto the right track.

Thanks

Chris.

I seem to recall that, at least for NTFS, the way to check whether a volume was cleanly shut down from user mode (i.e. whether chkdsk would complain that it was needing checks after an non-kosher shutdown or not) was to use FSCTL_IS_VOLUME_DIRTY. Not sure if that is really what you want here, but perhaps it might lead you somewhere useful, if not.

  • S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Chris Hall
Sent: Friday, August 08, 2008 10:59 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Detecting a clean shutdown

I’m writing a upper filter for disk volumes and I’d like to be able to
detect (at startup) if the system was shutdown cleanly. I’d rather not get
into file system specifics as this is a volume filter.

As part of my filter I am creating files on the volume with ZwCreateFile.
I’ve tried changing the contents of these during IRP_MJ_SHUTDOWN but these
attempts have been fruitless.

I’ve tried writing to the files, I’ve tried creating a file and I’ve tried
removing a file. These attempts result in a bugcheck in sr.sys.

So I’m looking for alternatives. I’m guessing that the shutdown is a little
too late in the day for making modifications to the file system. Is there
another reliable IRP or IOCTL I could use to change my clean shutdown flag a
little before the shutdown IRP or is there perhaps some recognised method
for detecting when a system is restarting after a crash?

Hope someone can help me onto the right track.

Thanks

Chris.


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

That’s perfect. Not only can I use it, the fact that is exists has made me
re-consider this part of my design and I can defer this action to my user
mode code thus simplifying things considerably.

Many thanks for you quick response.

Chris

“Skywing” wrote in message
news:xxxxx@ntdev…
I seem to recall that, at least for NTFS, the way to check whether a volume
was cleanly shut down from user mode (i.e. whether chkdsk would complain
that it was needing checks after an non-kosher shutdown or not) was to use
FSCTL_IS_VOLUME_DIRTY. Not sure if that is really what you want here, but
perhaps it might lead you somewhere useful, if not.

- S

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Chris Hall
Sent: Friday, August 08, 2008 10:59 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Detecting a clean shutdown

I’m writing a upper filter for disk volumes and I’d like to be able to
detect (at startup) if the system was shutdown cleanly. I’d rather not get
into file system specifics as this is a volume filter.

As part of my filter I am creating files on the volume with ZwCreateFile.
I’ve tried changing the contents of these during IRP_MJ_SHUTDOWN but these
attempts have been fruitless.

I’ve tried writing to the files, I’ve tried creating a file and I’ve tried
removing a file. These attempts result in a bugcheck in sr.sys.

So I’m looking for alternatives. I’m guessing that the shutdown is a little
too late in the day for making modifications to the file system. Is there
another reliable IRP or IOCTL I could use to change my clean shutdown flag a
little before the shutdown IRP or is there perhaps some recognised method
for detecting when a system is restarting after a crash?

Hope someone can help me onto the right track.

Thanks

Chris.


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

I’d imagine that there’s nothing preventing you from sending the FSCTL from kernel mode if you wanted to, as well (and, looking now, there even seems to be some WDK documentation talking about doing that).

  • S

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Chris Hall
Sent: Friday, August 08, 2008 12:00 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Detecting a clean shutdown

That’s perfect. Not only can I use it, the fact that is exists has made me
re-consider this part of my design and I can defer this action to my user
mode code thus simplifying things considerably.

Many thanks for you quick response.

Chris

“Skywing” wrote in message
news:xxxxx@ntdev…
I seem to recall that, at least for NTFS, the way to check whether a volume
was cleanly shut down from user mode (i.e. whether chkdsk would complain
that it was needing checks after an non-kosher shutdown or not) was to use
FSCTL_IS_VOLUME_DIRTY. Not sure if that is really what you want here, but
perhaps it might lead you somewhere useful, if not.

- S

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Chris Hall
Sent: Friday, August 08, 2008 10:59 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Detecting a clean shutdown

I’m writing a upper filter for disk volumes and I’d like to be able to
detect (at startup) if the system was shutdown cleanly. I’d rather not get
into file system specifics as this is a volume filter.

As part of my filter I am creating files on the volume with ZwCreateFile.
I’ve tried changing the contents of these during IRP_MJ_SHUTDOWN but these
attempts have been fruitless.

I’ve tried writing to the files, I’ve tried creating a file and I’ve tried
removing a file. These attempts result in a bugcheck in sr.sys.

So I’m looking for alternatives. I’m guessing that the shutdown is a little
too late in the day for making modifications to the file system. Is there
another reliable IRP or IOCTL I could use to change my clean shutdown flag a
little before the shutdown IRP or is there perhaps some recognised method
for detecting when a system is restarting after a crash?

Hope someone can help me onto the right track.

Thanks

Chris.


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Any idea when the “Dirty” information gets set/cleared?

I’ve tried calling the FSCTL from user mode and it works fine but I always
get “Not Dirty” as the result even if I deliberately crash the system.

Chris

“Skywing” wrote in message
news:xxxxx@ntdev…
I’d imagine that there’s nothing preventing you from sending the FSCTL from
kernel mode if you wanted to, as well (and, looking now, there even seems to
be some WDK documentation talking about doing that).

- S

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Chris Hall
Sent: Friday, August 08, 2008 12:00 PM
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] Detecting a clean shutdown

That’s perfect. Not only can I use it, the fact that is exists has made me
re-consider this part of my design and I can defer this action to my user
mode code thus simplifying things considerably.

Many thanks for you quick response.

Chris

“Skywing” wrote in message
news:xxxxx@ntdev…
I seem to recall that, at least for NTFS, the way to check whether a volume
was cleanly shut down from user mode (i.e. whether chkdsk would complain
that it was needing checks after an non-kosher shutdown or not) was to use
FSCTL_IS_VOLUME_DIRTY. Not sure if that is really what you want here, but
perhaps it might lead you somewhere useful, if not.

- S

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Chris Hall
Sent: Friday, August 08, 2008 10:59 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Detecting a clean shutdown

I’m writing a upper filter for disk volumes and I’d like to be able to
detect (at startup) if the system was shutdown cleanly. I’d rather not get
into file system specifics as this is a volume filter.

As part of my filter I am creating files on the volume with ZwCreateFile.
I’ve tried changing the contents of these during IRP_MJ_SHUTDOWN but these
attempts have been fruitless.

I’ve tried writing to the files, I’ve tried creating a file and I’ve tried
removing a file. These attempts result in a bugcheck in sr.sys.

So I’m looking for alternatives. I’m guessing that the shutdown is a little
too late in the day for making modifications to the file system. Is there
another reliable IRP or IOCTL I could use to change my clean shutdown flag a
little before the shutdown IRP or is there perhaps some recognised method
for detecting when a system is restarting after a crash?

Hope someone can help me onto the right track.

Thanks

Chris.


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Are you testing on NTFS or FAT? The behavior is different. Look at the
fastfat driver source and see who, when, and where it gets set.

“Chris Hall” wrote in message
news:xxxxx@ntdev…
> Any idea when the “Dirty” information gets set/cleared?
>
> I’ve tried calling the FSCTL from user mode and it works fine but I always
> get “Not Dirty” as the result even if I deliberately crash the system.
>
> Chris
>
> “Skywing” wrote in message
> news:xxxxx@ntdev…
> I’d imagine that there’s nothing preventing you from sending the FSCTL
> from kernel mode if you wanted to, as well (and, looking now, there even
> seems to be some WDK documentation talking about doing that).
>
> - S
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Chris Hall
> Sent: Friday, August 08, 2008 12:00 PM
> To: Windows System Software Devs Interest List
> Subject: Re:[ntdev] Detecting a clean shutdown
>
> That’s perfect. Not only can I use it, the fact that is exists has made me
> re-consider this part of my design and I can defer this action to my user
> mode code thus simplifying things considerably.
>
> Many thanks for you quick response.
>
> Chris
>
> “Skywing” wrote in message
> news:xxxxx@ntdev…
> I seem to recall that, at least for NTFS, the way to check whether a
> volume
> was cleanly shut down from user mode (i.e. whether chkdsk would complain
> that it was needing checks after an non-kosher shutdown or not) was to use
> FSCTL_IS_VOLUME_DIRTY. Not sure if that is really what you want here, but
> perhaps it might lead you somewhere useful, if not.
>
> - S
>
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of Chris Hall
> Sent: Friday, August 08, 2008 10:59 AM
> To: Windows System Software Devs Interest List
> Subject: [ntdev] Detecting a clean shutdown
>
> I’m writing a upper filter for disk volumes and I’d like to be able to
> detect (at startup) if the system was shutdown cleanly. I’d rather not get
> into file system specifics as this is a volume filter.
>
> As part of my filter I am creating files on the volume with ZwCreateFile.
> I’ve tried changing the contents of these during IRP_MJ_SHUTDOWN but these
> attempts have been fruitless.
>
> I’ve tried writing to the files, I’ve tried creating a file and I’ve tried
> removing a file. These attempts result in a bugcheck in sr.sys.
>
> So I’m looking for alternatives. I’m guessing that the shutdown is a
> little
> too late in the day for making modifications to the file system. Is there
> another reliable IRP or IOCTL I could use to change my clean shutdown flag
> a
> little before the shutdown IRP or is there perhaps some recognised method
> for detecting when a system is restarting after a crash?
>
> Hope someone can help me onto the right track.
>
> Thanks
>
> Chris.
>
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>
>
>