Disk writes

Hello,
I would like to know if there is a way to catch all writes to local disk(s).

The question here:
are there any writes to the Disk (system disk) before the disk drivers / filters are loaded?

Thanks,
Yohai

The boot loader has a write routine, IIRC it is mainly used to write out
whether the boot loader was successful or failed. Even if you catch writes
in a filter, remember that people can do things like load the recovery
console, and unless you work at it a filter is not present there.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply


The hibernation and pagefile can be written to with a separate disk stack
and no file system involvement. This will not change other files, but it is
a disk write.


> The hibernation and pagefile can be written to with a separate disk stack
> and no file system involvement.
Pagefile? Under what circumstances?
hiberfil.sys is clearly another story, but pagefile?

----- Original Message -----
From: “David J. Craig”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Sunday, November 05, 2006 11:41 AM
Subject: Re:[ntfsd] Disk writes

> The hibernation and pagefile can be written to with a separate disk stack
> and no file system involvement. This will not change other files, but it
> is a disk write.
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@comcast.net
> To unsubscribe send a blank email to xxxxx@lists.osr.com

Crash dump writing.


Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net


BSOD for one. I don’t think the alternate stack is used for a running OS
paging activities. On reboot after a BSOD how much of the conversion of the
pagefile to the dump file occurs in the normal FS and storage stack? I
don’t know. Can a program gain access to the alternate storage stack? If
the OS can, I suspect someone will find a way.


“David J. Craig” wrote in message
news:xxxxx@ntfsd…
> BSOD for one. I don’t think the alternate stack is used for a running OS
> paging activities. On reboot after a BSOD how much of the conversion of
> the pagefile to the dump file occurs in the normal FS and storage stack?
> I don’t know. Can a program gain access to the alternate storage stack?
> If the OS can, I suspect someone will find a way.
>
The alternative stack is not activated until the BSOD, at least as of
Windows Server 2003 it was not used for anything else. I can’t speak about
hibernation, since the system I worked with did not have such a capability.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply

> Crash dump writing.
… which is not writing _into_ the pagefile anyway.
That was my point: I do not think that “pagefile can be written
to with a separate disk stack”.
On BSOD pagefile is read (to form a dump).

----- Original Message -----
From: “Skywing”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Sunday, November 05, 2006 3:43 PM
Subject: Re:[ntfsd] Re:Disk writes

> Crash dump writing.

Crash dumps are written directly to the paging file, using the physical
block offsets to the disk where the paging file resides. That is one of
the key reasons the location of the paging file is restricted (no
software striping for the boot volume.)

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of sh_alex
Sent: Sunday, November 05, 2006 7:27 PM
To: ntfsd redirect
Subject: Re: Re:[ntfsd] Re:Disk writes

> Crash dump writing.
… which is not writing _into_ the pagefile anyway.
That was my point: I do not think that “pagefile can be written
to with a separate disk stack”.
On BSOD pagefile is read (to form a dump).


Can someone explain how the crash dump writes to disk, how the stack is set up
for this (any link or document)? What happens if the HBA/Adapter driver is
causing the crash?

Thanks
Sisimon
On 11/6/06, Tony Mason wrote:
>
> Crash dumps are written directly to the paging file, using the physical
> block offsets to the disk where the paging file resides. That is one of
> the key reasons the location of the paging file is restricted (no
> software striping for the boot volume.)


GCS d+ s: a- c++++ U> B+ L++>$ w++++$ W++(+++) PGP+N+ t PS+PE++ tv+(++) b+++
G+++ e++>(++++) h-- r
Don’t know this? See http://www.geekcode.com/geek.html

> Can someone explain how the crash dump writes to disk
That’s a good question I certainly cannot answer…
How is it possible that in order to dump memory, something is
written into pagefile, which is memory?
What if there is no free space in a pagefile?
How do the pagefile contents end up in memory.dmp?

The scheme I had in mind - obviously, a wrong one - was:

  1. on BSOD freeze the OS and load an additional, independent
    and probably simplified disk/FS stack;
  2. open - using the FS - memory.dmp;
  3. copy what’s needed (registers etc.), including the contents
    of phys. memory and pagefile.sys, into the dmp.

So pagefile is being read, dmp is being written, and the stack
obviously should be brand-new because you never know what
may be not working in the “normal” stack, imagine it’s your disk
or volume or fs filter that crashed (never happens, of course:-)

What is the correct scheme?

----- Original Message -----
From: Sisimon E S
To: Windows File Systems Devs Interest List
Sent: Monday, November 06, 2006 2:35 AM
Subject: Re: Re:[ntfsd] Re:Disk writes

Can someone explain how the crash dump writes to disk, how the stack is set up
for this (any link or document)? What happens if the HBA/Adapter driver is
causing the crash?

> How is it possible that in order to dump memory, something is
> written into pagefile, which is memory?

Page file is not memory. You can consider the physical page frames as a
cache of pages from regular files( i.e. mapped files ) and from the
pagefiles( this memory usually is called anonymous, there are thread stacks
and dynamically allocated memory( including memory for paged kernel mode
code ) ). You may say that the pagefile is the part of the virtual memory,
but actually this is a backing store for anonymous pages.

> The scheme I had in mind - obviously, a wrong one - was:

The scheme that I have in mind - the system writes physical page frames to
the pagefile and rewrites on the next start to the memory.dmp file.


Slava Imameyev, xxxxx@hotmail.com

There is an entirely different set of the necessary parts of the I/O stack that are necessary to write a dump loaded into the system that is specially activated in this case.

If something in the crash dump path is buggy, you will typically see crash dumps never getting written all the way ( either due to a system hang at the blue screen or unexpected immediate reboot before the dump writing was finished ).


Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net


Slava sounds like he is right on the money… In this technet video I
watched a while back, if I remember correctly the dump is written to the
page file on crash. When the system is rebooting, it checks certain regions
in the pagefile to see if a crash dump is present. If so, smss.exe and
winlogon.exe copy the contents from the pagefile to system32 / memory.dmp
location.

IIRC there are special duplicate drivers in memory that handle the dump
write while the system is going down.

If interested, here’s the link:
http://www.microsoft.com/events/EventDetails.aspx?CMTYSvcSource=MSCOMMedia&Params=~CMTYDataSvcParams^~arg+Name%3D"ID"+Value%3D"1032298076"%2F^~arg+Name%3D"ProviderID"+Value%3D"A6B43178-497C-4225-BA42-DF595171F04C"%2F^~arg+Name%3D"lang"+Value%3D"en"%2F^~arg+Name%3D"cr"+Value%3D"US"%2F^~sParams^~%2FsParams^~%2FCMTYDataSvcParams^

I believe it goes into this matter about 25-30 mins in.

m.


> Page file is not memory.
> You may say that the pagefile is the part of the virtual memory,
That’s exactly what I meant.
The point was that pagefile contains memory pages’ contents,
and I do not expect these contents to be overwritten.
Maybe the link Matt gave will clarify things.

> If interested, here’s the link:
Interested, thanks.
Oh, it’s Mark! I am listening…

----- Original Message -----
From: “MM”
To: “Windows File Systems Devs Interest List”
Sent: Monday, November 06, 2006 10:50 AM
Subject: Re: [ntfsd] Re:Re:Disk writes


“sh_alex” wrote in message news:xxxxx@ntfsd…
>> Page file is not memory.
>> You may say that the pagefile is the part of the virtual memory,
> That’s exactly what I meant.
> The point was that pagefile contains memory pages’ contents,
> and I do not expect these contents to be overwritten.
> Maybe the link Matt gave will clarify things.
>
And what do you think is in a dump file? Mostly it is memory page
contents, so Microsoft is leveraging the fact that the page file already
has a lot of the data it needs for a dump file. This is an old and well
established concept in operating systems.


Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply