Hi Valery,
Legal method? We did everything with filter drivers. The one good
thing is that NTFS zeros the data synchronously, so we knew when we were
extending the size of the file to watch for writes of zero sectors out
the other edge of NTFS and “eliminate” them (since the client was going
to write the data to those locations in any case). Our goal (in this
case) was to speed up the allocation so we could get the block location
map back to the client, so they could write the data directly to the
shared disk.
If you have a 1GB allocation already, and you overwrite the 1GB of data
then NTFS is not going to change that allocation (there’s no requirement
that they not change it, of course, but we can rely upon the inherent
desire of file systems to provide reasonable performance, which clearly
rules out freeing and re-allocation space gratuitously.) But if you
truncate the file and then start writing 1GB of data, there is no
guarantee you will end up with the same space allocation.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Valery Boronin
Sent: Monday, May 17, 2004 10:43 PM
To: ntfsd redirect
Subject: RE: [ntfsd] does NTFS zeroing deleted files on disk?
Tony, many thanks, it’s really helpful!
I’m curious here only about
by obtaining location information from the server. One of the
optimizations we applied was to eliminate the zero-filling that NTFS
injects during file extension.)
is there any legal methods to do it? Or some hooking/patching technique
should be used for such kind of tasks?
Last Q: during rolling my own write Irps to overwrite file content, is
there guarantee that I’ll overwrite exactly disk sectors, occupied by
the file, another words, no remapping will occur if I’ll start rewriting
1Gb video from the zero offset on deletion?
Valery Boronin,
Plesk for Windows Engineer,
SWsoft, Inc.
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tony Mason
Sent: Monday, May 17, 2004 7:49 PM
To: Windows File Systems Devs Interest List
Subject: RE: [ntfsd] does NTFS zeroing deleted files on disk?
No. NTFS zeros the file on allocation, not on free. There is no C2
requirement to zero data (and indeed, if the OS crashes immediately
after an allocation but before the data is zeroed, that’s considered
acceptable as well - recovery of this type is not required until B3.)
We determined this behavior years ago when we were building
direct-to-disk SAN file system (NTFS on the server, RDR on the client,
shared media disk. We’d do direct retrieval of data from the disk by
obtaining location information from the server. One of the
optimizations we applied was to eliminate the zero-filling that NTFS
injects during file extension.)
I’m not sure what it does to the NTFS on disk structure when deleting,
that level of detail isn’t something I’ve ever studied.
Of course, the scenario you described is not the typical “deletion”
scenario. When you delete via Explorer it just does a rename into the
recycle bin. Your description (a file truncation) would return the
blocks back to the available pool of blocks and since the information
about those blocks being free is in memory, they are hot targets for
file extension. In other words, if you free the allocation from one
1GB file and then extend a different file, there’s a good probability
those blocks will be reused.
The only other thing I can think of to delete data would be
FSCTL_SET_ZERO_DATA. Some things implicitly force data deletion
(changing the compression attribute of the file, for instance).
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources Inc
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Valery Boronin
Sent: Monday, May 17, 2004 8:32 AM
To: ntfsd redirect
Subject: RE: [ntfsd] does NTFS zeroing deleted files on disk?
Hi all
sorry if my Q is not very interesting for experts, but I’m still
waiting for at least short answer or direction where to look 
also, I forget to ask what’s happens during deleting file in the NTFS
(not only on disk):
changes in the MFT, in the journaling structures, etc?
where information about file being delete could be present in the NTFS
structures ($LogFile, etc)?
and to make previous question more clother to this mailing list
profile, what about following scenario:
- there is a 1Gb file on the disk
- open + set eof to 0 + close (not delete)
- stop writing to the disk to prevent lost of file content what’s on
disk?
in case of FAT and in case of NTFS, if any difference
another words, if someone just truncate the file, does NTFS (or even
all
FSD) zeroing affected file’s part?
I know about following locations where file could be truncated or
deleted
- IRP_MJ_CREATE
- FILE_DELETE_ON_CLOSE
- FILE_OVERWRITTEN
- FILE_SUPERSEDED
- IRP_MJ_SET_INFORMATION
- FILE_DISPOSITION_INFORMATION
- FILE_END_OF_FILE_INFORMATION
- FILE_ALLOCATION_INFORMATION
- IRP_MJ_CLEANUP
- DeleteFile flag is set, we can do erasing here, of course, if it’s
last reference to file
is there any other possibility I’m not enumerated?
so, in the each above case I think that rolling my own IRP_MJ_WRITE
Irps from the VDL to the EOF will destroy file content on disk.
of course in case of IRP_MJ_CREATE I have to do everything carefully
before the FSD do overwriting / superseding.
may be it’s not the best way for the file filter to be sure that after
file is deleted, on disk it’s content is erased?
any other solutions/ideas?
Valery Boronin,
Plesk for Windows Engineer,
SWsoft, Inc.
> -----Original Message-----
> From: xxxxx@lists.osr.com
> [mailto:xxxxx@lists.osr.com] On Behalf Of
Valery Boronin
> Sent: Saturday, May 15, 2004 4:08 PM
> To: Windows File Systems Devs Interest List
> Subject: [ntfsd] does NTFS zeroing deleted files on disk?
>
> Hi all!
>
> Platform SDK: Security
> C2-level Security
>
> states:
> —
> Memory must be protected so that its contents cannot be
read after a
> process frees it. Similarly, a secure file system, such as
NTFS, must
> protect deleted files from being read.
> —
> So, question is very simple:
> when file deletion on NTFS occurs, does it means that
sectors on disk,
> occupied by file being deleted, will zeroed / wiped?
> May be it’s configurable?
>
> I know about that OS guarantee returning zeros to the
requests outside
> high-water mark (VDL) for files, but what’s about disk level?
>
> I have feeling that answer is no
> - because of erase on delete could degrade perfomance (think about
> temporary files creation/deletion, etc)
> - because of presence of many undelete / recover software on the
> market 
>
> But how in this case w2k/ntfs was certified to the C2-level?
> or rebooting to the alternate / second OS and analyzing
disks to get
> deleted files contents is OK?
>
> so, I would like to know what’s exactly happens on disk
just after IO
> Man / FS filter driver pass file delete request to the NTFS FSD.
>
> and last, is there any difference in the behaviour for the
NT4/2000+
> OSes?
>
> Valery Boronin,
> Plesk for Windows Engineer,
> SWsoft, Inc.
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@plesk.ru To
> unsubscribe send a blank email to xxxxx@lists.osr.com
>
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@osr.com To unsubscribe
send a blank email to xxxxx@lists.osr.com
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@plesk.ru To
unsubscribe send a blank email to xxxxx@lists.osr.com
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17
You are currently subscribed to ntfsd as: xxxxx@osr.com To unsubscribe
send a blank email to xxxxx@lists.osr.com