Driver dismount issue with Windows Server 2008 Datacenter x64

All,

I have a File System Filter Driver which encrypts the data. Everything works fine, but as soon as I dismount the volume or reboot the system some of the data gets corrupted.

I am using the “mountvol W: /P” utility to dismount the drive. I do get the dismount IOCTL in my driver and the drive gets dismounted.

But when I mount the drive back, data on the drive is modified, i.e. corrupted. I have break points in the WriteDispatch routine, which don’t get hit at all during dismount. I do not see any write activity in “FileMon/Process Monitor” either. But somehow data gets written to the disk.

Does anyone know what is happening here? If FileMon can’t catch this write activity and my driver cannot see the write calls, then the only way I think data is being written to the disk is by bypassing the file system. In that case the application is writing directly to the disk.

Or the FileMon driver and my driver are removed from the stack before the cache was flushed to the disk. I hardly believe that to be true, because all the drivers which perform encryption would break in that scenario.

Any help would be appreciated.

System Configuration:
Windows Server 2008 Datacenter x64

Thanks,
Rajesh

Did you see if mounting the volume generates a new device object?
Maybe you need to attach to this new device object.

What I’d be asking myself is:

  • Is it during the dismount or the mount that the corruption happens?
  • Can I set a break point on the write dispatch point of the disk driver
    (or is that what you meant below)?
  • What is the characteristic of the corruption? Is it plaintext getting
    into the file? Or is it more complicated?
  • Can I be sure that the corruption happened during dismount/mount and that
    it wasn’t there for some time and the cache had hidden it?
  • If it’s a Minifilter, can I detach the instance and then dismount?

I could certainly imagine that (for instance) NTFS might do a repair job on
its (meta)data structures during mount, but that wouldn’t corrupt contents.
I guess too that it might want to replay outstanding writes (but I would
emphasize that I don’t know this), but you will only be giving encrypted
data to NTFS, right?

Rod

Per Rod’s comment, I would be thinking along the lines that the
corruption has already occurred but the cached data masked the
corruption. You should be seeing all writes to the volume prior to dismount.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

The interesting thing is that it doesn’t happen on a Windows Server 2003 x64 system. It happens only on 2008.

To answer Rod’s questions:

  • Is it during the dismount or the mount that the corruption happens?
    Rajesh: It happens during dismount. I dismounted the volume and then booted the system with another OS. Data was corrupted. So the application which was writing data is not touching the data during mount. I guess the cache will be flushed during dismount, not mount.

  • Can I set a break point on the write dispatch point of the disk driver (or is that what you meant below)?
    Rajesh: This is what I will try to do next. Attach a Storport driver and see. I would like to see who is trying to write the data to disk.

  • What is the characteristic of the corruption? Is it plaintext getting into the file? Or is it more complicated?
    Rajesh: It’s a little complicated. I didn’t see any plaintext.

  • Can I be sure that the corruption happened during dismount/mount and that it wasn’t there for some time and the cache had hidden it?
  • If it’s a Minifilter, can I detach the instance and then dismount?
    Rajesh: It’s not a minifilter driver. I was checking the file regularly. Just before dismount I checked the file and everything was fine. The application was running fine and not complaining about the data. The application is DB2, so if it sees any corruption in cache or file it will know immediately. I added the break points in my driver, started FileMon and performed the dismount. Neither FileMon saw any activity nor did the break points in my driver get hit. I mounted the drive back; again FileMon didn’t see any activity and the break points in my driver did not get hit.

“Per Rod’s comment, I would be thinking along the lines that the corruption has already occurred but the cached data masked the corruption. You should be seeing all writes to the volume prior to dismount.”

Pete,

I was monitoring the file all the time. Just before the dismount, I started FileMon, put break points in my driver and copied the file (took a backup). I made sure no application was using the files/no handle was open before taking the backup. Then I performed the dismount.

My driver didn’t see any activity and neither did FileMon. When I mounted the volume back, the data was corrupted and DB2 was complaining about the data. I replaced the corrupted files with the backup files and everything was fine. DB2 was not complaining at all. As FileMon didn’t see any activity and my break points didn’t get hit, then who touched the file?

Is there any utility which can dump all the cache?

Even in your description, if the data is fine in the system cache but
corrupted on disk, then you wouldn’t see the corruption until the system
cache was flushed or the volume dismounted/mounted. One thing you can do
is to write an application which will grab the file before you dismount
using non-cached IO, thus bypassing the system cache. If the file you
retrieve as your backup using this application is corrupt then you know
the corruption occurred in the ‘past’.

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
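Pete’s non-cached read, as an added example that is not from this thread: a small Python/ctypes tool that opens the file with FILE_FLAG_NO_BUFFERING so the bytes come from the volume stack rather than the cache manager, then diffs them sector by sector against the cached backup copy. The Win32 read itself only runs on Windows; the 4096-byte sector size is an assumption (query the volume in practice), and the sector-aligned length and buffer address are requirements of non-cached I/O, not optional.

```python
import ctypes
import os

# Win32 constants (winnt.h/winbase.h). FILE_FLAG_NO_BUFFERING is the non-cached
# open Pete suggests: reads go to the volume stack, not the cache manager.
GENERIC_READ = 0x80000000
FILE_SHARE_READ = 0x00000001
OPEN_EXISTING = 3
FILE_FLAG_NO_BUFFERING = 0x20000000
SECTOR = 4096  # assumption: physical sector size; query the volume in practice


def round_up(n, align):
    """Non-cached reads must be a whole number of sectors long."""
    return (n + align - 1) // align * align


def aligned_buffer(size, align):
    """Over-allocate; return (buffer, offset) with buffer+offset sector-aligned,
    because the user buffer address must be aligned too for non-cached I/O."""
    raw = ctypes.create_string_buffer(size + align)
    return raw, (-ctypes.addressof(raw)) % align


def read_uncached(path, sector=SECTOR):
    """Windows only: return the on-disk bytes of `path`, bypassing the system cache."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p]
    k32.ReadFile.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_uint32,
                             ctypes.c_void_p, ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    size = os.path.getsize(path)
    h = k32.CreateFileW(path, GENERIC_READ, FILE_SHARE_READ, None,
                        OPEN_EXISTING, FILE_FLAG_NO_BUFFERING, None)
    if h == ctypes.c_void_p(-1).value:  # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        want = round_up(size, sector)
        buf, off = aligned_buffer(want, sector)
        got = ctypes.c_uint32()
        if not k32.ReadFile(h, ctypes.byref(buf, off), want, ctypes.byref(got), None):
            raise ctypes.WinError(ctypes.get_last_error())
        return buf.raw[off:off + min(got.value, size)]
    finally:
        k32.CloseHandle(h)


def differing_sectors(cached, uncached, sector=SECTOR):
    """Sector indexes where a cached copy (e.g. the backup) and on-disk bytes differ."""
    n = max(len(cached), len(uncached))
    return [i // sector for i in range(0, n, sector)
            if cached[i:i + sector] != uncached[i:i + sector]]
```

If `differing_sectors(open(backup, "rb").read(), read_uncached(path))` is non-empty before the dismount, the on-disk image already disagrees with what the cache was serving, which is the “corruption in the past” case Pete describes.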

Thanks Pete,

I will try that by writing the application. Is there any external application which can flush the system cache?

Not that is publicly available …

Pete

> Is there any utility which can dump all the cache?

FSCTL_LOCK_VOLUME

The normal dismount sequence is:

FSCTL_LOCK_VOLUME
FSCTL_DISMOUNT_VOLUME
close the handle

This is what “chkdsk /f” does. Sometimes the lock fails, and chkdsk asks the user to perform a forced dismount, namely DISMOUNT without the preceding LOCK. In this case the app’s file objects are terminated abruptly, so this is a bit dangerous.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com
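The lock/dismount/close sequence Maxim describes, as an added Python/ctypes example that is not from this thread. The FSCTL numbers are derived with the DDK CTL_CODE macro (FILE_DEVICE_FILE_SYSTEM, functions 6 and 8, METHOD_BUFFERED) rather than pasted in, and a failed FSCTL_LOCK_VOLUME is treated as “someone still has handles open” and stops there by default, since the unlocked dismount is the dangerous path; the drive letter and the `force` switch are this example’s own.

```python
import ctypes

GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
FILE_SHARE_READ, FILE_SHARE_WRITE = 0x1, 0x2
OPEN_EXISTING = 3
FILE_DEVICE_FILE_SYSTEM = 0x9
METHOD_BUFFERED, FILE_ANY_ACCESS = 0, 0


def ctl_code(device_type, function, method, access):
    """The DDK CTL_CODE macro: how the FSCTL numbers below are built."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


FSCTL_LOCK_VOLUME = ctl_code(FILE_DEVICE_FILE_SYSTEM, 6, METHOD_BUFFERED, FILE_ANY_ACCESS)
FSCTL_DISMOUNT_VOLUME = ctl_code(FILE_DEVICE_FILE_SYSTEM, 8, METHOD_BUFFERED, FILE_ANY_ACCESS)


def dismount_volume(drive_letter, force=False):
    """Windows only. Lock -> dismount -> close, the sequence Maxim describes.
    Returns "dismounted", "forced" or "lock-failed"; a lock failure means other
    handles are open and, unless force=True, we refuse the unlocked dismount
    rather than have the file system tear those file objects down."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32,
                                ctypes.c_void_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p]
    k32.DeviceIoControl.argtypes = [ctypes.c_void_p, ctypes.c_uint32, ctypes.c_void_p, ctypes.c_uint32,
                                    ctypes.c_void_p, ctypes.c_uint32, ctypes.c_void_p, ctypes.c_void_p]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    # \\.\W: opens the volume device itself, not a file on it
    h = k32.CreateFileW(r"\\.\%s:" % drive_letter, GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE, None, OPEN_EXISTING, 0, None)
    if h == ctypes.c_void_p(-1).value:  # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    returned = ctypes.c_uint32()
    try:
        locked = bool(k32.DeviceIoControl(h, FSCTL_LOCK_VOLUME, None, 0, None, 0,
                                          ctypes.byref(returned), None))
        if not locked and not force:
            return "lock-failed"  # open handles remain; do not force
        if not k32.DeviceIoControl(h, FSCTL_DISMOUNT_VOLUME, None, 0, None, 0,
                                   ctypes.byref(returned), None):
            raise ctypes.WinError(ctypes.get_last_error())
        return "dismounted" if locked else "forced"
    finally:
        k32.CloseHandle(h)  # step three: closing the handle also releases the lock
```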

> I will try that by writing the application. Is there any external application which can flush the system

SYNC by Mark Russinovich

chkdsk /f also suits.


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com

Here is the reason:

During write, DB2 is trying to write 36 bytes. On 2008, FileSize and ValidDataLength are not set in the FCB when I receive the paging I/O. Because of this I try to encrypt the whole page, though the valid data is only 36 bytes.

During read, DB2 reads the 36 bytes and I do get FileSize and ValidDataLength in the FCB during the paging I/O read. Hence the encryption and decryption go bad.

On 2003, I do receive FileSize in the FCB during the paging I/O write. So I am not sure how and when the system sets the file size in the FCB on 2008.