file data vs metadata

Hi - somewhat new to driver development, and have been trying to find the answer to the following question: which IRPs are intended to modify the data in the file (IRP_MJ_WRITE for instance) versus IRPs that only modify the file system (IRP_MJ_CLEANUP for instance)? That is, are there IRPs that modify headers within a file as a side effect (like a time or date change for creation or update time) or do all data writes flow through the IRP_MJ_WRITE mechanism?

In the future, what would be a good reference to discover this property?

Thanks!

Dave

That would be a property of the specific file system and could often be
affected by previous calls into the file system and how it interprets
those calls. For example, if you look at something like NTFS, it opens
its own MFT as a file. Thus, would you consider I/O to that to be
“meta-data” (it is NTFS meta-data) or “data in the file” (which it
certainly is)?

Small streams (where the $DATA attribute is resident) can be stored
directly in the MFT record. Would you consider the writes (which are to
the MFT) to be data (they are file data) or meta-data (they are NTFS
meta-data)?

Do you consider an EA to be meta-data, or “data in the file”? How about
alternate data streams? They ARE meta-data, but they aren’t file system
meta-data (e.g., the Zone_Identifier stream…)

So I’m curious what you’re asking and what the motivation is for asking
it, since that may impact the answer that you get, although I suspect
the answer you get back is going to be “oh, you can’t tell the
difference at that level.” Ergo, the question is not nearly as well
defined as you might believe that it is (or should be.)

Tony
OSR

Yes, I see your point(s). Perhaps I should try to descope the problem a bit. Let’s consider just NTFS for argument’s sake, and let’s just consider what we may term ‘application’ files as opposed to ‘system’ files. I’m not sure if that distinction makes sense, but I’ll follow the supposition a bit to see where it leads.

If I run a test of creating a document in MS Word, typing in a bit of text to the document and saving it, I get on the order of 367 IRP messages related to that action. Of these, there are two IRP_MJ_WRITE messages processed. When creating an “empty” document, there are essentially the same set of IRPs. When saving an empty document with notepad, there are no WRITE IRPs; they only show up when there’s actual content.

An empty WORD file is 11KB, an empty notepad file is 0KB, so at least that is consistent with observations. I should dump the notepad file with hexedit or something to see if it is really empty.

Word has a saving mechanism where it (simplistic version…) writes to a
temporary file, deletes the original then renames the temporary to the
actual file (there’s more steps than that which I’m sure are in the
archives).

Notepad uses memory mapping so has different behaviour again (look in
the archives again - most of the encryption threads start with an
attempt to use notepad and the associated problems).

How would you differentiate between an ‘application’ file and ‘system’
file in a filter driver?

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@sparta.com
Sent: 10 November 2008 19:38
To: Windows File Systems Devs Interest List
Subject: RE:[ntfsd] file data vs metadata

Yes, I see your point(s). Perhaps I should try to descope the problem a
bit. Let’s consider just NTFS for argument’s sake, and let’s just
consider what we may term ‘application’ files as opposed to ‘system’
files. I’m not sure if that distinction makes sense, but I’ll follow the
supposition a bit to see where it leads.

If I run a test of creating a document in MS Word, typing in a bit of
text to the document and saving it, I get on the order of 367 IRP
messages related to that action. Of these, there are two IRP_MJ_WRITE
messages processed. When creating an “empty” document, there are
essentially the same set of IRPs. When saving an empty document with
notepad, there are no WRITE IRPs; they only show up when there’s actual
content.

An empty WORD file is 11KB, an empty notepad file is 0KB, so at least
that is consistent with observations. I should dump the notepad file
with hexedit or something to see if it is really empty.

