_file_object->SectionObjectPointers always null?

Here’s some debugger output

lkd> !handle 0 1 86460020 File
processor number 0, process 86460020
Searching for handles of type File
PROCESS 86460020 SessionId: 0 Cid: 0b0c Peb: 7ffd7000 ParentCid: 01a4
DirBase: 0a900580 ObjectTable: e4b7d358 HandleCount: 591.
Image: devenv.exe
Handle table at e5ddb000 with 591 Entries in use
000c: Object: 8712d8b0 GrantedAccess: 00100020 (Inherit)
0010: Object: 88e11288 GrantedAccess: 00100020
004c: Object: 884c5028 GrantedAccess: 00100001
0054: Object: 860fa3c0 GrantedAccess: 00100020

lkd> dt nt!_file_object 8712d8b0
+0x000 Type : 5
+0x002 Size : 112
+0x004 DeviceObject : 0x8a30cc98 _DEVICE_OBJECT
+0x008 Vpb : 0x8a34f320 _VPB
+0x00c FsContext : 0xe46d90d0
+0x010 FsContext2 : 0xe46d9268
+0x014 SectionObjectPointer : (null)
+0x018 PrivateCacheMap : (null)
+0x01c FinalStatus : 0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ‘’
+0x025 DeletePending : 0 ‘’
+0x026 ReadAccess : 0x1 ‘’
+0x027 WriteAccess : 0 ‘’
+0x028 DeleteAccess : 0 ‘’
+0x029 SharedRead : 0x1 ‘’
+0x02a SharedWrite : 0x1 ‘’
+0x02b SharedDelete : 0 ‘’
+0x02c Flags : 0x40002
+0x030 FileName : _UNICODE_STRING “\Program Files\Microsoft Visual Studio 8\Common7\IDE”
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
+0x040 Waiters : 0
+0x044 Busy : 0
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)
Notice SectionObjectPointers is null. This happens on every single file I try to view. Why is this?

Hello Zach

I believe that field is meant only for Memory Mapped Files. I ran the same
command for a Mapped Registry hive and the SectionObjectPointer field was
populated for that one.

kd> !handle 0 f File

0154: Object: e1303968 GrantedAccess: 0002001f Entry: e10022a8
Object: e1303968 Type: (81fa0558) Key
ObjectHeader: e1303950 (old version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name:
\REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\VIDEO{4323FD22-BCC2-4F86-A974-1AA92F12ACFF}\0000\VOLATILESETTINGS

kd> dt nt!_FILE_OBJECT e1303968
+0x000 Type : 12338
+0x002 Size : 27513
+0x004 DeviceObject : 0xe13ecea8 _DEVICE_OBJECT
+0x008 Vpb : (null)
+0x00c FsContext : 0x00000004
+0x010 FsContext2 : (null)
* +0x014 SectionObjectPointer : 0x0079006c _SECTION_OBJECT_POINTERS*
+0x018 PrivateCacheMap : 0x00360020
+0x01c FinalStatus : 5046304
+0x020 RelatedFileObject : 0x0064006f _FILE_OBJECT
+0x024 LockOperation : 0x65 ‘e’
+0x025 DeletePending : 0 ‘’
+0x026 ReadAccess : 0x6c ‘l’
+0x027 WriteAccess : 0 ‘’
+0x028 DeleteAccess : 0x20 ’ '
+0x029 SharedRead : 0 ‘’
+0x02a SharedWrite : 0x31 ‘1’
+0x02b SharedDelete : 0 ‘’
+0x02c Flags : 0x200034
+0x030 FileName : _UNICODE_STRING “— memory read error at
address 0x00700065 —”
+0x038 CurrentByteOffset : _LARGE_INTEGER 0xe13039a4`00690070
+0x040 Waiters : 0xe13039a4
+0x044 Busy : 0x180000
+0x048 LastLock : 0x0001040f
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)

On Sat, Jul 12, 2008 at 10:05 PM, Zach Turner wrote:

> Here’s some debugger output
>
> lkd> !handle 0 1 86460020 File
> processor number 0, process 86460020
> Searching for handles of type File
> PROCESS 86460020 SessionId: 0 Cid: 0b0c Peb: 7ffd7000 ParentCid: 01a4
> DirBase: 0a900580 ObjectTable: e4b7d358 HandleCount: 591.
> Image: devenv.exe
> Handle table at e5ddb000 with 591 Entries in use
> 000c: Object: 8712d8b0 GrantedAccess: 00100020 (Inherit)
> 0010: Object: 88e11288 GrantedAccess: 00100020
> 004c: Object: 884c5028 GrantedAccess: 00100001
> 0054: Object: 860fa3c0 GrantedAccess: 00100020
>
> …
>
> lkd> dt nt!_file_object 8712d8b0
> +0x000 Type : 5
> +0x002 Size : 112
> +0x004 DeviceObject : 0x8a30cc98 _DEVICE_OBJECT
> +0x008 Vpb : 0x8a34f320 _VPB
> +0x00c FsContext : 0xe46d90d0
> +0x010 FsContext2 : 0xe46d9268
> +0x014 SectionObjectPointer : (null)
> +0x018 PrivateCacheMap : (null)
> +0x01c FinalStatus : 0
> +0x020 RelatedFileObject : (null)
> +0x024 LockOperation : 0 ‘’
> +0x025 DeletePending : 0 ‘’
> +0x026 ReadAccess : 0x1 ‘’
> +0x027 WriteAccess : 0 ‘’
> +0x028 DeleteAccess : 0 ‘’
> +0x029 SharedRead : 0x1 ‘’
> +0x02a SharedWrite : 0x1 ‘’
> +0x02b SharedDelete : 0 ‘’
> +0x02c Flags : 0x40002
> +0x030 FileName : _UNICODE_STRING “\Program Files\Microsoft
> Visual Studio 8\Common7\IDE”
> +0x038 CurrentByteOffset : _LARGE_INTEGER 0x0
> +0x040 Waiters : 0
> +0x044 Busy : 0
> +0x048 LastLock : (null)
> +0x04c Lock : _KEVENT
> +0x05c Event : _KEVENT
> +0x06c CompletionContext : (null)
> Notice SectionObjectPointers is null. This happens on every single file I
> try to view. Why is this?


Thanks & Regards
Pushkar Prasad
http://www.eccellente-it.com

“A positive attitude may not solve all your problems, but it will annoy
enough people to make it worth the effort.” -Herm Albright
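
Added example, not part of either post above: a sanity check over `dt nt!_FILE_OBJECT` output that tests whether the memory being overlaid looks like a file object at all, using the Type and Size header values shown in the first dump (5 and 112) and decoding small pointer-like values as UTF-16 text. The function names and the trimmed sample dumps are constructed for illustration; the second sample uses the values from the dump whose `!handle` line reports the object type as Key.

```python
import re

# Constructed sample input: fields copied from the thread's two dumps, trimmed.
DUMP_FILE = """+0x000 Type : 5
+0x002 Size : 112
+0x014 SectionObjectPointer : (null)
+0x018 PrivateCacheMap : (null)
+0x020 RelatedFileObject : (null)"""
DUMP_KEY = """+0x000 Type : 12338
+0x002 Size : 27513
+0x014 SectionObjectPointer : 0x0079006c _SECTION_OBJECT_POINTERS
+0x018 PrivateCacheMap : 0x00360020
+0x020 RelatedFileObject : 0x0064006f _FILE_OBJECT"""

IO_TYPE_FILE = 5          # Type value of a genuine file object (as in the first dump)
FILE_OBJECT_SIZE = 0x70   # 112 bytes on this x86 build: last field +0x06c plus 4
POINTER_FIELDS = ("SectionObjectPointer", "PrivateCacheMap", "RelatedFileObject")
FIELD_RE = re.compile(r"\+0x[0-9a-f]+\s+(\w+)\s*:\s*(\S+)")

def parse_dt(text):
    """Map each field name in `dt` output to its first value token."""
    return {m.group(1): m.group(2) for m in map(FIELD_RE.search, text.splitlines()) if m}

def as_int(token):
    """Convert a dt value token ('(null)', decimal, or 0x hex) to an int."""
    if token == "(null)":
        return 0
    return int(token, 16) if token.lower().startswith("0x") else int(token)

def utf16_text(value):
    """Return the two characters if a 32-bit value is printable UTF-16LE, else None."""
    try:
        s = value.to_bytes(4, "little").decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return s if all(0x20 <= ord(c) < 0x7F for c in s) else None

def check_file_object(text):
    """List reasons the dumped memory does not look like a FILE_OBJECT."""
    f, findings = parse_dt(text), []
    if as_int(f["Type"]) != IO_TYPE_FILE:
        findings.append(f"Type is {f['Type']}, expected {IO_TYPE_FILE}")
    if as_int(f["Size"]) != FILE_OBJECT_SIZE:
        findings.append(f"Size is {f['Size']}, expected {FILE_OBJECT_SIZE}")
    for name in POINTER_FIELDS:
        value = as_int(f[name])
        text16 = utf16_text(value)
        if text16 is not None:
            findings.append(f"{name} 0x{value:08x} reads as UTF-16 text {text16!r}")
    return findings
```

Running `check_file_object` on a dump before trusting any individual field shows whether `dt` was pointed at the object type it assumes.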