How can I flush cache entirely

OSR_Community_User · January 19, 2008, 9:27am

I’m developing a encryption/decryption filter driver. Inorder to clear the cache after close a file handle. I reopen this file with no buffering mode and flush the buffer in an user mode application,

HANDLE hFile = CreateFile(File,
GENERIC_WRITE, 0,
NULL,
OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL|FILE_FLAG_NO_BUFFERING,
NULL);

FlushFileBuffers(hFile);
…

It works fine in usual, except that with anti virus software, such as Norton.
It seems that AV software have his own cache. Any help is appreciated.

OSR_Community_User · January 19, 2008, 10:00am

Prediction - there is already more than one response inbound to your query
telling you
to reboot the system…

You can’t guarantee the cache will ever be flushed fully. This is a lost
cause. Even with a reboot, I’m sure data would still be present on disk
(page file).

If security is absolute with your customers, I’d suggest MP’s with mini’s.

Regards,

Matt

----- Original Message -----
From:
To: “Windows File Systems Devs Interest List”
Sent: Saturday, January 19, 2008 8:28 AM
Subject: [ntfsd] How can I flush cache entirely

> I’m developing a encryption/decryption filter driver. Inorder to clear the
> cache after close a file handle. I reopen this file with no buffering mode
> and flush the buffer in an user mode application,
>
> HANDLE hFile = CreateFile(File,
> GENERIC_WRITE, 0,
> NULL,
> OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL|FILE_FLAG_NO_BUFFERING,
> NULL);
>
> FlushFileBuffers(hFile);
> …
>
> It works fine in usual, except that with anti virus software, such as
> Norton.
> It seems that AV software have his own cache. Any help is appreciated.
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> You are currently subscribed to ntfsd as: matt-martin@tx.rr.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

OSR_Community_User · January 19, 2008, 1:20pm

> Prediction - there is already more than one response inbound to your query

telling you
to reboot the system…

Remount is the solution, but remount of SystemRoot and of some other volumes
(any one with a pagefile, for instance) means reboot.

–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

OSR_Community_User · January 19, 2008, 2:01pm

Which leads to the question of why would anyone want to encrypt the system’s
partition? I know of one company that decided this would be a good idea on
all systems (workstations, webservers, ect.) - however in a short time they
learned a hard lesson; against all advice ‘recovery console’ and other tools
wouldn’t work.

In an enviroment with near a hundred thousand machines… this turned
laughable! Management’s great idea of everything would be secure if
everything was encrpted turned to crap in two weeks.

Funny,

Matt

----- Original Message -----
From: “Maxim S. Shatskih”
Newsgroups: ntfsd
To: “Windows File Systems Devs Interest List”
Sent: Saturday, January 19, 2008 12:20 PM
Subject: Re:[ntfsd] How can I flush cache entirely

>> Prediction - there is already more than one response inbound to your
>> query
>> telling you
>> to reboot the system…
>
> Remount is the solution, but remount of SystemRoot and of some other
> volumes
> (any one with a pagefile, for instance) means reboot.
>
> –
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> You are currently subscribed to ntfsd as: matt-martin@tx.rr.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

OSR_Community_User · January 19, 2008, 4:45pm

In some cases, particularly notebooks, companies are getting their
lights put out because of unencrypted volumes that have 3 social
security numbers or the like on them. I don’t know if this is why this
dev is doing this, but some places this is just the way it is. It’s
extremely silly, but it beats getting sued, and in the case of
notebooks, it is very unwise to trust in places where it matters that
people won’t put what they aren’t supposed to put on one. That being
said, doing it in house, unless you are among a very select few, is not
a very good idea.

mm

Matthew Martin wrote:

Which leads to the question of why would anyone want to encrypt the
system’s partition? I know of one company that decided this would be a
good idea on all systems (workstations, webservers, ect.) - however in a
short time they learned a hard lesson; against all advice ‘recovery
console’ and other tools wouldn’t work.

In an enviroment with near a hundred thousand machines… this turned
laughable! Management’s great idea of everything would be secure if
everything was encrpted turned to crap in two weeks.

Funny,

Matt

----- Original Message ----- From: “Maxim S. Shatskih”

> Newsgroups: ntfsd
> To: “Windows File Systems Devs Interest List”
> Sent: Saturday, January 19, 2008 12:20 PM
> Subject: Re:[ntfsd] How can I flush cache entirely
>
>
>>> Prediction - there is already more than one response inbound to your
>>> query
>>> telling you
>>> to reboot the system…
>>
>> Remount is the solution, but remount of SystemRoot and of some other
>> volumes
>> (any one with a pagefile, for instance) means reboot.
>>
>> –
>> Maxim Shatskih, Windows DDK MVP
>> StorageCraft Corporation
>> xxxxx@storagecraft.com
>> http://www.storagecraft.com
>>
>>
>> —
>> NTFSD is sponsored by OSR
>>
>> For our schedule debugging and file system seminars
>> (including our new fs mini-filter seminar) visit:
>> http://www.osr.com/seminars
>>
>> You are currently subscribed to ntfsd as: matt-martin@tx.rr.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>
>

OSR_Community_User · January 21, 2008, 6:45pm

Martin O’Brien wrote:

In some cases, particularly notebooks, companies are getting their
lights put out because of unencrypted volumes that have 3 social
security numbers or the like on them. I don’t know if this is why this

Well a company that lets a laptop out of the building with sensitive
data on it probably deserves it (it’s not like VPNs are unusual
technology, and certificates and be revoked in a second. Not trusting
people is what automatic dismissal policies are for… they won’t do it
twice…).

When the ‘company’ is the ministry of defence (as in the news *again*
today) I think we’re fighting a losing battle though.

Tony

Slava_Imameyev · January 22, 2008, 7:26am

>I’m sure data would still be present on disk

Pages for cached and mapped files are never written to page file - this is
impossible, because such pages are backed( through a segment object ) by a
file which is cached but not a pagefile.

–
Slava Imameyev, xxxxx@hotmail.com

“Matthew Martin” wrote in message
news:xxxxx@ntfsd…
> Prediction - there is already more than one response inbound to your query
> telling you
> to reboot the system…
>
> You can’t guarantee the cache will ever be flushed fully. This is a lost
> cause. Even with a reboot, I’m sure data would still be present on disk
> (page file).
>
> If security is absolute with your customers, I’d suggest MP’s with mini’s.
>
> Regards,
>
> Matt
>
>
> ----- Original Message -----
> From:
> To: “Windows File Systems Devs Interest List”
> Sent: Saturday, January 19, 2008 8:28 AM
> Subject: [ntfsd] How can I flush cache entirely
>
>
>> I’m developing a encryption/decryption filter driver. Inorder to clear
>> the cache after close a file handle. I reopen this file with no buffering
>> mode and flush the buffer in an user mode application,
>>
>> HANDLE hFile = CreateFile(File,
>> GENERIC_WRITE, 0,
>> NULL,
>> OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL|FILE_FLAG_NO_BUFFERING,
>> NULL);
>>
>> FlushFileBuffers(hFile);
>> …
>>
>> It works fine in usual, except that with anti virus software, such as
>> Norton.
>> It seems that AV software have his own cache. Any help is appreciated.
>>
>> —
>> NTFSD is sponsored by OSR
>>
>> For our schedule debugging and file system seminars
>> (including our new fs mini-filter seminar) visit:
>> http://www.osr.com/seminars
>>
>> You are currently subscribed to ntfsd as: matt-martin@tx.rr.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com
>>
>
>

Slava_Imameyev · January 22, 2008, 7:35am

> Inorder to clear the cache after close a file handle

…
It works fine in usual, except that with anti virus software, such as
Norton.
It seems that AV software have his own cache. Any help is appreciated.

When you flush the cached data you validate data on disk, but in many cases
this doesn’t purge physical pages( or page frames ) which have been used to
cache the file and if there is an application which maps the file then it
shares these pages with the cache - you can’t purge this pages.

–
Slava Imameyev, xxxxx@hotmail.com

wrote in message news:xxxxx@ntfsd…
> I’m developing a encryption/decryption filter driver. Inorder to clear the
> cache after close a file handle. I reopen this file with no buffering mode
> and flush the buffer in an user mode application,
>
> HANDLE hFile = CreateFile(File,
> GENERIC_WRITE, 0,
> NULL,
> OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL|FILE_FLAG_NO_BUFFERING,
> NULL);
>
> FlushFileBuffers(hFile);
> …
>
> It works fine in usual, except that with anti virus software, such as
> Norton.
> It seems that AV software have his own cache. Any help is appreciated.
>