How to filter disk I/O when the system is crashing?

Hello,
I want to catch disk I/O when the system is crashing (BSOD).

AFAIK, this is undocumented territory. When the system is crashing, it uses another driver stack and a copy of the miniport driver to perform disk I/O. If I am not right, correct me.

On my Windows XP SP2, the system uses a copy of the miniport driver atapi.sys, prefixed with dump_, and a related driver to perform disk I/O on BSOD.

So my problem is how to filter disk I/O on BSOD. Is there any other device stack for my filter driver to filter disk I/O? If so, can I insert my filter driver into this stack? If not, what can I do, and how?

The dump stack is not a PnP stack. That means there is no formal filtering model, nor a model really where you can insert yourself cleanly. What do you want to do with such a filter?

d

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@live.com
Sent: Monday, June 30, 2008 7:23 PM
To: Windows System Software Devs Interest List
Subject: [ntdev] How to filter disk IO when system is crashing ?


NTDEV is sponsored by OSR

For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Hello, Doron Holan:
AFAIK, when the system is crashing, if it’s configured, the system will write the dump file into pagefile.sys.
When the system reboots, it will generate the dump file using the information from pagefile.sys.

I want to redirect write operations from one sector to another.

As far as I know, the only way to do this is to have your driver be the dump
driver. (Note that Vista actually supports dump stack filter drivers, but
this support is undocumented and irrelevant to XP, which does not support
this feature.) In your case you would have to be atapi.sys. This does not
seem like a great idea for a real product. As usually happens here, you have
asked us how to implement some truly odd solution to an unstated problem, in
your case with the only hint being ‘I need to change the LBAs’. Perhaps you
might want to elaborate on why you think you need to change the sector
addresses of the page file as it is being written out when the system
crashes.

On Tue, Jul 1, 2008 at 12:05 AM, wrote:

> Hello, Doron Holan:
> AFAIK, when the system is crashing, if it’s configured, the system will write
> the dump file into pagefile.sys.
> When the system reboots, it will generate the dump file using the information
> from pagefile.sys.
>
> I want to redirect write operations from one sector to another.


Mark Roddy

No documented ways, but I saw some open-source code (disk encryption?
forgot this) which uses the Load Image callbacks to catch the dump instance
load of the ATAPI and then hooks some function pointers in it.


Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com
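
As an added example (not part of the thread and not any poster's code): the thread notes that the crash-dump path loads a copy of the miniport named with a `dump_` prefix, and that a load-image callback can notice that load. The portable user-mode C below shows only the name-matching step, for instance to log when a dump-stack copy appears; the function names and sample paths are constructed, and case-insensitive matching is an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Return the file-name part of an NT or DOS style path. */
static const char *base_name(const char *path)
{
    const char *base = path;
    for (const char *p = path; *p; ++p)
        if (*p == '\\' || *p == '/')
            base = p + 1;
    return base;
}

/*
 * If `path` names a dump-stack copy ("dump_<name>"), copy <name> into
 * `orig` and return 1; otherwise return 0. Only the file name is tested,
 * so a directory called "dump_..." does not match.
 */
int dump_copy_of(const char *path, char *orig, size_t orig_len)
{
    static const char prefix[] = "dump_";
    const char *name = base_name(path);
    size_t i;

    for (i = 0; prefix[i]; ++i)   /* stops at name's NUL, never past it */
        if (tolower((unsigned char)name[i]) != prefix[i])
            return 0;
    name += i;
    if (*name == '\0' || strlen(name) >= orig_len)
        return 0;                 /* bare "dump_" or buffer too small */
    strcpy(orig, name);
    return 1;
}

int main(void)
{
    /* Constructed sample paths, not captured from a real system. */
    const char *samples[] = {
        "\\SystemRoot\\System32\\Drivers\\dump_atapi.sys",
        "\\SystemRoot\\System32\\Drivers\\atapi.sys",
        "\\Device\\dump_dir\\driver.sys",
    };
    char orig[64];
    for (size_t i = 0; i < sizeof samples / sizeof *samples; ++i)
        printf("%-48s %s\n", samples[i],
               dump_copy_of(samples[i], orig, sizeof orig) ? orig : "-");
    return 0;
}
```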


‘KeDumpCheckIoCallback’ sounds like it might do what you want, though it reads like it would only allow you to make a copy of the dump file, not relocate the original, if that’s what you wish. Also, running at IRQL == HIGH_LEVEL would certainly limit your options.

That being said, Mark knows a whole lot more about this than I do, so I suspect I’m missing something.

Good luck,

mm


Max is right. This is the way I did it in my driver, and it runs very well on
both XP and Vista.

On Tue, Jul 1, 2008 at 2:44 PM, Maxim S. Shatskih
wrote:

> No documented ways, but I saw some open-source code (disk encryption?
> forgot this) which uses the Load Image callbacks to catch the dump instance
> load of the ATAPI and then hooks some function pointers in it.