How to get the information about who opened the files on a volume?

I lock a volume through the FSCTL_LOCK_VOLUME IoControl. Sometimes it fails because there are some open files on it.
I want to know who opened the files on this volume.

windbg and handle from sysinternals should tell you which file is open

i plugged in a usb mass storage device and did

!driveinfo g:
!devobj (you will get a ref count it was 11 for me when no files were open)
!vpb on again ref count was 11

now opened a cmd prompt cd g: created a dir and created a text file
in that directory and opened it in edit.com

came back to lkd
did a !devobj and !vpb (ref count increased by 1)

and used sysinternals handle -a from windbg

an output below

lkd> !driveinfo g:
Drive g:, DriveObject e15d7460
Directory Object: e10054f8 Name: G:
Target String is '\Device\Harddisk2\DP(1)0-0+c'
Drive Letter Index is 7 (G:)
Volume DevObj: 86bca4a0
Vpb: 85c27828 DeviceObject: 863e9020
FileSystem: \FileSystem\Ntfs
Cannot get ntfs!VOLUME_DEVICE_OBJECT.Vcb @ 863e9020
lkd> !devobj 86bca4a0
Device object (86bca4a0) is for:
DP(1)0-0+c \Driver\Disk DriverObject 86d5e690
Current Irp 00000000 RefCount 12 Type 00000007 Flags 00003050
Vpb 85c27828 Dacl e10221c4 DevExt 86bca558 DevObjExt 86bca808 Dope 86cb75a0 DevNode 8640e220
ExtensionFlags (0000000000)
Device queue is not busy.
lkd> !vpb 85c27828
Vpb at 0x85c27828
Flags: 0x1 mounted
DeviceObject: 0x863e9020
RealDevice: 0x86bca4a0
RefCount: 12
Volume Label:
lkd> .shell F:\SysinternalsSuite\handle -a harddisk2
<.shell waiting 1 second(s) for process>

Handle v3.41
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

System pid: 4 272C: \Device\Harddisk2
cmd.exe pid: 188 C: \Device\Harddisk2\DP(1)0-0+c\checkfsctlforbillywu
ntvdm.exe pid: 3876 D8: \Device\Harddisk2\DP(1)0-0+c\CHECKF~1
.shell: Process exited
Press ENTER to continue

also trying to populate the volumeinfo using dmadmin gives an
access_denied in procmon output

Date & Time: 16/05/2012 19:13:55
Event Class: File System
Operation: IRP_MJ_FILE_SYSTEM_CONTROL
Result: ACCESS DENIED
Path: G:
TID: 3232
Duration: 0.0093915
Control: FSCTL_LOCK_VOLUME

see if that helps

On 5/16/12, xxxxx@gmail.com wrote:
> I lock a volume through FSCTL_LOCK_VOLUME IoControl. sometimes it is failed
> since there are some open files on it.
> I want to know who opened the files on this volume.
>
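
Added example (not part of the original posts): a small parser for `handle -a` output in the layout shown above, which lists the processes holding handles on objects beneath a volume device, i.e. the candidates for a failing FSCTL_LOCK_VOLUME. The sample text is constructed from the handle lines in the post, with one path wrapped onto its own line as mail clients tend to do; the function names and the assumption that image names contain no spaces are mine.

```python
import re
from collections import defaultdict

# Constructed sample: the handle lines from the post, one path wrapped
# onto a second line the way a mail client would wrap it.
SAMPLE = r"""
Handle v3.41
Copyright (C) 1997-2008 Mark Russinovich
Sysinternals - www.sysinternals.com

System pid: 4 272C: \Device\Harddisk2
cmd.exe pid: 188 C:
\Device\Harddisk2\DP(1)0-0+c\checkfsctlforbillywu
ntvdm.exe pid: 3876 D8: \Device\Harddisk2\DP(1)0-0+c\CHECKF~1
"""

# "<image> pid: <decimal pid> <hex handle value>: <object path>"
ENTRY = re.compile(
    r"^(?P<image>\S+)\s+pid:\s+(?P<pid>\d+)\s+(?P<handle>[0-9A-Fa-f]+):\s*(?P<path>.*)$"
)

def parse_handle_output(text):
    """Return (image, pid, handle_value, object_path) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            entries.append([m["image"], int(m["pid"]), int(m["handle"], 16), m["path"]])
        elif line.startswith("\\") and entries and not entries[-1][3]:
            # Continuation line: the previous entry's path was wrapped.
            entries[-1][3] = line
    return [tuple(e) for e in entries]

def volume_holders(text, volume_device):
    """Group handles on the volume device, or anything beneath it, by (pid, image)."""
    prefix = volume_device.rstrip("\\").lower()
    holders = defaultdict(list)
    for image, pid, handle, path in parse_handle_output(text):
        p = path.lower()
        # Exact prefix match keeps out the System handle on \Device\Harddisk2 itself.
        if p == prefix or p.startswith(prefix + "\\"):
            holders[(pid, image)].append((handle, path))
    return dict(holders)
```

Pass the device path from the "Target String" line of !driveinfo as volume_device, for example volume_holders(SAMPLE, r"\Device\Harddisk2\DP(1)0-0+c").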

btw if someone from ms is reading this

this !driveinfo extension can't get the typeinfo for _VCB

FileSystem: \FileSystem\Ntfs
Cannot get ntfs!VOLUME_DEVICE_OBJECT.Vcb @ 863e9020
lkd> !devobj 86bca4a0

though it seems to exist

lkd> dt Ntfs!_VOLUME_DEVICE_OBJECT vcb.
+0x0cc Vcb :
+0x000 foo : [256] Char

and if i remember correctly again an underscore issue

(though last time i posted about a probable underscore problem in some
other extension command i remember someone posting back “you are right
and you are wrong too” not sure what that meant though)

On 5/16/12, raj_r wrote:
> windbg and handle from sysinternals should tell you which file is open

sorry this was not an underscore problem this is a case of typeinfo
not available or declared differently in public pdb

00B3DAD8 863E9020 |Arg1 = 863E9020
00B3DADC FFFFFFFF |Arg2 = FFFFFFFF
00B3DAE0 1002E940 |Arg3 = 1002E940 ASCII "ntfs!VOLUME_DEVICE_OBJECT"
00B3DAE4 1002E95C |Arg4 = 1002E95C ASCII "Vcb.TotalClusters"
00B3DAE8 00000008 |Arg5 = 00000008
00B3DAEC 00B3DB7C \Arg6 = 00B3DB7C

00B3DAE4 1002E910 ASCII "Cannot get ntfs!VOLUME_DEVICE_OBJECT.Vcb @ %p
"

this is declared as so the extension fails

lkd> dt -b Ntfs!_VOLUME_DEVICE_OBJECT vcb.foo 863E9020
+0x0cc Vcb :
+0x000 foo : ""
[00] 0 ''
[01] 0 ''
[02] 0 ''
[03] 0 ''
[04] -16 ''
[05] -112 ''
[06] 62 '>'
[07] -122 ''
[08] -16 ''
[09] -112 ''
[10] 62 '>'
[11] -122 ''
[12] 0 ''
[13] 0 ''

On 5/16/12, raj_r wrote:
> btw if someone from ms is reading this

thanks raj r, thank you very much for your timely detailed answer. I know how to do it.