Identifying writes

Hi All,

In my minifilter I’m monitoring the process of saving a TXT file to an empty USB PenDrive (an instance of my minifilter is attached only to that drive). The PenDrive has just been formatted. I’m using Notepad. The file is 16385 bytes long. It consists of repeating patterns of numbers (so I can easily check buffer content). My minifilter sends all parameters of the IRP_MJ_WRITE Pre & Post procedures to the debugger. I can easily locate the IRP_MJ_WRITE operations which are responsible for the following steps:

  1. A user application (Notepad) requesting to save 16385 bytes.

Pre Write Entered - Callback Data ID: 821FB984
Pre Write - IRP_NOCACHE = 0
Pre Write - IRP_PAGING_IO = 0
Pre Write - IRP_SYNCHRONOUS_PAGING_IO = 0
Pre Write - IRP_BUFFERED_IO = 0
Pre Write - IRP_INPUT_OPERATION = 0
Pre Write - Synchronous operation
Pre Write - Requested to write 16385 bytes starting at offset 0
Pre Write Abandoned - Callback Data ID: 821FB984

  2. VMM requesting to write 20480 bytes starting at offset 0 (file size rounded to 5 pages).

Pre Write Entered - Callback Data ID: 81EDCED4
Pre Write - IRP_NOCACHE = 1
Pre Write - IRP_PAGING_IO = 1
Pre Write - IRP_SYNCHRONOUS_PAGING_IO = 1
Pre Write - IRP_BUFFERED_IO = 0
Pre Write - IRP_INPUT_OPERATION = 1
Pre Write - Synchronous operation
Pre Write - Requested to write 20480 bytes starting at offset 0
Pre Write Abandoned - Callback Data ID: 81EDCED4

  3. FSD confirming writing 16385 bytes to the VMM.

Post Write Entered - Callback Data ID: 81EDCED4
Post Write - Bytes written: 16385
Post Write Abandoned - Callback Data ID: 81EDCED4

  4. FSD confirming writing 16385 bytes to a user application (Notepad).

Post Write Entered - Callback Data ID: 821FB984
Post Write - Bytes written: 16385
Post Write Abandoned - Callback Data ID: 821FB984

But I also get other IRP_MJ_WRITE requests which I can’t interpret (apart from requests connected with folders, which I can filter out using FltIsDirectory). These are always the same and look like this (I got three of them during saving the file mentioned above):

Pre Write Entered - Callback Data ID: 81DD3834
Pre Write - IRP_NOCACHE = 1
Pre Write - IRP_PAGING_IO = 1
Pre Write - IRP_SYNCHRONOUS_PAGING_IO = 1
Pre Write - IRP_BUFFERED_IO = 0
Pre Write - IRP_INPUT_OPERATION = 1
Pre Write - Synchronous operation
Pre Write - Requested to write 4096 bytes starting at offset 16384
Pre Write Abandoned - Callback Data ID: 81DD3834

Post Write Entered - Callback Data ID: 81DD3834
Post Write - Bytes written: 4096
Post Write Abandoned - Callback Data ID: 81DD3834

The contents of the original buffers in these requests are always similar and contain repeating sequences like this:

… …!..
"…#…$…%…&
…'…(…)…*.
…+…,…-…
./…0…1…2…
3…4…

For sure this has nothing in common with the contents of the file being saved.

Can anyone help me with interpreting these? Is it possible to filter them out?

Thanks,

Konrad

Hi,

> But I also get other IRP_MJ_WRITE requests which I can’t interpret
> Pre Write - Requested to write 4096 bytes starting at offset 16384

It is not clear whether this is a request for your .txt file or another file.
If this is a request to another file then this is a flushing of the FSD’s data.
FSDs use the cache to map their internal data and files.


Slava Imameyev, xxxxx@hotmail.com


I don’t think so. There are no other files on this PenDrive.

K.

FSDs use the Cache Manager to map files and data which describe the internal structure of the file system.
You can’t see this file in Explorer.
Print the name of the file!


Slava Imameyev, xxxxx@hotmail.com


It must be flushing of the FSD’s data, as the filename in these callbacks is always NULL. Moreover, if I make even the smallest change in the contents of the buffer for these operations the volume becomes corrupted (only formatting helps).

Therefore, I have the following questions:

  1. Is it possible to get rid of these IRPs in my PreWrite (are there any special flags for such a type of IRP)?

  2. If the answer to the above is NO - is it possible to disallow FSDs using the Cache for their internal structures (even at the cost of lower performance)?

Konrad

> 1) Is it possible to get rid of these IRP in my PreWrite (are there any special flags for such type of IRPs).

Only by a FileObject. The file objects usually have FO_STREAM_FILE flag,
because they are created by IoCreateStreamFileObject.

> 1) Is it possible to get rid of these IRP in my PreWrite (are there any special flags for such type of IRPs).

This is a built-in functionality of FSDs, they usually use mapping
interface( CcMapData etc. ).


Slava Imameyev, xxxxx@hotmail.com

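As an added illustration of the answers above (this is not code from the thread and not Konrad's filter), the C program below models the decision a PreWrite callback would make for the three kinds of IRP_MJ_WRITE in the trace: the application's cached write, the VMM's paging write of the same file, and the FSD flushing its own structures through a stream file object. It runs in user mode, so the IRP_* and FO_* values are copied from the WDK headers (wdm.h, ntifs.h) rather than included, and a small struct of my own stands in for the fields a real callback reads (Data->Iopb->IrpFlags, Data->Iopb->Parameters.Write, FltObjects->FileObject->Flags); the three sample requests are constructed from the numbers in the trace, and their file-object flags are assumed. Two things it makes explicit that the trace hides: IRP_INPUT_OPERATION and IRP_SYNCHRONOUS_PAGING_IO are the same bit (0x40), so on a write the first is only an echo of the second, and the 16384 offset of the unexplained 4096-byte write is an offset within the FSD's own stream, not within the .txt file.

```c
/* Added example: user-mode model of a minifilter PreWrite decision.
 * Not code from the thread. Constants are copied from the WDK headers so
 * this compiles without them; a real filter includes <fltKernel.h>. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IRP flags (wdm.h). IRP_INPUT_OPERATION and IRP_SYNCHRONOUS_PAGING_IO
 * share bit 0x40, so logging both on a write always shows the same value. */
#define IRP_NOCACHE               0x00000001u
#define IRP_PAGING_IO             0x00000002u
#define IRP_BUFFERED_IO           0x00000010u
#define IRP_INPUT_OPERATION       0x00000040u
#define IRP_SYNCHRONOUS_PAGING_IO 0x00000040u

/* FILE_OBJECT.Flags (ntifs.h). FO_STREAM_FILE marks objects the FSD made
 * with IoCreateStreamFileObject for its own metadata streams. */
#define FO_FILE_OPEN              0x00000001u
#define FO_SYNCHRONOUS_IO         0x00000002u
#define FO_STREAM_FILE            0x00000100u

#define NT_PAGE_SIZE 4096u

enum write_kind {
    WRITE_USER,         /* cached write issued by the application */
    WRITE_USER_PAGING,  /* VMM / lazy writer flushing the user file's pages */
    WRITE_FSD_METADATA  /* FSD flushing its own on-disk structures */
};

/* Stand-in for the callback-data fields the decision needs (assumed layout,
 * not the real FLT_CALLBACK_DATA / FLT_RELATED_OBJECTS). */
struct write_request {
    uint32_t irp_flags;         /* Data->Iopb->IrpFlags */
    uint32_t file_object_flags; /* FltObjects->FileObject->Flags */
    bool     has_name;          /* FltGetFileNameInformation gave a name */
    uint64_t byte_offset;       /* Parameters.Write.ByteOffset, relative to
                                   the stream the file object refers to */
    uint32_t length;            /* Parameters.Write.Length */
};

/* The rounding the VMM applied to the 16385-byte file (5 pages = 20480). */
uint64_t round_to_pages(uint64_t bytes)
{
    return (bytes + NT_PAGE_SIZE - 1) / NT_PAGE_SIZE * NT_PAGE_SIZE;
}

enum write_kind classify_write(const struct write_request *r)
{
    bool paging = (r->irp_flags & IRP_PAGING_IO) != 0;

    /* Paging I/O through a stream file object: the FSD is writing the
     * volume's own structures. Its buffer must reach the disk untouched. */
    if (paging && (r->file_object_flags & FO_STREAM_FILE))
        return WRITE_FSD_METADATA;

    /* Some FSDs do not set FO_STREAM_FILE; a nameless paging write is the
     * other sign of internal data that Konrad observed. */
    if (paging && !r->has_name)
        return WRITE_FSD_METADATA;

    return paging ? WRITE_USER_PAGING : WRITE_USER;
}

/* What PreWrite would return: metadata goes straight through with no post
 * callback; user writes keep the post callback so bytes written is logged. */
const char *preop_action(enum write_kind kind)
{
    return kind == WRITE_FSD_METADATA ? "FLT_PREOP_SUCCESS_NO_CALLBACK"
                                      : "FLT_PREOP_SUCCESS_WITH_CALLBACK";
}

/* The three requests from the trace, rebuilt from the logged values
 * (constructed sample data; the file-object flags are assumed). */
const struct write_request trace[] = {
    { 0, FO_FILE_OPEN | FO_SYNCHRONOUS_IO, true, 0, 16385 },   /* Notepad */
    { IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO,
      FO_FILE_OPEN | FO_SYNCHRONOUS_IO, true, 0, 20480 },      /* VMM */
    { IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO,
      FO_STREAM_FILE, false, 16384, 4096 }                     /* FSD */
};

int main(void)
{
    static const char *names[] = { "user", "user-paging", "fsd-metadata" };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        enum write_kind k = classify_write(&trace[i]);
        printf("write %zu: %u bytes at offset %llu -> %s, %s\n", i,
               trace[i].length, (unsigned long long)trace[i].byte_offset,
               names[k], preop_action(k));
    }
    printf("16385 bytes rounds to %llu\n",
           (unsigned long long)round_to_pages(16385));
    return 0;
}
```

In a real callback the same test is FlagOn(Data->Iopb->IrpFlags, IRP_PAGING_IO) together with FlagOn(FltObjects->FileObject->Flags, FO_STREAM_FILE), and the only safe action for a request that matches is to pass it through unchanged; the corrupted volume Konrad saw after editing such a buffer is exactly what altering a metadata flush does.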