Hello All,
I am attempting to identify memory mapped process/file IO. After studying memory mapping concepts for a while, I am stuck on the following questions:
- Is it possible to track the memory manager / cache manager mechanism of creating page/file map for mapping sections?
- Can we use the CcInitializeCacheMap API to replace existing cache maps with our callbacks? If not, is there any alternative?
- Do Mapped/Modified page writer or Lazy writer complete the task of writing to mapped sections?
- How can we know if Prototype Page Table has been created in the process? Is there any event/callback object?
Please help with references, sample codes, methods and approaches that can be used to address the challenge.
> 1) Is it possible to track the memory manager / cache manager mechanism of creating page/file map for mapping sections?
In FltMgr there is “acquire for section synchronization” for this.
> - Can we use CcInitializeCacheMap api to replace existing cache maps with our callbacks? if not is there any alternative?
No. You cannot replace any callbacks.
> - Do Mapped/Modified page writer or Lazy writer complete the task of writing to mapped sections?
Usually yes, but there is also FlushViewOfFile, when the caller’s thread writes the pages.
> - How can we know if Prototype Page Table has been created in the process? is there any event/callback object?
No way. This is an internal implementation detail, widely different across Windows versions, so you should not bother with it.
I’m not even sure PPTE tables are still there in 2012 R2/8.1.
--
Maxim S. Shatskih
Microsoft MVP on File System And Storage
xxxxx@storagecraft.com
http://www.storagecraft.com