minifilter and memory mapped io

Hello,

I have written a minifilter whose job is to monitor operations that take place on a volume, such as read and write. It was working well until I hit the case where an application uses memory mapped files. After reading about memory mapped files I realized that filter manager won’t call my callbacks since, from the application’s view, it’s just plain memory read and memory write. And even when the application flushes the buffers of the file, my filter won’t log any info about this since I am filtering out paging io. So my basic question is: can I track down these memory read & memory write operations in my minifilter, or do I need to track paging io for this?

I have gone through several threads and FAQs related to this, but from none did I get a clear idea of how to go about it.

As I am completely new to this field, even small help like a link to an OSR article or a thread related to this could be very useful.

We just had a long conversation about memory mapped files a few weeks ago:

http://www.osronline.com/showThread.CFM?link=215792

-scott


Scott Noone
Consulting Associate and Chief System Problem Analyst
OSR Open Systems Resources, Inc.
http://www.osronline.com

Hello,

When I map any file from my application and run the application for the first time then this file must be read from the disk, right? So is this read a paging read (from disk -> main memory, m filtering out paging io) or m getting this completely wrong? Because I can’t see logs about IRP_MJ_READ in my log file when this happens.

Following could be the possibilities:

  1. It’s a paging read. (Is this the case whenever a file is mapped from disk?)
  2. Logs may not be present because of “Prefetch” functionality. (I have disabled this for applications.)
  3. I tried to monitor using filespy, and the only requests I saw were FASTIO_QUERY_OPEN, FASTIO_QUERY_BASIC_INFO etc., which means everything is present in cache and there is no need to read from disk. I can’t even see IRP_MJ_READ for my test application, which I guess means everything is in cache only.

What exactly is it?

So when you say that “m filtering out paging io” do you mean that you’re ignoring paging IO or not? Are you using FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO? I’m not sure what “m” means… Anyway, if you are setting the FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO flag then you will not see the READ that fetches the data from disk in your minifilter. You could try using ProcMon to see if it sees a read.

Also, do you just map the file or do you also access it? Just mapping the file won’t actually bring the data in. The actual READ will happen when someone touches the memory for the first time.

Thanks,
Alex.

  1. “filtering out paging io” means:
    I am basically calling FltDoCompletionProcessingWhenSafe() where I actually log the data.
    The documentation states that you should not post paging io operations, so:

        PostCallbackRoutine() {
            // Paging I/O: return without logging.
            if (FlagOn(Data->Iopb->IrpFlags, IRP_PAGING_IO)) {
                return FLT_POSTOP_FINISHED_PROCESSING;
            }

            // Call FltDoCompletionProcessingWhenSafe.
        }

  2. “Are you using FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO?”
    No.

  3. “if you are setting the FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO flag then you will not see the READ that fetches the data from disk in your minifilter.”
    Does this mean it’s a paging read? That is what my essential question is.

  4. “do you just map the file or do you also access it? Just mapping the file won’t actually bring the data in.”
    I don’t just map the file, but also do some operations.

Yes, the read will be a paging read.

On Dec 6, 2011, at 11:03 PM, xxxxx@hotmail.com wrote:

NTFSD is sponsored by OSR

Can you point out some link where I can find some code example “On how to monitor Memory-mapped io”? As of now I am not able to find any sample code just for illustration.

Well, if you just want to monitor it then the passthrough and the minispy samples in the WDK should be a good place to start.

Thanks,
Alex.
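
Added example, not part of the thread and not WDK sample code: a user-mode C model of the flag test discussed above, showing which reads and writes a logger misses when it returns early on IRP_PAGING_IO. The io_record type, classify and count_logged are hypothetical names, the trace is constructed, and the constants repeat their wdm.h values so the file builds outside the kernel.

```c
#include <stdio.h>
#include <stddef.h>

/* Values as defined in wdm.h, repeated so this model builds in user mode. */
#define IRP_MJ_CREATE             0x00
#define IRP_MJ_READ               0x03
#define IRP_MJ_WRITE              0x04
#define IRP_NOCACHE               0x00000001
#define IRP_PAGING_IO             0x00000002
#define IRP_SYNCHRONOUS_PAGING_IO 0x00000040

/* Hypothetical stand-in for the Data->Iopb fields a filter inspects. */
typedef struct { unsigned char major; unsigned long irp_flags; const char *note; } io_record;
typedef enum { IO_OTHER, IO_CACHED, IO_NONCACHED, IO_PAGING } io_kind;

io_kind classify(const io_record *r) {
    if (r->major != IRP_MJ_READ && r->major != IRP_MJ_WRITE) return IO_OTHER;
    if (r->irp_flags & (IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO)) return IO_PAGING;
    return (r->irp_flags & IRP_NOCACHE) ? IO_NONCACHED : IO_CACHED;
}

/* Constructed trace (not captured output): a file is opened and mapped, a page
   of the view is touched and modified, and another handle does a ReadFile. */
static const io_record mapped_trace[] = {
    { IRP_MJ_CREATE, 0, "open; mapping the file moves no data" },
    { IRP_MJ_READ, IRP_NOCACHE | IRP_PAGING_IO | IRP_SYNCHRONOUS_PAGING_IO, "first touch of the view faults the page in" },
    { IRP_MJ_WRITE, IRP_NOCACHE | IRP_PAGING_IO, "dirty mapped page written back" },
    { IRP_MJ_READ, 0, "ordinary cached ReadFile" },
};
#define TRACE_LEN (sizeof mapped_trace / sizeof mapped_trace[0])

/* Count the reads and writes a logger records. drop_paging != 0 models the
   early return on IRP_PAGING_IO in the post-operation callback from the thread. */
size_t count_logged(const io_record *t, size_t n, int drop_paging) {
    size_t logged = 0;
    for (size_t i = 0; i < n; i++) {
        io_kind k = classify(&t[i]);
        if (k == IO_OTHER || (k == IO_PAGING && drop_paging)) continue;
        logged++;
    }
    return logged;
}

int main(void) {
    printf("dropping paging I/O: %zu of %zu records logged\n", count_logged(mapped_trace, TRACE_LEN, 1), TRACE_LEN);
    printf("keeping paging I/O:  %zu of %zu records logged\n", count_logged(mapped_trace, TRACE_LEN, 0), TRACE_LEN);
    return 0;
}
```

In a real minifilter the same test applies to Data->Iopb->IrpFlags in the IRP_MJ_READ and IRP_MJ_WRITE callbacks, which only see paging I/O when FLTFL_OPERATION_REGISTRATION_SKIP_PAGING_IO is not set.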