Mm/Cc sends paging writes through r/o FILE_OBJECT

I am a little bit surprised. When saving a file from notepad (so it is a memory-mapped file), I can see that paging writes coming from Cache/Memory Manager are sent through a FILE_OBJECT which has read-only access. I can see on the stack that it is during IRP_MJ_CLEANUP of another FILE_OBJECT (which has write access), the FSD calls CCFlushSection and paging writes come back with a different FO (which has R/O access).
Is it common?
System: Windows 7 x64, FSD is a miniredirector.

Thanks,
Bronislav Gabrhelik

On 10/6/2010 6:59 AM, xxxxx@xythos.com wrote:

> I am a little bit surprised. When saving a file from notepad (so it is a memory-mapped file), I can see that paging writes coming from Cache/Memory Manager are sent through a FILE_OBJECT which has read-only access. I can see on the stack that it is during IRP_MJ_CLEANUP of another FILE_OBJECT (which has write access), the FSD calls CCFlushSection and paging writes come back with a different FO (which has R/O access).
> Is it common?
> System: Windows 7 x64, FSD is a miniredirector.

Regardless of how the instance was opened, the first file object that
the underlying file system uses to initiate caching is referenced and
later used for paging.

Pete

> Thanks,
> Bronislav Gabrhelik




Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

>>Regardless of how the instance was opened, the first file object that the underlying file system uses to initiate caching is referenced and later used for paging.

gr8,

I saw it in the past but thought that, as all checking is done at the time of create and not after that, one (in this case MM) is free to use an FO opened with “read attribute” to send a “delete” on a file (which will be honored by the FS).

Never knew this is the reason though, so it does bookkeeping at the time of cache initialization?

Aditya

> Never knew this is the reason though, so it does bookkeeping at the time of cache initialization?

No, all the book keeping is done above the filesystem, up in IO manager[*].
So a write won’t happen (from usermode) unless the FileObject was opened for
WRITE, but if the cache was initialized using an RO fileobject it will see
paging writes.

[*] The exception here is over the network when the mode of the open will
be policed on the server as well as the client. So whereas you can do writes
in a RO file object to a local FSD it will fail over the network…