Hi, guys!
I met a problem:
I used FileSpy and procmon to track the “save as” function of winword.exe. I found that, when I save a .doc file which is 300MB to a new document, all noncached write of file ‘~WSR0001.tmp’ in the temp path were missing. I can see create, fastwrite, fast read, cleanup, close, however, no noncached write.
I have reproduced this several times, only few chance I can see noncached write,.
Is there something I am overlooking?
Thanks in advance!
Pbably the rename process
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@gmail.com
Sent: Monday, December 01, 2008 9:28 AM
To: Windows File Systems Devs Interest List
Subject: [ntfsd] Noncached write missing
Hi, guys!
I met a problem:
I used FileSpy and procmon to track the “save as” function of winword.exe. I
found that, when I save a .doc file which is 300MB to a new document, all
noncached write of file ‘~WSR0001.tmp’ in the temp path were missing. I can
see create, fastwrite, fast read, cleanup, close, however, no noncached
write.
I have reproduced this several times, only few chance I can see noncached
write,.
Is there something I am overlooking?
Thanks in advance!
NTFSD is sponsored by OSR
For our schedule debugging and file system seminars
(including our new fs mini-filter seminar) visit:
http://www.osr.com/seminars
You are currently subscribed to ntfsd as: xxxxx@gmail.com
To unsubscribe send a blank email to xxxxx@lists.osr.com
Thanks for reply!
I have ruled out rename operation and searched by FO->FsContext, but found no noncached write either.
Sorry to ask this question, but is there some application filter applied when you are capturing IRPs in filespy?
I checked this and able to see all non cached write on the `wrdxxxx.tmp file.
Check for System process as almost all of non cached IO are issued from this process only.
Yes, my own filter was running when capturing.
I was able to see all non cached write on ‘wrdxxxx.tmp’ too. But the temp
file I mentioned above is ‘~wrsxxxx.tmp’.
Thanks all the same!
2008/12/2
> Sorry to ask this question, but is there some application filter applied
> when you are capturing IRPs in filespy?
> I checked this and able to see all non cached write on the `wrdxxxx.tmp
> file.
>
> Check for System process as almost all of non cached IO are issued from
> this process only.
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> You are currently subscribed to ntfsd as: xxxxx@gmail.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
Well, I missed that.
In this case it may sounds interesting to you,
these are the logs I received from filespy. I Just create a word file, opened that, typed "=rand( 200, 9 ) and just pressed enter. (No Save or Save As)
1 18:56:09.688 0 System IRP_MJ_WRITE 00000043 E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local Settings\Temp~WRS0000.tmp STATUS_SUCCESS Offset: 00000000-00000000 ToWrite: 10000 Written: 10000
2 18:56:09.688 0 System IRP_MJ_WRITE 00000043 E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local Settings\Temp~WRS0000.tmp STATUS_SUCCESS Offset: 00000000-00008000 ToWrite: 5000 Written: 5000
3 18:56:09.688 0 System IRP_MJ_WRITE 00000043 E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local Settings\Temp~WRS0000.tmp STATUS_SUCCESS Offset: 00000000-0000E000 ToWrite: 4000 Written: 4000
4 18:56:09.688 0 System IRP_MJ_WRITE 00000043 E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local Settings\Temp~WRS0000.tmp STATUS_SUCCESS Offset: 00000000-0001D000 ToWrite: 3000 Written: 3000
5 18:56:09.688 0 System IRP_MJ_WRITE 00000043 E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local Settings\Temp~WRS0000.tmp STATUS_SUCCESS Offset: 00000000-00021000 ToWrite: 1000 Written: 1000
6 18:56:09.688 0 System IRP_MJ_SET_INFORMATION 00000042 E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local Settings\Temp~WRS0000.tmp STATUS_SUCCESS FileEndOfFileInformation EndOfFile: 00000000-00010000
7 18:56:10.688 0 System IRP_MJ_WRITE 00000043 E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local Settings\Temp~WRS0000.tmp STATUS_SUCCESS Offset: 00000000-00010000 ToWrite: 10000 Written: 10000
8 18:56:10.688 0 System IRP_MJ_SET_INFORMATION 00000042 E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local Settings\Temp~WRS0000.tmp STATUS_SUCCESS FileEndOfFileInformation EndOfFile: 00000000-00020000
9 18:56:11.689 0 System IRP_MJ_WRITE 00000043 E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local Settings\Temp~WRS0000.tmp STATUS_SUCCESS Offset: 00000000-00020000 ToWrite: A000 Written: 9BE2
10 18:56:11.689 0 System IRP_MJ_SET_INFORMATION 00000042 E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local Settings\Temp~WRS0000.tmp STATUS_SUCCESS FileEndOfFileInformation EndOfFile: 00000000-00029BE2
Non cached write are there and I have not mentioned that I did not pressed save or save as, so possibly word is not using this file at the time of save operation and that is why you are not able to see any non cached write at that time.
I am Not able to understand why exactly you need it.(apart from curiosity) 
Thanks
Aditya
Typo,
*I already mentioned that I did not pressed save or save as
Hi, Aditya.
I am working on a encrypt/decrypt filesystem minifilter driver.
I found the ‘~wrsxxxx.tmp’ file wasnot encrypted very often. So I tracked
it.
Maybe it is caused by my filter. I am checking my code 
Thanks very much!
Alex.
2008/12/2
> Well, I missed that.
>
> In this case it may sounds interesting to you,
>
> these are the logs I received from filespy. I Just create a word file,
> opened that, typed "=rand( 200, 9 ) and just pressed enter. (No Save or Save
> As)
>
> 1 18:56:09.688 0 System IRP_MJ_WRITE 00000043
> E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local
> Settings\Temp~WRS0000.tmp STATUS_SUCCESS Offset: 00000000-00000000
> ToWrite: 10000 Written: 10000
> 2 18:56:09.688 0 System IRP_MJ_WRITE 00000043
> E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local
> Settings\Temp~WRS0000.tmp STATUS_SUCCESS Offset: 00000000-00008000
> ToWrite: 5000 Written: 5000
> 3 18:56:09.688 0 System IRP_MJ_WRITE 00000043
> E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local
> Settings\Temp~WRS0000.tmp STATUS_SUCCESS Offset: 00000000-0000E000
> ToWrite: 4000 Written: 4000
> 4 18:56:09.688 0 System IRP_MJ_WRITE 00000043
> E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local
> Settings\Temp~WRS0000.tmp STATUS_SUCCESS Offset: 00000000-0001D000
> ToWrite: 3000 Written: 3000
> 5 18:56:09.688 0 System IRP_MJ_WRITE 00000043
> E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local
> Settings\Temp~WRS0000.tmp STATUS_SUCCESS Offset: 00000000-00021000
> ToWrite: 1000 Written: 1000
> 6 18:56:09.688 0 System IRP_MJ_SET_INFORMATION 00000042
> E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local
> Settings\Temp~WRS0000.tmp STATUS_SUCCESS FileEndOfFileInformation
> EndOfFile: 00000000-00010000
> 7 18:56:10.688 0 System IRP_MJ_WRITE 00000043
> E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local
> Settings\Temp~WRS0000.tmp STATUS_SUCCESS Offset: 00000000-00010000
> ToWrite: 10000 Written: 10000
> 8 18:56:10.688 0 System IRP_MJ_SET_INFORMATION 00000042
> E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local
> Settings\Temp~WRS0000.tmp STATUS_SUCCESS FileEndOfFileInformation
> EndOfFile: 00000000-00020000
> 9 18:56:11.689 0 System IRP_MJ_WRITE 00000043
> E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local
> Settings\Temp~WRS0000.tmp STATUS_SUCCESS Offset: 00000000-00020000
> ToWrite: A000 Written: 9BE2
> 10 18:56:11.689 0 System IRP_MJ_SET_INFORMATION 00000042
> E17B10D0 C:\Documents and Settings\aditya.shrivastava\Local
> Settings\Temp~WRS0000.tmp STATUS_SUCCESS FileEndOfFileInformation
> EndOfFile: 00000000-00029BE2
>
> Non cached write are there and I have not mentioned that I did not pressed
> save or save as, so possibly word is not using this file at the time of save
> operation and that is why you are not able to see any non cached write at
> that time.
>
> I am Not able to understand why exactly you need it.(apart from curiosity)
>
>
> Thanks
> Aditya
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> You are currently subscribed to ntfsd as: xxxxx@gmail.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
The application is probably writing to the cache. The non-cached paging IO for the file will be sent down lazily by memory manager or cache manager, potentially after you have seen a cleanup for the file. The paging IO could potentially also come down on a different file object corresponding to the same stream.
Sarosh.
File System Filter Lead
Microsoft Corp
This posting is provided “AS IS” with no warranties, and confers no Rights
Thanks a lot Sarosh, for the explanation. It did help!
Alex.
2008/12/5
> The application is probably writing to the cache. The non-cached paging IO
> for the file will be sent down lazily by memory manager or cache manager,
> potentially after you have seen a cleanup for the file. The paging IO could
> potentially also come down on a different file object corresponding to the
> same stream.
>
> Sarosh.
> File System Filter Lead
> Microsoft Corp
>
> This posting is provided “AS IS” with no warranties, and confers no Rights
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> You are currently subscribed to ntfsd as: xxxxx@gmail.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>