Can someone help me in obtaining the open file handles from the
ZwQuerySystemInformation() function?
What parameters do I need to pass it?
–
- amitr0
See CAVEATS below, but in the meanwhile…
Call ZwQuerySystemInformation with a small byte count to get the size of
the array needed.
Use this to allocate an array of system handle pointers.
Call ZwQuerySystemInformation with the real array to get your system
handles.
The array consists of an array of pointers to an undocumented structure
called SYSTEM_HANDLE. Look it up.
Process each system handle.
CAVEATS:
This array is typically VERY large, so be prepared for a lot of work.
There appears to be no good way to determine what the ObjectTypeNumber for a
FileObject is. By trial and error I determined that it seems to be 26 on
Win2K and 28 on XP. The ZwQuerySystemInformation with class of
SystemHandleInformation should do it, but it only works if
FLG_MAINTAIN_OBJECT_TYPELIST is set in NtGlobalFlags at boot time (using the
gflags utility). It is off by default. (Note that the “Type” field in
FILE_OBJECT is 5, which is no help whatsoever.)
Furthermore, this is a snapshot of the system handles at the time of the
call. I have seen cases where the object referenced in the list is no
longer valid by the time I got to it. This resulted in a BSOD with an
access violation. (There may be a way to lock them – not sure.)
Bottom line: I strongly discourage using this. Maybe that’s why it remains
undocumented…?
Ken
Oops, typo.
I meant that calling “ZwQuerySystemInformation with class of
*SystemObjectInformation* should do it”. That requires that
FLG_MAINTAIN_OBJECT_TYPELIST be set in NtGlobalFlags at boot time.
Ken
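The probe, allocate and re-query sequence described above, as an added example that is not code from this thread: a portable C simulation in which `mock_query` is a constructed stand-in for the real ZwQuerySystemInformation call and the SYSTEM_HANDLE layout is the commonly published one, assumed here. It shows why the size probe needs a retry loop with headroom (the table can grow between calls) and why the type number is a parameter rather than a hard-coded 26 or 28.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define STATUS_INFO_LENGTH_MISMATCH 0xC0000004u
/* Assumed entry layout (widely published; not documented by Microsoft). */
typedef struct { uint32_t ProcessId; uint8_t ObjectTypeNumber; uint8_t Flags;
                 uint16_t Handle; void *Object; uint32_t GrantedAccess; } SYSTEM_HANDLE;
typedef struct { uint32_t Count; SYSTEM_HANDLE Handles[]; } SYSTEM_HANDLE_INFORMATION;
#define HDR ((uint32_t)offsetof(SYSTEM_HANDLE_INFORMATION, Handles))
/* Constructed stand-in for the query: the table grows by one entry per call. */
static uint32_t sim_entries = 3;
static uint32_t mock_query(SYSTEM_HANDLE_INFORMATION *info, uint32_t len, uint32_t *need) {
    uint32_t n = sim_entries++;
    *need = HDR + n * (uint32_t)sizeof(SYSTEM_HANDLE);
    if (len < *need) return STATUS_INFO_LENGTH_MISMATCH;
    info->Count = n;
    for (uint32_t i = 0; i < n; i++)   /* constructed entries, types 5 and 28 */
        info->Handles[i] = (SYSTEM_HANDLE){ 100 + i, i % 2 ? 28 : 5, 0, (uint16_t)(4 * i + 4), NULL, 0x120089 };
    return 0;                          /* STATUS_SUCCESS */
}

/* Probe for the size, allocate with headroom, and retry if the table grew. */
static SYSTEM_HANDLE_INFORMATION *snapshot_handles(void) {
    uint32_t len = HDR, need = 0, st;
    SYSTEM_HANDLE_INFORMATION *buf = NULL, *p;
    for (int tries = 0; tries < 8; tries++) {
        if (!(p = realloc(buf, len))) break;
        buf = p;
        st = mock_query(buf, len, &need);
        if (st == 0) return buf;
        if (st != STATUS_INFO_LENGTH_MISMATCH) break;
        len = need + 4 * (uint32_t)sizeof(SYSTEM_HANDLE);
    }
    free(buf);
    return NULL;
}

/* Snapshot Object pointers may be stale: compare fields, never dereference. */
static uint32_t count_type(const SYSTEM_HANDLE_INFORMATION *info, uint8_t type) {
    uint32_t hits = 0;
    for (uint32_t i = 0; i < info->Count; i++) hits += info->Handles[i].ObjectTypeNumber == type;
    return hits;
}
int main(void) {
    SYSTEM_HANDLE_INFORMATION *info = snapshot_handles();
    if (info) printf("%u entries, %u of type 28\n", (unsigned)info->Count, (unsigned)count_type(info, 28));
    free(info);
}
```

Without the four entries of headroom the second call in this simulation would fail again, because the required size reported by the probe is already out of date.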
thanks a ton ken!!!
Ken (or even others),
can you tell me the ObjectTypeNumber for memory mapped files?
Amitr0
No, I can’t. For all the reasons I gave last time, I abandoned this
approach. I recommend the same for you.
Ken
hmmm…got to think of another strategy…thanks again!!