I’m trying to open page file handle from a disk filter driver when I receive DEVICE_USAGE_NOTIFICATION/DeviceUsageTypePaging. Sometimes it returns STATUS_SUCCESS but sometimes I get STATUS_SHARING_VIOLATION. Below is my code. Any pointers what I’m doing wrong? I also tried opening at a much later stage (when system has completely booted) but same results. Thank you.
> /* NT path of the page file; backslashes must be doubled in a C literal */
> WCHAR pageFilePath[32] = L"\\??\\C:\\pagefile.sys";
> UNICODE_STRING path;
> OBJECT_ATTRIBUTES oa;
> IO_STATUS_BLOCK iosb;
> HANDLE handle;
> NTSTATUS status;
>
> RtlInitUnicodeString (&path, pageFilePath);
> InitializeObjectAttributes (&oa,
>                             &path,
>                             OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE,
>                             NULL,
>                             NULL);
>
> status = IoCreateFile (&handle,
>                        SYNCHRONIZE,                  /* DesiredAccess */
>                        &oa,
>                        &iosb,
>                        NULL,                         /* AllocationSize */
>                        0,                            /* FileAttributes */
>                        0,                            /* ShareAccess */
>                        FILE_OPEN,
>                        FILE_SYNCHRONOUS_IO_NONALERT,
>                        NULL,                         /* EaBuffer */
>                        0,                            /* EaLength */
>                        CreateFileTypeNone,
>                        NULL,
>                        IO_OPEN_PAGING_FILE | IO_NO_PARAMETER_CHECKING);
You’re trying to “collect the writes/reads to the pagefile” by OPENING the page file? Ahhh… that won’t work. You’d need to FILTER in the storage stack to intercept paging I/O operations in order to “collect the writes/reads” targeted to the page file.
In a disk filter driver you hope to do this by opening (one of) the
pagefile(s)? And then what? What is your next step after ‘open the
page file’?
Mark Roddy
On Fri, Apr 1, 2011 at 7:03 PM, wrote:
> I’m trying to collect the writes/reads to pagefile. Thank you.
>
> —
> NTDEV is sponsored by OSR
>
> For our schedule of WDF, WDM, debugging and other seminars visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer
This approach is sometimes working (as in I’m able to obtain the proper pagefile LBAs). But most of the time I see createFile fails with STATUS_SHARING_VIOLATION. When I try to open the pagefile before nt!NtCreatePagingFile, I get STATUS_FILE_LOCK_CONFLICT. What is the appropriate time for opening a page file? Thank you.
And what will you do if the page file size changes? To be safe you need
a file system filter, which will also allow you to catch the open of
the page file, and get the information you need in a more controlled
way.
> I’m sorry for not being clear. This is my plan –
> 1. Open paging file in my disk filter.
> 2. Obtain its LBA ranges using retrieval pointers api.
> 3. Now that I have the LBA range, I can track the reads/writes to page file.
>
> Please let me know if my approach is not correct. Thank you.
IIUC, pagefile size change requires a reboot. Currently, I obtain/update this information at every boot. If my understanding is not correct, then probably I have no option but go to file sys filter. Thank you.
In my experience, Pagefile can change size when system is running.
Maybe you need to check it out.
Under XP and 2003 at least, you can increase the size of a pagefile or
add a new pagefile without requiring a restart. Any decrease of any of
the pagefile parameters requires a reboot though.
Vista or Windows 7 may have gotten smarter and allow changing of all
parameters without a reboot… seems like a kind of dumb limitation.
You might want to re-think some of your testing. Remember, page files can have a RANGE of sizes… start out at size X and grow (dynamically) as big as Y. It’s a parameter you set when you create the page file. Growing the file does NOT require rebooting. In addition, ADDING a page file does not require rebooting.
Yeah… What access are you requesting when you attempt to open the file? You might want to re-consider what access you’re requesting and ask for some access that’s very minor.
The page file is opened share nothing, if I recall correctly. The
system is sort of peculiar about not wanting any other entities
messing with the contents. You should be able to get the extents by
lowering your access requirements, I seem to recall having done this a
while ago to debug a problem I was having in a disk mirroring driver,
and it is possible. You also have to deal with the extents changing
over time - the pagefile can grow and it can be non-contiguous and of
course there can be more than one of them.
Mark Roddy
On Fri, Apr 1, 2011 at 10:13 PM, wrote:
> Ok now I understand about the size issue. Thank you Peter.
>
> Regarding the CreateFile failure my: desiredAccess = SYNCHRONIZE | FILE_READ_ATTRIBUTES and shareAccess = FILE_SHARE_READ | FILE_SHARE_WRITE.
Yes, agreed. We’ve done it here, too, for one reason or another. You should be able to drop the share requests (you’re not requesting read/write access in any case). Try, hmmm… JUST asking for Synchronize access, that’s about the lowest form of life you can ask for.
Bottom line: What you want to do is do-able, and is even reasonable WITH THE CAVEATS we’ve all given you. Just experiment a little with the requested access and you should be all set.
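Step 3 of the plan discussed in this thread (matching disk I/O against the page file's extents) can be sketched in portable C; this is an added example, not code from any poster. It assumes an NTFS volume where LCN 0 is the first byte of the volume, and the names `run_t`, `range_t`, `runs_to_ranges` and `pagefile_bytes` are hypothetical. Because the page file can grow, the range table has to be rebuilt whenever the extents are re-queried.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One extent as FSCTL_GET_RETRIEVAL_POINTERS reports it (lcn -1 = hole). */
typedef struct { int64_t next_vcn, lcn; } run_t;
typedef struct { uint64_t start, end; } range_t;   /* disk bytes [start, end) */

/* Turn runs into disk byte ranges. part_off is the volume's byte offset on
   the disk and cluster the bytes per cluster (both assumed known). */
size_t runs_to_ranges(int64_t start_vcn, const run_t *runs, size_t n,
                      uint64_t part_off, uint32_t cluster, range_t *out, size_t cap)
{
    size_t k = 0;
    int64_t vcn = start_vcn;
    for (size_t i = 0; i < n; i++) {
        int64_t len = runs[i].next_vcn - vcn;            /* run length in clusters */
        vcn = runs[i].next_vcn;
        if (runs[i].lcn < 0 || len <= 0) continue;       /* hole or bad run */
        uint64_t s = part_off + (uint64_t)runs[i].lcn * cluster;
        uint64_t e = s + (uint64_t)len * cluster;
        if (k > 0 && out[k - 1].end == s) { out[k - 1].end = e; continue; }
        if (k == cap) break;                             /* caller's array full */
        out[k].start = s; out[k].end = e; k++;
    }
    return k;
}

/* Bytes of the transfer [off, off + len) that land inside the ranges. */
uint64_t pagefile_bytes(const range_t *r, size_t n, uint64_t off, uint64_t len)
{
    uint64_t hit = 0, end = off + len;
    for (size_t i = 0; i < n; i++) {
        uint64_t s = off > r[i].start ? off : r[i].start;
        uint64_t e = end < r[i].end ? end : r[i].end;
        if (s < e) hit += e - s;
    }
    return hit;
}

int main(void)
{
    /* Constructed sample: fragmented page file, 4 KiB clusters, volume at 1 MiB. */
    run_t runs[] = { {256, 1000}, {512, 1256}, {768, -1}, {1024, 5000} };
    range_t pf[4];
    size_t n = runs_to_ranges(0, runs, 4, 1048576, 4096, pf, 4);
    uint64_t hit = pagefile_bytes(pf, n, 7237632, 8192);  /* straddles a range end */
    printf("%zu ranges, %llu page-file bytes\n", n, (unsigned long long)hit);
    return 0;
}
```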