pagefile cluster list

I’m writing a volume image tool. In order to prevent the pagefile from
being saved, I need the clusters allocated to it.

So I tried to CreateFile("pagefile.sys", PAGE_SHARE_READ |
PAGE_SHARE_WRITE | PAGE_SHARE_WRITE) and then
DeviceIoControl(FSCTL_GET_RETRIEVAL_POINTERS).

This approach doesn’t work because CreateFile returned that the file is
already open by another process.

Does anybody know how to do an FSCTL_GET_RETRIEVAL_POINTERS on the
pagefile?

It seems that pagedefrg.exe (from www.sysinternals.com) does use a
temporary driver to achieve this (i.e. they write a driver pagedefrg.sys
from their .exe), but it is not clear to me how they obtain the
FILE_OBJECT which is required even on Ring 0 to issue an IRP to the
pagefile.

Any ideas?

Ruediger Jungbeck
RSJ Software GmbH
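An added example (not code from this thread or from either poster) of the ring 3 approach described above: open the file, issue FSCTL_GET_RETRIEVAL_POINTERS with the ERROR_MORE_DATA resume loop, and reduce the returned extents to (LCN, length) runs that a volume imager can skip. The names `extent`, `run`, `extents_to_runs`, `file_runs` and the 64 KB buffer size are my own choices; the ioctl path is compiled only on Windows, and the extent walk is host-independent so it can be tested anywhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#ifdef _WIN32
#include <windows.h>
#include <winioctl.h>
#endif
/* Same layout as an Extents[] element of RETRIEVAL_POINTERS_BUFFER. */
struct extent { int64_t next_vcn; int64_t lcn; };
struct run { int64_t lcn; int64_t count; };  /* clusters the imager will skip */

/* Turn VCN-delimited extents into (LCN, length) runs. An Lcn of -1 marks a
 * hole that owns no clusters on disk, so it contributes no run. */
size_t extents_to_runs(int64_t starting_vcn, const struct extent *ex,
                       uint32_t n_ex, struct run *out, size_t max_runs)
{
    size_t n = 0;
    int64_t vcn = starting_vcn;
    for (uint32_t i = 0; i < n_ex; vcn = ex[i++].next_vcn) {
        if (ex[i].lcn == -1 || n >= max_runs) continue;
        out[n].lcn = ex[i].lcn;
        out[n++].count = ex[i].next_vcn - vcn;
    }
    return n;
}
#ifdef _WIN32
/* Issue the ioctl, resuming from the last NextVcn while it reports ERROR_MORE_DATA.
 * On a running system this open of pagefile.sys fails with ERROR_SHARING_VIOLATION. */
size_t file_runs(const wchar_t *path, struct run *out, size_t max_runs)
{
    HANDLE h = CreateFileW(path, FILE_READ_ATTRIBUTES, FILE_SHARE_READ |
                           FILE_SHARE_WRITE | FILE_SHARE_DELETE, NULL, OPEN_EXISTING, 0, NULL);
    if (h == INVALID_HANDLE_VALUE) return 0;
    DWORD size = 64 * 1024, got;                       /* 64 KB is an arbitrary choice */
    RETRIEVAL_POINTERS_BUFFER *rp = malloc(size);
    STARTING_VCN_INPUT_BUFFER in = {0};
    size_t n = 0;
    while (rp) {
        BOOL ok = DeviceIoControl(h, FSCTL_GET_RETRIEVAL_POINTERS, &in, sizeof in,
                                  rp, size, &got, NULL);
        if (!ok && GetLastError() != ERROR_MORE_DATA) break;
        n += extents_to_runs(rp->StartingVcn.QuadPart, (const struct extent *)rp->Extents,
                             rp->ExtentCount, out + n, max_runs - n);
        if (ok || rp->ExtentCount == 0) break;
        in.StartingVcn = rp->Extents[rp->ExtentCount - 1].NextVcn;  /* resume point */
    }
    free(rp); CloseHandle(h);
    return n;
}
#endif
```

Calling `file_runs(L"C:\\pagefile.sys", ...)` on a live system returns 0 because the open fails, which is the sharing violation the thread is about; on any other file it yields the cluster runs to exclude from the image.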

> but it is not clear to me how they obtain the FILE_OBJECT which is
> required even on Ring 0 to issue an IRP to the

The system pagefile is opened very late in the process of XP booting, at the
request of the session manager process. They simply open the file before, do the
work, then close it.
You can do the same thing: retrieve the bitmap at boot time.

Dan

----- Original Message -----
From:
To: “File Systems Developers”
Sent: Monday, August 12, 2002 1:21 PM
Subject: [ntfsd] pagefile cluster list

But the tool I’ve seen has its driver installed dynamically (when the tool
is started, not when the system is booted).

Yes, but does it perform any defrag on pagefiles and system hives
dynamically? I don't think so. I think you must reboot to defrag pagefiles.
You can't just alter the pagefile cluster map while the system actively pages
to it. Does what I say make any sense?

If you are a filter driver, you can anyway trap the creation of the
pagefiles, and retrieve the bitmap upon successful create. There are
multiple ways to accomplish this.

Dan

----- Original Message -----
From:
To: “File Systems Developers”
Sent: Monday, August 12, 2002 6:26 PM
Subject: [ntfsd] Re: pagefile cluster list

> Yes, but does it perform any defrag on pagefiles and system hives
> dynamically? I don't think so.

You can’t defrag it on a live system, but you are able to see how many
fragments there are on the first call of the tool (so they must be able to
read the retrieval pointers).

> I think you must reboot to defrag pagefiles.
> You can't just alter the pagefile cluster map while the system actively pages
> to it. Does what I say make any sense?

Yes. But all I want to do is to find out which clusters are in the page
file to prevent these clusters from being saved (because they are
worthless after the volume restore).

> If you are a filter driver, you can anyway trap the creation of the
> pagefiles, and retrieve the bitmap upon successful create. There are
> multiple ways to accomplish this.

I know I could install a filter, provoke a page fault and take that file
object, but I thought that there must be an easier (and less risky) way…

I would (of course) prefer a pure ring 3 solution.

Ruediger