pagefile/hiberfil sectors

Navneet_Kaur · November 5, 2010, 1:59am

Is it possible to get the disk sectors corresponding to pagefile/hiberfile in user mode or kernel mode? I tried the code from Mark Roddy’s “adventure in luser land” but got ERROR_SHARING_VIOLATION - looks like these files have been opened for exclusive access. Any pointers? Thank you.

NTDEV-26 · November 5, 2010, 2:26am

Just a thought.
Take a snapshot of volume and try to get extents from the snapshot device.
AFAIK, Extents of these files won’t change in a boot session.

BTW, Why you need extents of these files?

Regards
Deepak

On Fri, Nov 5, 2010 at 11:31 AM, wrote:

> Is it possible to get the disk sectors corresponding to pagefile/hiberfile
> in user mode or kernel mode? I tried the code from Mark Roddy’s “adventure
> in luser land” but got ERROR_SHARING_VIOLATION - looks like these files have
> been opened for exclusive access. Any pointers? Thank you.
>
>
>
> —
> NTFSD is sponsored by OSR
>
> For our schedule of debugging and file system seminars
> (including our new fs mini-filter seminar) visit:
> http://www.osr.com/seminars
>
> To unsubscribe, visit the List Server section of OSR Online at
> http://www.osronline.com/page.cfm?name=ListServer
>

Navneet_Kaur · November 5, 2010, 5:38am

I tried the following:

1.0 when my lower diskfltr driver receives (IOCTL_SCSI_GET_DUMP_POINTERS) which is before nt!NtCreatePageFile is called.

1.1 Pagefile
ZwCreateFile failed with status = 0xc0000043
IoCreateFile succeeded

1.2 Hiberfil
ZwCreateFile succeeded
IoCreateFile succeeded

2.0 when my lower diskfltr driver receives (IOCTL_SCSI_GET_DUMP_POINTERS) for the second time during boot.

For both hiberfil and pagefile:
ZwCreateFile failed with status = 0xc0000043
IoCreateFile failed with status = 0xc0000043

3.0 DisPatchPnp (DeviceUsageNotification)
ZwCreateFile failed with status = 0xc0000043
IoCreateFile failed with status = 0xc0000043

4.0 when my lower diskfltr driver receives (IOCTL_SCSI_GET_DUMP_POINTERS) before going into hibernation.
for both files:
ZwCreateFile failed with status = 0xc0000043
IoCreateFile succeeded

Thsi is how I’m calling:

status = ZwCreateFile (&handle,
SYNCHRONIZE,
&oa,
&iosb,
NULL,
FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN,
0,
FILE_OPEN,
FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
NULL,
0);

status = IoCreateFile (&handle,
SYNCHRONIZE,
&oa,
&iosb,
0,
FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN,
FILE_SHARE_VALID_FLAGS,
FILE_OPEN,
0,
0,
0,
CreateFileTypeNone,
0,
IO_OPEN_PAGING_FILE);

Now my question is when is the appropriate time to open the handles to these files so that I can use FSCTL_GET_RETRIEVAL_POINTERS to obtain the sectors of these files.

Thank you.