Hi devs:
I´ve been recently observing the file system level behaviour of an
application that reads a file using file mapping, and found something really
strange: I cannot see any reads.
I used FILEMON to watch the file activity, and the application is V 2000,
the file viewer. This is the filemon log I get when I viev a file (I omiting
some CREATE/QUERY_INFO/CLEANUP/CLOSE sequences that appear before and that
are not relevant):
IRP_MJ_CREATE C:\test.txt SUCCESS Attributes: N Options:
Open
IRP_MJ_QUERY_VOLUME_INFORMATION C:\test.txt SUCCESS FileFsVolumeInformation
IRP_MJ_QUERY_INFORMATION C:\test.txt BUFFER OVERFLOW
FileAllInformation
FASTIO_QUERY_STANDARD_INFO C:\test.txt SUCCESS Size: 6997
FASTIO_QUERY_BASIC_INFO C:\test.txt SUCCESS Attributes: A
IRP_MJ_CLEANUP C:\test.txt SUCCESS
IRP_MJ_CLOSE C:\test.txt SUCCESS
I´ve also experimented a little bit with my filter driver in the same
situation, and found out that the FASTIO_QUERY_STANDARD_INFO comes when the
application calls CreateFileMapping. If I reject the fast I/O request, then
I get the corresponding IRP, which has, as expected, the IRP_PAGING_IO flag
set.
But where are de read requests ?.
As far as I know, when one creates a file mapping, no reads are performed,
but when one tries to read any data from the paged memory area, a page fault
is generated, which is caught by the memory manager, which generates a read
request (which should come with the PAGING_IO flag set) to bring the data
from the mapped file to memory.
My guess is that when the page fault occurs, if the memory manager finds
that the data is already in a loaded page, reuses it thus generating no read
requests.
Another question I have is, if my guess is right: is there a way of
modifying the IRP_MJ_CREATE of a file such that either:
a) No file mapping is allowed for that file (I don´t care if the application
fails) or even GPFs.
b) If a file mapping is performed, no data from the already loaded pages
will be used, so at least I will see the read requests generated by the
memory manager when loading the data into the pages.
Thanks. Nacho.
You are currently subscribed to ntfsd as: $subst(‘Recip.EmailAddr’)
To unsubscribe send a blank email to leave-ntfsd-$subst(‘Recip.MemberIDChar’)@lists.osr.com