Question on storage filter drivers

Hi All,

I am trying to write a storage filter driver to monitor / capture disk
reads / writes. I would like to ignore any activity corresponding to
both pagefile.sys and hiberfile.sys.

One idea was to get the ‘extents’ of these files so I can ignore any
activity in those spans. However, I can not use
FSCTL_GET_RETRIEVAL_POINTERS w/o opening pagefile.sys (or hiberfile.sys)
and I can not open these files because of sharing failure.

What, if any, is the best way to know if a disk read / write is targeted
to one of these files?

Thanks in advance,
Udas

HIBERFIL is never written using the usual path, so your code will not see
it anyway.
PAGEFILE is written using usual paging IO, but you can do
QUERY_RETRIEVAL_POINTERS on it in the FSF in the CREATE path up - after the
underlying FSD has just opened the file.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

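Added example (editor's code, not from Maxim's post or from any of the drivers discussed): once the filter has the paging file's retrieval pointers from its create-completion path, the VCN/LCN runs still have to be turned into the byte ranges a storage filter actually sees in read/write requests. The two structs below mirror the documented RETRIEVAL_POINTERS_BUFFER layout (StartingVcn, ExtentCount, then NextVcn/Lcn pairs) so the arithmetic compiles and runs in user mode without Windows headers; the 4 KiB cluster size, the 1 MiB partition start and the sample run list are constructed values. An LCN of -1 marks a hole that owns no disk clusters and is skipped. A filter below partition manager must add the partition's starting offset, a volume-level filter passes 0; and because the paging file can be extended at run time, the cached ranges have to be refreshed whenever the file is reopened or grows.

```c
/* Added example (editor's code, not from the thread). The structs mirror the
 * documented RETRIEVAL_POINTERS_BUFFER layout so this runs without Windows headers. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int64_t NextVcn;   /* first VCN after this extent */
    int64_t Lcn;       /* starting LCN, or -1 for a hole with no disk clusters */
} RP_EXTENT;

typedef struct {
    uint32_t  ExtentCount;
    int64_t   StartingVcn;
    RP_EXTENT Extents[8];   /* fixed here; the real buffer is variable length */
} RP_BUFFER;

typedef struct { uint64_t start, end; } RANGE;   /* disk bytes [start, end) */

/* Convert VCN/LCN runs to absolute disk byte ranges, skipping holes.  A filter
 * below partition manager must add partition_start; a volume filter passes 0.
 * Returns the number of ranges written to out (at most max_out). */
size_t extents_to_ranges(const RP_BUFFER *rp, uint64_t cluster_bytes,
                         uint64_t partition_start, RANGE *out, size_t max_out)
{
    size_t n = 0;
    int64_t vcn = rp->StartingVcn;
    for (uint32_t i = 0; i < rp->ExtentCount; i++) {
        int64_t next = rp->Extents[i].NextVcn, lcn = rp->Extents[i].Lcn;
        int64_t len = next - vcn;
        if (len > 0 && lcn >= 0 && n < max_out) {
            out[n].start = partition_start + (uint64_t)lcn * cluster_bytes;
            out[n].end   = out[n].start + (uint64_t)len * cluster_bytes;
            n++;
        }
        vcn = next;
    }
    return n;
}

/* Does the I/O [offset, offset + length) overlap any of the ranges? */
int io_touches_ranges(const RANGE *r, size_t n, uint64_t offset, uint64_t length)
{
    for (size_t i = 0; i < n; i++)
        if (offset < r[i].end && offset + length > r[i].start)
            return 1;
    return 0;
}

/* Constructed sample: a paging file with two runs around a sparse hole, on a
 * volume with 4 KiB clusters that starts 1 MiB into the disk. */
#define SAMPLE_CLUSTER    4096ull
#define SAMPLE_PART_START (1ull << 20)

static const RP_BUFFER sample = {
    .ExtentCount = 3, .StartingVcn = 0,
    .Extents = {
        { .NextVcn = 256,  .Lcn = 1000 },   /* VCN 0..255    -> LCN 1000..1255 */
        { .NextVcn = 512,  .Lcn = -1   },   /* VCN 256..511  -> no clusters    */
        { .NextVcn = 1024, .Lcn = 5000 },   /* VCN 512..1023 -> LCN 5000..5511 */
    }
};

static size_t sample_ranges(RANGE *out)
{
    return extents_to_ranges(&sample, SAMPLE_CLUSTER, SAMPLE_PART_START, out, 8);
}

size_t   sample_range_count(void)     { RANGE r[8]; return sample_ranges(r); }
uint64_t sample_range_start(size_t i) { RANGE r[8]; return i < sample_ranges(r) ? r[i].start : 0; }
uint64_t sample_range_end(size_t i)   { RANGE r[8]; return i < sample_ranges(r) ? r[i].end : 0; }

/* 1 if a write of `length` bytes at disk offset `offset` lands in the paging file. */
int sample_io_hits(uint64_t offset, uint64_t length)
{
    RANGE r[8];
    return io_touches_ranges(r, sample_ranges(r), offset, length);
}

int main(void)
{
    for (size_t i = 0, n = sample_range_count(); i < n; i++)
        printf("pagefile run %zu: disk bytes [%llu, %llu)\n", i,
               (unsigned long long)sample_range_start(i),
               (unsigned long long)sample_range_end(i));
    uint64_t w = SAMPLE_PART_START + 1002 * SAMPLE_CLUSTER;   /* 3rd cluster of run 0 */
    printf("4 KiB write at %llu %s the pagefile\n", (unsigned long long)w,
           sample_io_hits(w, 4096) ? "hits" : "misses");
    return 0;
}
```

The overlap test is deliberately half-open on both sides, so a write that ends exactly at the first byte of a run is not counted as touching it, while one that reaches a single byte into the run is; that is the boundary a filter gets wrong most easily.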

> FSCTL_GET_RETRIEVAL_POINTERS w/o opening pagefile.sys (or hiberfile.sys)
> and I can not open these files because of sharing failure.

Tried this?

Result = IoCreateFile(&PageFileHandle, SYNCHRONIZE, &PageFileObjectAttributes,
                      &IoStatusBlock, NULL /* AllocationSize */, FILE_ATTRIBUTE_NORMAL,
                      FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN,
                      FILE_SYNCHRONOUS_IO_NONALERT, NULL, 0 /* no EAs */,
                      CreateFileTypeNone, NULL /* InternalParameters */,
                      IO_NO_PARAMETER_CHECKING | IO_OPEN_PAGING_FILE);


Have you thought about MiExtendPagingFiles? Does what it says on the tin!


> HIBERFIL is never written using the usual path
Do you mean that writes to hiberfil do not go through, say, atapi.sys?
[Seems natural, because atapi’s status is part of what we are trying to save in
hiberfil]

Are there any other cases when such a thing (a write that circumvents disk.sys
and what sits below it) may happen?

Thanks in advance,
Alex


Hibernation and writing crash dumps are done via an alternative disk I/O
stack.

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com


> I am trying to write a storage filter driver to monitor / capture disk
> reads / writes. I would like to ignore any activity corresponding to
> both pagefile.sys and hiberfile.sys.

Have you considered just checking for a match with the paging file object in
the file object field in the read/write Irps? Tracking the metadata writes
associated with the paging file (i.e. allocation bitmap writes when a
pagefile expands) is much harder.

The tricky part of capturing ALL the writes to a volume is those last few
that occur at system shutdown. The last writes are caused by the file system
marking the volume as clean. If you need to write that data to the file
system that just went offline, you can no longer use the file system to do
so. The writes that occur on startup are also pretty tricky, as they can be
part of a volume rolling back its logging to a consistent state, which all
occurs before the volume is mounted. You also may want to do something to
handle volume defrag. This potentially can write the whole volume (if files
are compacted), although not much data is really changed (only moved).

I’m a bit curious how the volume snapshot facility handles these issues,
since it stores volume updates in a hidden file on the volume. The iSCSI
initiator I believe also may deal with some tricky areas, like system
shutdown (how does it get iSCSI volumes to shutdown before the network stack
goes away).

A hardware card with flash/NVRAM to store volume changes would make all
these issues much easier to deal with.

If you just want to capture the read/write metadata (offset/size), say to
write an activity analyzer of some sort, there is a WMI tracing facility you
can use with no need for a driver.

- Jan

> Hibernation and writing crash dumps are done via an alternative disk I/O
> stack.
That’s what I expected. Otherwise a chicken-egg problem arises: I want to save
the status of everything, including disk.sys and friends, but while I am saving,
disk.sys’s status is changing.

Crash case is also an expected one, though the logic is kinda opposite: I’d
happily use disk.sys, but it [or something else that makes it work, for example,
the OS:-)] is already dead.

Anyway, Tony, thank you for replacing my guesses by knowledge.

There is something else going on though.
Leave hiberfil and memory.dmp aside for a second.

I am trying to not just catch writes, but catch ALL writes, and I am always
missing a couple (of thousands) of clusters.

Some of these missed clusters refer to the ntuser.dat (or system or default).

I tried two different filters and ended up by hooking atapi.sys (ok, ok, just
testing). I see all outgoing SRBs and log them all, but some writes are being
missed still.

I have a reason to believe that this happens not due to some bug.

At first I suspected two undocumented SRB functions (function codes 0xc7 and
0xc8), but now I am inclined to think that there is some parallel machinery.

That’s why I ask - is there ANY way (except special cases of hiber and crashes)
that the disk is written to with atapi.sys bypassed?

Here’s the scheme I use:

  1. start with normal w2ksp4 on a virtual PC with one virtual hard drive in a
     w2sp4.vhd file. The w2ksp4 boots from an NTFS volume C:.

  2. install the driver and shut down.

  3. copy w2sp4.vhd into w2sp4.0.vhd (“before” state of a disk).

  4. start w2ksp4 (the driver logs writes), let it run for a while, deinstall
     the driver and shut down.

  5. copy w2ksp4.vhd into w2sp4.1.vhd (“after” state of a disk).

  6. modify w2ksp4’s settings, adding w2sp4.0.vhd and w2sp4.1.vhd as 2nd and
     3rd drives, respectively.

  7. start w2ksp4 and run a user-mode cluster-by-cluster comparison utility that
     logs changes between matching intervals on \\.\harddisk1 (“before”) and
     \\.\harddisk2 (“after”). These “intervals” are not partitions just yet, they
     will become K: (C: “before”) and L: (C: “after”) after one more reboot (C:
     was NTFS, so K: and L: do not appear immediately), but it does not matter -
     I can use disk coordinates from C:, since these “intervals” are copies of
     C: at different moments of its lifetime.

  8. compare the logs from steps 4 (what atapi sees) and 7 (actual differences).
     Comparison of these two logs shows a varying number of modified clusters
     that were not seen by atapi.

Any ideas, suggestions, explanations are welcome.

Regards,
Alex

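Added example (editor's code, not Alex's utility): the core of steps 7 and 8 above, namely comparing the "before" and "after" images cluster by cluster, coalescing the differing clusters into runs, and then subtracting the writes the filter logged so that what remains is exactly the set of clusters that changed without the filter seeing a write to them. Everything here is constructed: two 16-cluster in-memory images with 512-byte clusters stand in for \\.\harddisk1 and \\.\harddisk2, and the write log is a handful of offset/length pairs of the kind a disk filter records from the IRP or SRB. Real images would be read in cluster-aligned chunks from the raw disk handles, and when the log comes from a disk-level filter while the comparison is done in volume coordinates, the partition's starting offset has to be subtracted from the logged offsets first.

```c
/* Added example (editor's code, not Alex's utility): compare two disk images
 * cluster by cluster and report the clusters that changed without a matching
 * entry in the filter's write log.  Images and log are constructed in memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint64_t first, count; } RUN;                      /* run of clusters */
typedef struct { uint64_t offset; uint32_t length; } LOGGED_WRITE;  /* bytes, as logged from an IRP/SRB */

/* Compare `size` bytes of before/after in `cluster`-byte units and coalesce the
 * differing clusters into runs.  Returns the number of runs (at most max_out). */
size_t diff_clusters(const uint8_t *before, const uint8_t *after, size_t size,
                     size_t cluster, RUN *out, size_t max_out)
{
    size_t n = 0;
    int in_run = 0;
    for (uint64_t c = 0; c * cluster < size; c++) {
        size_t off = (size_t)(c * cluster);
        size_t len = size - off < cluster ? size - off : cluster;
        int differs = memcmp(before + off, after + off, len) != 0;
        if (differs && !in_run) {
            if (n == max_out) return n;    /* out of room: report what we have */
            out[n].first = c; out[n].count = 1; in_run = 1;
        } else if (differs) {
            out[n].count++;
        } else if (in_run) {
            n++; in_run = 0;
        }
    }
    return in_run ? n + 1 : n;
}

/* Was cluster c overlapped by any logged write? */
static int cluster_logged(uint64_t c, size_t cluster,
                          const LOGGED_WRITE *log, size_t nlog)
{
    uint64_t start = c * cluster, end = start + cluster;
    for (size_t i = 0; i < nlog; i++)
        if (log[i].offset < end && log[i].offset + log[i].length > start)
            return 1;
    return 0;
}

/* Count changed clusters with no logged write; *first_missed gets the lowest
 * such cluster number (UINT64_MAX if every change was seen). */
uint64_t unseen_clusters(const RUN *runs, size_t nruns, size_t cluster,
                         const LOGGED_WRITE *log, size_t nlog, uint64_t *first_missed)
{
    uint64_t missed = 0;
    *first_missed = UINT64_MAX;
    for (size_t i = 0; i < nruns; i++)
        for (uint64_t c = runs[i].first; c < runs[i].first + runs[i].count; c++)
            if (!cluster_logged(c, cluster, log, nlog)) {
                if (missed++ == 0) *first_missed = c;
            }
    return missed;
}

/* Constructed scenario: 16 clusters of 512 bytes.  Clusters 2, 3 and 9 differ
 * between the images; the log covers clusters 2-3 and 12 (a write whose data
 * happened to be identical) but has nothing for cluster 9. */
#define CLUSTER     512
#define IMAGE_BYTES (16 * CLUSTER)

static uint64_t run_scenario(uint64_t *first_missed, size_t *nruns_out)
{
    static uint8_t before[IMAGE_BYTES], after[IMAGE_BYTES];
    memset(before, 0xAA, sizeof before);
    memcpy(after, before, sizeof after);
    after[2 * CLUSTER + 7]   ^= 0xFF;   /* cluster 2 */
    after[3 * CLUSTER]       ^= 0x01;   /* cluster 3 */
    after[9 * CLUSTER + 511] ^= 0x80;   /* cluster 9 */

    const LOGGED_WRITE log[] = {
        { 2 * CLUSTER, 2 * CLUSTER },   /* covers clusters 2 and 3 */
        { 12 * CLUSTER, CLUSTER },      /* logged, but nothing changed there */
    };
    RUN runs[16];
    *nruns_out = diff_clusters(before, after, IMAGE_BYTES, CLUSTER, runs, 16);
    return unseen_clusters(runs, *nruns_out, CLUSTER, log, 2, first_missed);
}

/* Scalar views of the scenario, for checking. */
size_t   scenario_runs(void)         { uint64_t f; size_t n; run_scenario(&f, &n); return n; }
uint64_t scenario_missed(void)       { uint64_t f; size_t n; return run_scenario(&f, &n); }
uint64_t scenario_first_missed(void) { uint64_t f; size_t n; run_scenario(&f, &n); return f; }

int main(void)
{
    printf("%zu changed run(s); %llu cluster(s) changed with no logged write",
           scenario_runs(), (unsigned long long)scenario_missed());
    if (scenario_missed())
        printf(" (first: cluster %llu)", (unsigned long long)scenario_first_missed());
    printf("\n");
    return 0;
}
```

Note the asymmetry the scenario builds in: a logged write whose data was unchanged (cluster 12) is harmless and simply does not show up in the diff, whereas a changed cluster with no logged write (cluster 9) is the case the procedure is hunting for, and it is the only kind the tool reports.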

I believe the volsnap.sys driver gets the retrieval pointers (bitmap) of the
file it is going to use and then does direct disk I/O bypassing the file
system. I know of other snapshot drivers that use a similar technique.

Jamey


>> HIBERFIL is never written using the usual path
> Do you mean that writes to hiberfil do not go through, say, atapi.sys?

Second instance of atapi.sys is loaded just to write HIBERFIL and crash dumps.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

Thanks to all the replies. It is enough to convince ourselves that
hiberfil.sys can’t be skipped w/o a lot of digging.

> Tried this?
>
> Result = IoCreateFile(&PageFileHandle, SYNCHRONIZE,
> &PageFileObjectAttributes, &IoStatusBlock, NULL, FILE_ATTRIBUTE_NORMAL,
> FILE_SHARE_READ | FILE_SHARE_WRITE, FILE_OPEN, FILE_SYNCHRONOUS_IO_NONALERT,
> NULL, 0, 0, NULL, IO_NO_PARAMETER_CHECKING | IO_OPEN_PAGING_FILE);

I tried opening pagefile.sys as above and it opens OK. I will continue
along this line.

> Have you thought about MiExtendPagingFiles? Does what it says on the tin!

I am sorry, but I can’t find anything about MiExtendPagingFiles. Can you
please elaborate or post a link to some info?

Thanks again,
Udas