> Hibernation and writing crash dumps are done via an alternative disk I/O stack.
That’s what I expected. Otherwise a chicken-and-egg problem arises: I want to save the status of everything, including disk.sys and friends, but while I am saving, disk.sys’s status is changing.
The crash case is also an expected one, though the logic is kinda the opposite: I’d happily use disk.sys, but it [or something else that makes it work, for example, the OS :-)] is already dead.
Anyway, Tony, thank you for replacing my guesses with knowledge.
There is something else going on though.
Leave hiberfil and memory.dmp aside for a second.
I am trying to not just catch writes, but catch ALL writes, and I am always missing a couple (of thousands) of clusters.
Some of these missed clusters refer to ntuser.dat (or system or default).
I tried two different filters and ended up hooking atapi.sys (ok, ok, just testing).
I see all outgoing SRBs and log them all, but some writes are still being missed.
I have reason to believe that this does not happen due to some bug.
At first I suspected two undocumented SRB functions (function codes 0xc7 and 0xc8), but now I am inclined to think that there is some parallel machinery.
That’s why I ask - is there ANY way (except the special cases of hiber and crashes) that the disk is written to with atapi.sys bypassed?
Here’s the scheme I use:
- start with normal w2ksp4 on a virtual PC with one virtual hard drive in a w2sp4.vhd file. The w2ksp4 boots from an NTFS volume C:.
- install the driver and shut down.
- copy w2sp4.vhd into w2sp4.0.vhd (“before” state of a disk).
- start w2ksp4 (the driver logs writes), let it run for a while, deinstall the driver and shut down.
- copy w2sp4.vhd into w2sp4.1.vhd (“after” state of a disk).
- modify w2ksp4’s settings, adding w2sp4.0.vhd and w2sp4.1.vhd as 2nd and 3rd drives, respectively.
- start w2ksp4 and run a user-mode cluster-by-cluster comparison utility that logs changes between matching intervals on \\.\harddisk1 (“before”) and \\.\harddisk2 (“after”). These “intervals” are not partitions just yet; they will become K: (C: “before”) and L: (C: “after”) after one more reboot (C: was NTFS, so K: and L: do not appear immediately), but it does not matter - I can use disk coordinates from C:, since these “intervals” are copies of C: at different moments of its lifetime.
- compare the logs from steps 4 (what atapi sees) and 7 (actual differences).
Comparison of these two logs shows a varying number of modified clusters that were not seen by atapi.
Any ideas, suggestions, explanations are welcome.
Regards,
Alex
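Step 7’s cluster-by-cluster comparison and step 8’s reconciliation against the driver’s log, as an added example in Python that is not Alex’s utility: it diffs two constructed disk images, converts logged SRB sector ranges into partition-relative cluster intervals (assumed: 512-byte sectors, partition starting at LBA 63, 4 KB clusters), and reports clusters that changed but never appeared in the log.

```python
# Added example, not the poster's code. All images and log entries are constructed.
CLUSTER = 4096   # assumed NTFS cluster size
SECTOR = 512     # assumed sector size

def diff_clusters(before: bytes, after: bytes, cluster: int = CLUSTER):
    """Return sorted (first_cluster, count) intervals where the two images differ."""
    assert len(before) == len(after), "images must be the same size"
    n = len(before) // cluster
    changed, start = [], None
    for i in range(n):
        lo, hi = i * cluster, (i + 1) * cluster
        if before[lo:hi] != after[lo:hi]:
            if start is None:
                start = i            # open a new modified interval
        elif start is not None:
            changed.append((start, i - start))
            start = None
    if start is not None:            # interval running to the end of the image
        changed.append((start, n - start))
    return changed

def srb_to_cluster_interval(lba, sector_count, partition_lba,
                            sector=SECTOR, cluster=CLUSTER):
    """Map a logged SRB write (absolute LBA, sector count) to a cluster interval
    relative to the partition start, rounding partial clusters outward."""
    first_byte = (lba - partition_lba) * sector
    last_byte = first_byte + sector_count * sector - 1
    first = first_byte // cluster
    return (first, last_byte // cluster - first + 1)

def clusters_in(intervals):
    """Expand (first, count) intervals into a set of cluster numbers."""
    return {c for first, count in intervals for c in range(first, first + count)}

def missed_clusters(modified, logged):
    """Clusters that differ between the images but never appeared in the write log."""
    return sorted(clusters_in(modified) - clusters_in(logged))

def make_image(n_clusters, fills):
    """Constructed image: cluster i is filled with byte fills.get(i, 0)."""
    return b"".join(bytes([fills.get(i, 0)]) * CLUSTER for i in range(n_clusters))

# Constructed 16-cluster "C:" before/after: clusters 3..5 and 9 were modified.
BEFORE = make_image(16, {})
AFTER = make_image(16, {3: 0x41, 4: 0x41, 5: 0x41, 9: 0x42})
# Constructed SRB log (absolute LBA, sectors); partition assumed to start at LBA 63.
# The filter saw the write to clusters 3..5 and one to 12..13, but none to cluster 9.
WRITE_LOG = [srb_to_cluster_interval(87, 24, 63), srb_to_cluster_interval(159, 16, 63)]

if __name__ == "__main__":
    mod = diff_clusters(BEFORE, AFTER)
    print("modified:", mod, "missed by filter:", missed_clusters(mod, WRITE_LOG))
```

Running it on real images means reading both VHD-backed disks in cluster-sized chunks instead of holding them in memory, but the interval and reconciliation logic is the same.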
----- Original Message -----
From: “Tony Mason”
To: “Windows System Software Devs Interest List”
Sent: Saturday, July 09, 2005 6:52 PM
Subject: RE: [ntdev] Question on storage filter drivers
Hibernation and writing crash dumps are done via an alternative disk I/O stack.
Regards,
Tony
Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com
-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@Home
Sent: Saturday, July 09, 2005 6:34 PM
To: ntdev redirect
Subject: Re: [ntdev] Question on storage filter drivers
> HIBERFIL is never written using the usual path
Do you mean that writes to hiberfil do not go through, say, atapi.sys?
[Seems natural, because atapi’s status is part of what we are trying to save in hiberfil]
Are there any other cases when such a thing (a write that circumvents disk.sys and what sits below it) may happen?
Thanks in advance,
Alex
----- Original Message -----
From: “Maxim S. Shatskih”
To: “Windows System Software Devs Interest List”
Sent: Saturday, July 09, 2005 12:41 PM
Subject: Re: [ntdev] Question on storage filter drivers
> HIBERFIL is never written using the usual path, so your code will not see it anyway.
> PAGEFILE is written using usual paging IO, but you can do QUERY_RETRIEVAL_POINTERS on it in the FSF in the CREATE path up - after the underlying FSD has just opened the file.
>
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
> ----- Original Message -----
> From: “udas2980”
> Newsgroups: ntdev
> To: “Windows System Software Devs Interest List”
> Sent: Saturday, July 09, 2005 5:32 AM
> Subject: [ntdev] Question on storage filter drivers
>
>
>> Hi All,
>>
>> I am trying to write a storage filter driver to monitor / capture disk reads / writes. I would like to ignore any activity corresponding to both pagefile.sys and hiberfile.sys.
>>
>> One idea was to get the ‘extents’ of these files so I can ignore any activity in those spans. However, I can not use FSCTL_GET_RETRIEVAL_POINTERS w/o opening pagefile.sys (or hiberfile.sys) and I can not open these files because of sharing failure.
>>
>> What, if any, is the best way to know if a disk read / write is targeted to one of these files?
>>
>> Thanks in advance,
>> Udas
>>
>> —
>> Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256
>>
>> You are currently subscribed to ntdev as: xxxxx@storagecraft.com
>> To unsubscribe send a blank email to xxxxx@lists.osr.com