questions on FltWriteFile

OSR_Community_User · October 4, 2011, 6:32am

Hello,

I am performing a synchronous write by making following call,
//open file for synchronous IO
iPosition.QuadPart = -1LL;
ntStatusRetVal = FltWriteFile(
FltObjects->Instance,
FileObject,
&iPosition,
pLogEntry->Length,
pLogEntry->Buffer,
FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET,
NULL,
NULL,
NULL
);

The documentation says that if you are calling FltCreateFile with FILE_SYNCHRONOUS_IO_ALERT or FILE_SYNCHRONOUS_IO_NONALERT, then current file offset is maintained. but calling FltWriteFile with FLTFL_IO_OPERATION_PAGING or FLTFL_IO_OPERATION_NON_CACHED and NULL for ByteOffset never turned into successful operation. I had to provide -1 for ByteOffset and FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET for appending data into file.

So finally does the file offset is maintained or not. Because here I have both contradictory case:
Synchronous write - Maintain offset position
FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET
Even after specifying FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET, whenever i print currentbyteoffset of fileobject, i get updated offset? This is completely opposite to what doc says.
Let’s say that it maintains file offset. Then if I specify NULL in the call to FltWriteFile it should use its maintained file offset, and append into file on every occasion. But this does not happen. Why?
and finally what kind of a IO operation this FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET causes to take place, is it cached IO?

This documentation has really got me confused.

Alex_Carp · October 7, 2011, 2:08pm

Which OS are you trying this on ?

Anyway, to answer your questions:

FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET means to not update the byte offset even if the FILE_OBJECT was opened for sync IO. The byte offset is not maintained anyway if the FILE_OBJECT was opened for async IO and so FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET has no effect.
When do you print the offset ?
Since you said “that’s not what happens” could you please explain what actually happens ? How exactly did you open the file (which parameters) and how did you write (again, please show the parameters)?
No, FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET doesn’t change the type of IO you issue. Instead it stores the current byte offset and sets it back into the FILE_OBJECT after the operation.

My experience has been that when trying to debug what’s going on with the byte offset the break on access (ba) command in the debugger really helps figure out who and when sets it and reads it.

Thanks,
Alex.

OSR_Community_User · October 10, 2011, 2:59am

================================================================
Following Code resides in DriverEntry

RtlInitUnicodeString(&ObjectName, L"\??\C:\logs\minilog.log");
InitializeObjectAttributes(
&ObjectAttributes,
&ObjectName,
OBJ_KERNEL_HANDLE,
NULL,
NULL
);

ntStatusRetVal = FltCreateFile(
RetFilter,
Instance,
&FileHandle,
//&FileObject,
FILE_APPEND_DATA | SYNCHRONIZE,
&ObjectAttributes,
&IoStatusBlock,
NULL,
FILE_ATTRIBUTE_NORMAL,
FILE_SHARE_READ, //| FILE_SHARE_WRITE | FILE_SHARE_DELETE,
FILE_OPEN_IF,
FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | FILE_SEQUENTIAL_ONLY,
NULL,
0,
IO_FORCE_ACCESS_CHECK
);

ntStatusRetVal = ObReferenceObjectByHandle(
FileHandle,
FILE_WRITE_DATA | FILE_APPEND_DATA | SYNCHRONIZE,
*IoFileObjectType,
KernelMode,
&FileObject,
NULL
);

Following code resides in some function which is called from SafePostCallback

LARGE_INTEGER iPosition;
iPosition.QuadPart = -1LL;
ntStatusRetVal = FltWriteFile(
FltObjects->Instance,
FileObject,
&iPosition,
pLogEntry->Length,
pLogEntry->Buffer,
FLTFL_IO_OPERATION_DO_NOT_UPDATE_BYTE_OFFSET, //What kind of IO is performed when this flag is used?
NULL,
NULL,
NULL
);
DbgPrint(“CurrentByteOffset = %lld”, FileObject->CurrentByteOffset.QuadPart);

OUPUT

CurrentByteOffset = 0
CurrentByteOffset = 1044
CurrentByteOffset = 1316
CurrentByteOffset = 1588
CurrentByteOffset = 1708
CurrentByteOffset = 1876
CurrentByteOffset = 2044
CurrentByteOffset = 2332
CurrentByteOffset = 2604
CurrentByteOffset = 2876

I am building this driver for Windows XP x86.
I guess i have already answered to your 2nd & 3 rd question by posting code.

As you can see I haven’t specifically provided some type of IO, so that bring me to the question what kind of a IO is taking place? Is it cahed IO?
thanks.

OSR_Community_User · October 10, 2011, 3:10am

Before calling FltWrite, some string is constructed using Rtl family functions which is pointed to by pLogEntry.

questions on FltWriteFile

================================================================ Following Code resides in DriverEntry

ntStatusRetVal = ObReferenceObjectByHandle( FileHandle, FILE_WRITE_DATA | FILE_APPEND_DATA | SYNCHRONIZE, *IoFileObjectType, KernelMode, &FileObject, NULL );

Following code resides in some function which is called from SafePostCallback

OUPUT

================================================================
Following Code resides in DriverEntry

ntStatusRetVal = ObReferenceObjectByHandle(
FileHandle,
FILE_WRITE_DATA | FILE_APPEND_DATA | SYNCHRONIZE,
*IoFileObjectType,
KernelMode,
&FileObject,
NULL
);