Trace the sfilter, get the debug string say a lot of the same file name.

NTFSD
1

there are too many of the follow:

5:01:03 PM Default PkFilter!PadLockFilterDisplayCreateFileName:
Opened 00000000:00000001 \Device\HarddiskVolume1
\Documents and Settings\brilly\
5:01:03 PM Default PkFilter!PadLockFilterDisplayCreateFileName:
Opened 00000000:00000001 \Device\HarddiskVolume1\Documents and
Settings\brilly\
5:01:03 PM Default PkFilter!PadLockFilterDisplayCreateFileName:
Opened 00000000:00000001 \Device\HarddiskVolume1\Documents and
Settings\brilly\

why open a file or directory show so much times?

2

There is an excellent SOSP paper (December 1999 as I recall) that
describes some really interesting numbers about the “lifetime” of open
file instances. As I recall, the typical file is open for 4 ms.

This is largely a product of the Win32 API, because it is name based,
while the file system API is handle based. So a single Win32 API call
can easily translate into numerous calls to the file system - open the
file, perform the operation, close the file (this translates to
IRP_MJ_CREATE, IRP_MJ_XXX for the operation, IRP_MJ_CLEANUP and
IRP_MJ_CLOSE). So an application might perform three different
operations in a row and this transaltes into twelve IRPs to the file
system.

Now, this begs the question of why the Win32 layer doesn’t try to cache
last handle (it sure seems like it would be trivial to keep the last
handle you used open and then when a new operation comes in say “does
the name match” and if it does, use that handle, and if it does not,
discard that handle. But not even the file systems folks here on the
list probably have much insight into the twisted minds of the Win32
programmers!)

Regards,

Tony

Tony Mason
Consulting Partner
OSR Open Systems Resources, Inc.
http://www.osr.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of cnmmd
Sent: Wednesday, July 07, 2004 3:09 AM
To: ntfsd redirect
Subject: [ntfsd] Trace the sfilter, get the debug string say a lot of
the same file name.

there are too many of the follow:

5:01:03 PM Default PkFilter!PadLockFilterDisplayCreateFileName:
Opened 00000000:00000001 \Device\HarddiskVolume1 \Documents and
Settings\brilly\
5:01:03 PM Default PkFilter!PadLockFilterDisplayCreateFileName:
Opened 00000000:00000001 \Device\HarddiskVolume1\Documents and
Settings\brilly\
5:01:03 PM Default PkFilter!PadLockFilterDisplayCreateFileName:
Opened 00000000:00000001 \Device\HarddiskVolume1\Documents and
Settings\brilly\

why open a file or directory show so much times?

Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: xxxxx@osr.com To unsubscribe
send a blank email to xxxxx@lists.osr.com