What are $LogFile, $BitMap, etc.?

I have a file system filter that records all write data to a special file
for the purpose of mirroring the file system.

The first writes on startup and writes that happen after IRP_MJ_SHUTDOWN are
to files named: $LogFile, $BitMap, $Mft, etc. I’ve checked and no such
files exist anywhere on the volume. What the heck are these?

The names come directly from irpSp->FileObject->FileName with
RelatedFileObject == NULL. When I use ZwQueryInformationFile on the file
objects I get the same names.

The thing that really matters to me is the writes after shutdown. These are
a problem because the logic of my current driver keeps me from writing to my
write log file after shutdown. If these aren’t real files then can I ignore
these writes? In general can I ignore any writes after shutdown is sent to
the fsd?

The volume is NTFS and these are all NTFS internal files ($LogFile is
the NTFS transaction journal, $BitMap is the volume bitmap, $Mft is the
“master file table”). Those files do exist, but they are not accessible
to normal utilities via the file system.

Ignoring these writes just means you’ll discard writes to NTFS
meta-data. Whether that is a good idea or not is your judgment call. I
WILL suggest that if you choose to throw some away, that you throw them
ALL away - that at least preserves transaction correctness for NTFS.

Regards,

Tony Mason

Consulting Partner

OSR Open Systems Resources, Inc.

http://www.osr.com


From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mark Hahn
Sent: Sunday, March 13, 2005 3:09 AM
To: ntfsd redirect
Subject: [ntfsd] What are $LogFile, $BitMap, etc.?

I have a file system filter that records all write data to a special
file for the purpose of mirroring the file system.

The first writes on startup and writes that happen after IRP_MJ_SHUTDOWN
are to files named: $LogFile, $BitMap, $Mft, etc. I’ve checked and
no such files exist anywhere on the volume. What the heck are these?

The names come directly from irpSp->FileObject->FileName with
RelatedFileObject == NULL. When I use ZwQueryInformationFile on the
file objects I get the same names.

The thing that really matters to me is the writes after shutdown. These
are a problem because the logic of my current driver keeps me from
writing to my write log file after shutdown. If these aren’t real files
then can I ignore these writes? In general can I ignore any writes
after shutdown is sent to the fsd?


Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17


Thanks. When I said “ignoring” I just meant not recording them on my
mirrored file system. I will still pass them on to NTFS.

Is there a way to identify these in general so I can ignore them everywhere?

Also, this should probably be a separate question, but will there ever be
any “real” writes after an IRP_MJ_SHUTDOWN happens?



All of these files have a file ID <16.

When NTFS receives the SHUTDOWN irp it does a flush on each of its
volumes. After this has completed it sets state so that all additional
file operations (including writes) will be failed. A case where I have
seen this happen is when a driver writes to the registry after shutdown.
The registry will attempt to write data to the volume but it will be
failed and the new registry value will be lost.

Neal Christiansen
Microsoft File System Filter Group Lead
This posting is provided “AS IS” with no warranties, and confers no
rights

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mark Hahn
Sent: Sunday, March 13, 2005 11:15 AM
To: Windows File Systems Devs Interest List
Subject: Re:[ntfsd] What are $LogFile, $BitMap, etc.?

Thanks. When I said “ignoring” I just meant not recording them on my
mirrored file system. I will still pass them on to NTFS.

Is there a way to identify these in general so I can ignore them
everywhere?

Also, this should probably be a separate question, but will there ever
be any “real” writes after an IRP_MJ_SHUTDOWN happens?



My mini-filter in general is duplicating every non-cached write operation to
my own transaction file. If I understand what you say about flushing
correctly, then the file system will do a lot of non-cached writes after the
IRP_MJ_SHUTDOWN. Can I do cached writes to my file during this flushing? If
not, can I do non-cached writes while it is flushing? You say that it
doesn’t disable writes until after the flush is finished, or did I
misunderstand you?



----------

After you have seen the pre-shutdown operation it is not safe to do
cached IO because there is no guarantee that it will actually get
written before the file system disables writes. In this situation you
should only do synchronous non-cached IO to your log.

You need to remember what the file system is doing when it receives a
shutdown IRP. They are conceptually dismounting the volume without
actually doing the dismount. This means they want to put the volume
into a consistent state (as if they were dismounting) and when that is
done prevent any additional changes.

Neal Christiansen
Microsoft File System Filter Group Lead
This posting is provided “AS IS” with no warranties, and confers no
rights

-----Original Message-----
From: Mark Hahn [mailto:xxxxx@hahnca.com]
Sent: Thursday, March 24, 2005 11:55 AM
To: xxxxx@lists.osr.com
Cc: Neal Christiansen
Subject: Re: What are $LogFile, $BitMap, etc.?

My mini-filter in general is duplicating every non-cached write
operation to my own transaction file. If I understand what you say
about flushing correctly, then the file system will do a lot of
non-cached writes after the IRP_MJ_SHUTDOWN. Can I do cached writes to
my file during this flushing? If not, can I do non-cached writes while
it is flushing? You say that it doesn’t disable writes until after the
flush is finished, or did I misunderstand you?



----------
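
Added example (not code from the thread, from NTFS, or from any poster's driver): a user-mode C model of the two rules in Neal Christiansen's replies above, the file ID < 16 test and synchronous non-cached-only logging once pre-shutdown has been seen, combined with Tony Mason's all-or-nothing advice for metadata writes. The function names, phase names and sample file references are assumptions constructed for illustration; the split of a file reference into a 48-bit record number and a 16-bit sequence number is the standard NTFS layout, and it is why the raw 64-bit value cannot be compared against 16 directly.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* An NTFS file reference is 64 bits: low 48 = MFT record number,
 * high 16 = sequence number. Compare the record number, not the raw
 * value, or a nonzero sequence number defeats the "< 16" test. */
#define NTFS_RECORD_MASK    0x0000FFFFFFFFFFFFULL
#define NTFS_FIRST_USER_REC 16u

/* Hypothetical filter state names, not taken from any driver. */
typedef enum { PHASE_RUNNING, PHASE_PRE_SHUTDOWN_SEEN, PHASE_SHUTDOWN_DONE } phase_t;
typedef enum { LOG_IO_ANY, LOG_IO_SYNC_NONCACHED, LOG_IO_NONE } log_io_t;

uint64_t ntfs_record_number(uint64_t file_ref) { return file_ref & NTFS_RECORD_MASK; }

bool is_ntfs_metafile(uint64_t file_ref)
{
    return ntfs_record_number(file_ref) < NTFS_FIRST_USER_REC;
}

/* What kind of I/O the filter may issue to its own log in each phase. */
log_io_t allowed_log_io(phase_t phase)
{
    switch (phase) {
    case PHASE_RUNNING:           return LOG_IO_ANY;
    case PHASE_PRE_SHUTDOWN_SEEN: return LOG_IO_SYNC_NONCACHED; /* cached data may never be flushed */
    default:                      return LOG_IO_NONE;           /* file system fails all operations */
    }
}

/* One volume-wide switch for metadata keeps the choice all-or-nothing:
 * either every metafile write is mirrored or none is. */
bool should_mirror_write(uint64_t file_ref, bool mirror_metadata, phase_t phase)
{
    if (allowed_log_io(phase) == LOG_IO_NONE)
        return false;
    return is_ntfs_metafile(file_ref) ? mirror_metadata : true;
}

int main(void)
{
    /* Constructed sample references: (sequence << 48) | record. */
    const uint64_t refs[] = { 0x0001000000000000ULL, 0x0002000000000002ULL,
                              0x0006000000000006ULL, 0x000300000000002AULL };
    for (size_t i = 0; i < sizeof refs / sizeof refs[0]; i++)
        printf("ref=%#018llx record=%llu metafile=%d\n",
               (unsigned long long)refs[i],
               (unsigned long long)ntfs_record_number(refs[i]),
               is_ntfs_metafile(refs[i]));
    return 0;
}
```

Record 5 is the volume's root directory, so a filter using this test treats writes to the root directory's own record as metadata as well.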