What are the mechanisms used to write to standard out?

Marc_Cruz · November 23, 2005, 2:45pm

Hi All,

I am using filemon to try to detect the mechanisms of writing to standard
out. Here is what I did:

Start a cmd window
Verify that I have a file: C:\a.txt
Start filemon and filter for cmd.exe and more.exe, Named Pipes, Volumes,
Mailslots, and Network
In the command window, I typed: more a.txt
The contents of the file was displayed in the command window
Reviewed the filemon output

I could did not observe any IRP_MJ_READ and/or IRP_MJ_WRITE.

My question are:

What is the mechanism (IRPs or other things) used to get the content of
C:\a.txt to the command window (i.e what happens internally to the data when
I type more C:\a.txt)? Are there any tools I can use to track this?

Thanks,

Marc

OSR_Community_User · November 23, 2005, 3:16pm

Maybe “more” uses memory-mapped files?

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Marc Cruz”
To: “Windows File Systems Devs Interest List”
Sent: Wednesday, November 23, 2005 10:45 PM
Subject: [ntfsd] What are the mechanisms used to write to standard out?

Hi All,

I am using filemon to try to detect the mechanisms of writing to standard
out. Here is what I did:

1) Start a cmd window
2) Verify that I have a file: C:\a.txt
3) Start filemon and filter for cmd.exe and more.exe, Named Pipes, Volumes,
Mailslots, and Network
4) In the command window, I typed: more a.txt
The contents of the file was displayed in the command window
5) Reviewed the filemon output

I could did not observe any IRP_MJ_READ and/or IRP_MJ_WRITE.

My question are:

1) What is the mechanism (IRPs or other things) used to get the content of
C:\a.txt to the command window (i.e what happens internally to the data when
I type more C:\a.txt)? Are there any tools I can use to track this?

Thanks,

Marc

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Marc_Cruz · November 30, 2005, 12:47am

I’m more curious in the mechanisms of printf. How does the data go from:

printf(“data”);

to being displayed in the console?

What are the system calls it uses, if any?

Thanks,

Marc

On 11/23/05, Maxim S. Shatskih wrote:
>
> Maybe “more” uses memory-mapped files?
>
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
> ----- Original Message -----
> From: “Marc Cruz”
> To: “Windows File Systems Devs Interest List”
> Sent: Wednesday, November 23, 2005 10:45 PM
> Subject: [ntfsd] What are the mechanisms used to write to standard out?
>
>
> Hi All,
>
> I am using filemon to try to detect the mechanisms of writing to standard
> out. Here is what I did:
>
> 1) Start a cmd window
> 2) Verify that I have a file: C:\a.txt
> 3) Start filemon and filter for cmd.exe and more.exe, Named Pipes,
> Volumes,
> Mailslots, and Network
> 4) In the command window, I typed: more a.txt
> The contents of the file was displayed in the command window
> 5) Reviewed the filemon output
>
> I could did not observe any IRP_MJ_READ and/or IRP_MJ_WRITE.
>
> My question are:
>
> 1) What is the mechanism (IRPs or other things) used to get the content of
> C:\a.txt to the command window (i.e what happens internally to the data
> when
> I type more C:\a.txt)? Are there any tools I can use to track this?
>
> Thanks,
>
> Marc
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@gmail.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

OSR_Community_User · November 30, 2005, 2:32am

> I’m more curious in the mechanisms of printf. How does the data go from:

printf(“data”);
to being displayed in the console?

Why you don’t look into the sources ?
They are available in installation of Visual Studio

L.

OSR_Community_User · November 30, 2005, 10:19am

printf() is something like sprintf() followed by fwrite(stdout)

fwrite(stdout) is write(0, …)

write(0,…) is WriteFile(GetStdHandle(STDOUT)…)

kernel32!WriteFile understands that the handle is the console and calls
CsrClientCallServer to write to the console. This goes to CSRSS process who
owns the console window.

Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

----- Original Message -----
From: “Marc Cruz”
To: “Windows File Systems Devs Interest List”
Sent: Wednesday, November 30, 2005 8:46 AM
Subject: Re: [ntfsd] What are the mechanisms used to write to standard out?

I’m more curious in the mechanisms of printf. How does the data go from:

printf(“data”);

to being displayed in the console?

What are the system calls it uses, if any?

Thanks,

Marc

On 11/23/05, Maxim S. Shatskih wrote:
>
> Maybe “more” uses memory-mapped files?
>
> Maxim Shatskih, Windows DDK MVP
> StorageCraft Corporation
> xxxxx@storagecraft.com
> http://www.storagecraft.com
>
> ----- Original Message -----
> From: “Marc Cruz”
> To: “Windows File Systems Devs Interest List”
> Sent: Wednesday, November 23, 2005 10:45 PM
> Subject: [ntfsd] What are the mechanisms used to write to standard out?
>
>
> Hi All,
>
> I am using filemon to try to detect the mechanisms of writing to standard
> out. Here is what I did:
>
> 1) Start a cmd window
> 2) Verify that I have a file: C:\a.txt
> 3) Start filemon and filter for cmd.exe and more.exe, Named Pipes,
> Volumes,
> Mailslots, and Network
> 4) In the command window, I typed: more a.txt
> The contents of the file was displayed in the command window
> 5) Reviewed the filemon output
>
> I could did not observe any IRP_MJ_READ and/or IRP_MJ_WRITE.
>
> My question are:
>
> 1) What is the mechanism (IRPs or other things) used to get the content of
> C:\a.txt to the command window (i.e what happens internally to the data
> when
> I type more C:\a.txt)? Are there any tools I can use to track this?
>
> Thanks,
>
> Marc
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>
>
>
> —
> Questions? First check the IFS FAQ at
> https://www.osronline.com/article.cfm?id=17
>
> You are currently subscribed to ntfsd as: xxxxx@gmail.com
> To unsubscribe send a blank email to xxxxx@lists.osr.com
>

—
Questions? First check the IFS FAQ at
https://www.osronline.com/article.cfm?id=17

You are currently subscribed to ntfsd as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com