Where's the read?

So slightly misleading question because I recognize it is probably a caching issue. But it is frustrating me nonetheless. First, I am testing a minifilter on two systems; one physical and one VM. Both are Windows 7 x64 with similar builds. So the differences are slight.

The issue that I can’t figure out is what the difference actually is that makes the behavior different. When I run the minifilter and corresponding test program on the physical system I only get one IRP_MJ_READ for certain files (I’m filtering executable images) and that’s when I run the test program the first time. When I run the same tests on the VM, I get IRP_MJ_READs every time I run the test program, so it seems like there is no caching.

I checked the Prefetch/Superfetch settings and they are both the same. So my questions are, what am I overlooking between the two systems that makes the behavior different and how can I make the physical system act like the VM? Thanks.

Do you have the same amount of physical memory in both scenarios? If you have smaller physical memory you have a smaller effective data cache and thus it’s possible to end up with different behavior. If you can reproduce this on FAT, you might also want to compile it from sources (in the WDK) and walk it in the debugger to determine why there is a difference in behavior.

Tony
OSR

Looks like it was a physical memory difference. VM had less and once I increased it I saw similar behavior in the physical machine.

So to the second part of my question, is there a way to prevent certain types of files from being cached or a way to force a file read through some registry setting? Because the question invariably comes up, I need to do this because my driver/service is not guaranteed to run at system boot, which means the initial reads will be missed. Thanks.

None that I’ve ever discovered.

Tony
OSR