WriteFile api and results in FileSpy.

NTFSD
1

Hi,

I have written test application to write data into a file and then observing calls in the filespy utility.

for(int nCount = 0; nCount < NUMBER; nCount++)
{
hFile = CreateFile(FileName,GENERIC_READ|GENERIC_WRITE,FILE_SHARE_READ,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
WriteFile(hFile,cBuffer,(DWORD)(strlen(cBuffer)),&dwLength,NULL)
CloseHandle(hFile);
}

File spy output for NUMBER=1 below:

  1. Create request sent by SYSTEM process and the result returned is STATUS_OBJECT_NAME_NOT_FOUND. FileObject used is F1 [All requests on F1 are in context of System process].
  2. Create request sent by my process. This succeeds. Fileobject is say F2 [All request on F2 are in context of the test application].
  3. Cached write received for the file object F2. [Offset: 0-0 ToWrite: 1A1C60 Written: 1A1C60]
  4. Cleanup received for the file object F2.
  5. Create request is now observed on F1. This is followed by query of basic information.
  6. We then get a cleanup and a close on F1.
  7. Once again there is a create followed by 3 fastio query standard info on F1.
  8. This is again followed by a cleaup and close on F1.
  9. Now a close is seen on F2.
  10. Now I can see the non cached paging write on F1. [Offset: 0-180000 ToWrite: 10000 Written: 10000]
  11. Now I can see non cached set information which sets the end of file [Endoffile: 0-190000].
  12. Again I can see the non cached paging write on F1. [Offset: 0-190000 ToWrite: 10000 Written: 10000]
  13. Again I can see non cached set information which sets the end of file. [Endoffile: 0-1A0000].
  14. Again I can see the non cached paging write on F1. [Offset: 0-1A0000 ToWrite: 2000 Written: 1C60]
  15. Again I can see non cached set information which sets the end of file. [Endoffile: 0-1A1C60]
  16. Close is seen for F1.
  17. After this there is no other call that is seen.

General questions:

  1. Why is request 1 sent?
  2. Why are requests from 5-9 sent?
  3. Why can I see 3 non cached writes and non cached set information? Why could'nt this be done in a single call?
  4. Why does request 10 not start with offset 0. Also I do not understand why the end of file values are the way they are.
  5. If I run this application in a loop [NUMBER=10] and each time the data size written is different its always the case that requests from 10 to 17 are seen only at the end. How is this ensured?
  6. The same is true if I run my application twice simultaneously.
    Now my createfile looked like CreateFile(FileName,GENERIC_WRITE,FILE_SHARE_WRITE,NULL,CREATE_ALWAYS,FILE_ATTRIBUTE_NORMAL,NULL);
    Also sometimes one of the process fails with error that other process is using the file. What are the semantics of FILE_SHARE_WRITE? I read about this in some of the articles but did not get the exact meaning.

File size related questions:

  1. Here I can increase the file size in the request 3 which is a cached write by changing the write length.
  2. In case of request 10 I can insert the header in the file in the file and shift the actual data.
  3. As per the archive posts my header will be of 1 page size.

Thanks,
Trav

2

> 2. In case of request 10 I can insert the header in the file

in the file and shift the actual data.

This looks like another “I want to write data modify filter and
I don’t know how” post.

And the answer will also be like always.

Either buy FS internals book, get some classes about file systems,
search forum, in short get some knowledge. Then you will find
the answers on your own.

Or give it up.

L.

3

Hello Ladislav,

I am sorry if my question gave you that feeling. I am reading a book on FS internals. The book is a daunting 800 page one [I have not even reached the i/o manager chapter] and I would like to get atleast some head start while reading it.

I have also read all the articles with the “encryption and header” in it. Most people suggest adding header to the end but I want to add header at the beginning. There is only one article where you discuss briefly about adding the header at the post create time.

From the archives I have also come to know about lie the offsets / returned information in read write and query / set information calls.

Could you point me where to start looking for relevant information about at what point should the header be inserted? e.g. For trailer this is during the cached setinformation and non paging writes.

Trav