This call stack looks as though it is going to the CSC to retrieve the
information. Are you possibly getting into the call path where the cache
exists on the local system?
Pete
–
Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295
------ Original Message ------
From: xxxxx@hotmail.com
To: “Windows File Systems Devs Interest List”
Sent: 1/18/2017 11:52:52 AM
Subject: RE:[ntfsd] Map drive question
>Here is the thread of the Explorer which is enumerating the directory,
>but I can’t tell anything special here.
>
>THREAD fffffa800265f060 Cid 0a58.0b9c Teb: 000007fffff52000 Win32Thread: fffff900c068a010 WAIT: (Executive) KernelMode Alertable
>    fffffa8002c6bc10 NotificationEvent
>IRP List:
>    fffffa8001b36010: (0006,01f0) Flags: 00060800 Mdl: fffffa800283aaf0
>Not impersonating
>DeviceMap fffff8a001a94640
>Owning Process fffffa8001ad2680 Image: explorer.exe
>Attached Process N/A Image: N/A
>Wait Start TickCount 4266046 Ticks: 277 (0:00:00:04.328)
>Context Switch Count 572 IdealProcessor: 0 LargeStack
>UserTime 00:00:00.031
>KernelTime 00:00:00.015
>Win32 Start Address 0x000000007792f6f0
>Stack Init fffff88004546db0 Current fffff880045460d0
>Base fffff88004547000 Limit fffff8800453e000 Call 0
>Priority 11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority 2 PagePriority 5
>Child-SP          RetAddr           : Args to Child                                                           : Call Site
>fffff880`04546110 fffff800`026bbe42 : 00000000`00000000 fffffa80`0265f060 fffffa80`03f3ec28 fffff880`0000000b : nt!KiSwapContext+0x7a
>fffff880`04546250 fffff800`026cd1df : fffff880`0364b4a8 fffff880`02612000 00000000`00000000 fffffa80`03f3e938 : nt!KiCommitThreadWait+0x1d2
>fffff880`045462e0 fffff800`029617ee : 00000000`00000100 fffffa80`00000000 00000000`00000000 fffff880`02612201 : nt!KeWaitForSingleObject+0x19f
>fffff880`04546380 fffff800`0296186b : fffffa80`03833501 fffffa80`028409c0 fffffa80`038334d0 fffff8a0`01db9da0 : nt!FsRtlCancellableWaitForMultipleObjects+0x5e
>fffff880`045463e0 fffff880`026931e3 : fffffa80`02c6bc10 fffffa80`03833501 fffffa80`028409c0 fffffa80`038334d0 : nt!FsRtlCancellableWaitForSingleObject+0x27
>fffff880`04546420 fffff880`02680f07 : 00000000`00000001 fffff8a0`00000000 fffffa80`00010000 fffff800`00000025 : mrxsmb20!MRxSmb2EnumerateDirectoryFromCache+0x2ab
>fffff880`045464d0 fffff880`03a5d4f3 : 00000000`00010000 00000000`00010000 fffff8a0`0a195b00 fffff8a0`0a195b00 : mrxsmb20!MRxSmb2QueryDirectory+0x1b
>fffff880`04546520 fffff880`0365dd52 : fffffa80`028409c0 fffffa80`01b36001 fffffa80`00000000 fffffa80`00010000 : csc!CscQueryDirectory+0x49f
>fffff880`04546630 fffff880`0365df9f : fffffa80`028409c0 fffffa80`01b36010 fffff8a0`0a195b00 00000000`00000025 : rdbss!RxQueryDirectory+0x682
>fffff880`045466d0 fffff880`03633684 : 00000000`00000000 fffff880`04546770 fffffa80`028409c0 00000000`00000001 : rdbss!RxCommonDirectoryControl+0xeb
>fffff880`04546730 fffff880`03650b44 : fffffa80`01b36010 fffffa80`0394d00c 00000000`c0000016 fffffa80`01b36010 : rdbss!RxFsdCommonDispatch+0x870
>fffff880`04546820 fffff880`026202bc : fffffa80`01b36010 00000000`c0000016 fffffa80`01b36170 fffffa80`0394d040 : rdbss!RxFsdDispatch+0x224
>fffff880`04546890 fffff880`019e6271 : fffffa80`03ebf010 fffffa80`01b36010 fffffa80`03e9f780 fffff8a0`001269e0 : mrxsmb!MRxSmbFsdDispatch+0xc0
>fffff880`045468d0 fffff880`019e4138 : fffff8a0`001269e0 fffffa80`03ebf010 00000000`00000001 00000000`00000000 : mup!MupiCallUncProvider+0x161
>fffff880`04546940 fffff880`019e4b0d : fffffa80`01b36010 fffff880`019e2110 fffffa80`02678890 00000000`00000000 : mup!MupStateMachine+0x128
>fffff880`04546990 fffff880`01038bcf : fffffa80`01b361b8 fffffa80`03ebf010 fffff880`04546a20 fffffa80`027e4b60 : mup!MupFsdIrpPassThrough+0x12d
>fffff880`045469e0 fffff880`010376df : fffffa80`02801640 fffffa80`02678890 fffffa80`02801600 fffffa80`01b36010 : fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
>fffff880`04546a70 fffff800`029b3b2a : fffffa80`01b36010 fffff880`04546ca0 00000000`0a3ae368 fffff880`04546bc8 : fltmgr!FltpDispatch+0xcf
>fffff880`04546ad0 fffff800`026c5693 : fffffa80`0265f060 fffff880`04546ca0 00000000`0a3ae368 fffff880`04546bc8 : nt!NtQueryDirectoryFile+0x1aa
>fffff880`04546bb0 00000000`7795c08a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff880`04546c20)
>00000000`0a3ae348 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x7795c08a
>
>
>
>—
>NTFSD is sponsored by OSR