Paging Read and TopLevelIrp

Hi, everyone.

As far as I could understand from my “Windows NT File System Internals” book, having top-level IRP as NULL would mean the I/O request was sent by the user application passing through I/O Manager. I was looking for NULL top-level IRPs to audit the I/O an application is doing, trying to avoid indirect I/O requests like the ones initiated by VMM and Cache Manager.

However, I’m seeing my test application reading a mapped file, which causes a page fault and ends up on VMM sending a paging read IRP to my file system driver.

Although the VMM was the one creating the IRP, the top level IRP remained NULL.

Checking the book again, I saw there is no top-level IRP value for VMM reading data to attend page faults, but only for VMM flushing modified pages to the media.

So, can I assume VMM doing paging read I/O would not change top-level IRP?
Can I exclude these indirect I/O requests from my log by just checking for the paging I/O flag?

Regards,
Fernando Roberto da Silva

DriverEntry Kernel Development
http://www.driverentry.com.br

> As far as I could understand from my “Windows NT File System Internals”
> book, having top-level IRP as NULL would mean the I/O request
> was sent by the user application passing through I/O Manager.

Not really. It means whatever the file system wants it to mean. It is
often taken as shorthand for “I have grabbed the appropriate locks”. File
systems tend to set it before they call into Cc and in the callback (acquire
for lazywrite and its friends).

> I was looking for NULL top-level IRPs to audit the I/O an application is
> doing, trying to avoid indirect I/O requests like
> the ones initiated by VMM and Cache Manager.

Not what that TLA you mean by VMM?

But the bottom line is that any heuristic derived for TopLevelIrp is
going to be file system dependent. Did someone once tell me that
“pinball/HPFS” didn’t even use it in 3.7?

> Can I exclude these indirect I/O requests from my log by just checking for
> paging I/O flag?

Can you explain more what your requirements are?

Hi, Rod. Thanks for your help.

Not sure what TLA means, but VMM is Virtual Memory Manager.

I want to log all the I/O an application does on a given file, including cached and non-cached I/O.

However I want to skip the I/O that is initiated by Memory Manager (like page faults, flush of modified pages…) and Cache Manager (like Read-Ahead, Lazy Writer…).

As far as I can recall, all these I/O I wanted to skip are paging I/O. So not logging paging I/O IRPs seems to be the way to go.

Regards,
Fernando Roberto da Silva

DriverEntry Kernel Development
http://www.driverentry.com.br

> Not sure what TLA means, but VMM is Virtual Memory Manager.

Sorry. TLA == Three Letter Acronym.

> As far as I can recall, all these I/O I wanted to skip are paging I/O. So
> not logging paging I/O IRPs seems to be the way to go.

That would be my suggestion.
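
The two heuristics compared in this thread, side by side, as an added example that is not part of any post: a user-mode C model (not driver code) of the audit decision. The struct, function names and sample requests are hypothetical and constructed; the flag and major-function values are the ones defined in wdm.h.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Values as defined in wdm.h, redefined so this model builds in user mode. */
#define IRP_MJ_READ   0x03
#define IRP_MJ_WRITE  0x04
#define IRP_NOCACHE   0x00000001
#define IRP_PAGING_IO 0x00000002

/* Hypothetical, trimmed-down view of what a filter sees for one request. */
struct io_request {
    uint8_t     major_function;
    uint32_t    irp_flags;
    const void *top_level_irp;   /* what IoGetTopLevelIrp() would return */
};

/* Heuristic from the first post: NULL top-level IRP means application I/O. */
static bool log_by_top_level(const struct io_request *r)
{
    return r->top_level_irp == NULL;
}

/* Heuristic the thread settles on: log reads/writes unless flagged paging I/O. */
static bool log_by_paging_flag(const struct io_request *r)
{
    if (r->major_function != IRP_MJ_READ && r->major_function != IRP_MJ_WRITE)
        return false;
    return (r->irp_flags & IRP_PAGING_IO) == 0;
}

/* Constructed samples. The marker value 2 stands for any non-NULL
 * top-level IRP a file system sets before calling into the Cache Manager. */
static const struct io_request app_cached_read   = { IRP_MJ_READ,  0,           NULL };
static const struct io_request app_nocache_write = { IRP_MJ_WRITE, IRP_NOCACHE, NULL };
static const struct io_request page_fault_read   =
    { IRP_MJ_READ,  IRP_NOCACHE | IRP_PAGING_IO, NULL };
static const struct io_request lazy_write        =
    { IRP_MJ_WRITE, IRP_NOCACHE | IRP_PAGING_IO, (const void *)2 };

int main(void)
{
    /* The mapped-file page fault is where the two heuristics disagree. */
    bool disagree = log_by_top_level(&page_fault_read) &&
                    !log_by_paging_flag(&page_fault_read);
    bool rest_ok  = log_by_paging_flag(&app_cached_read) &&
                    log_by_paging_flag(&app_nocache_write) &&
                    !log_by_paging_flag(&lazy_write);
    return (disagree && rest_ok) ? 0 : 1;
}
```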