Hi everyone,

I am trying to find the meaning of IoControlCode when I use NtDeviceIoControlFile call.
For example, I have the value that came from user space which is ‘4D0008’ and I know that 4D is a DeviceType.
But my problem is that I cannot find how to match this 4D to the type of device. I can see that MSDN lists some of the devices but that is upto 36 so I could not figure out what 4D means.

Can anyone help me to find the information to get the name of devices when I have the value for it?
Or if anyone can at least point to some reference, I will really appreciate it.
Thank you very much in advance.

Ilho <><

Good question, as the 6001.b3 WDK only goes up to 0x41.

I don’t know.

mm

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of xxxxx@trigence.com
Sent: Wednesday, July 18, 2007 12:02
To: Windows System Software Devs Interest List
Subject: [ntdev] How can I find the meaning of IoControlCode?

Hi everyone,

I am trying to find the meaning of IoControlCode when I use
NtDeviceIoControlFile call.
For example, I have the value that came from user space which is
‘4D0008’ and I know that 4D is a DeviceType.
But my problem is that I cannot find how to match this 4D to the type of
device. I can see that MSDN lists some of the devices but that is upto
36 so I could not figure out what 4D means.

Can anyone help me to find the information to get the name of devices
when I have the value for it?
Or if anyone can at least point to some reference, I will really
appreciate it.
Thank you very much in advance.

Ilho <><

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

> I cannot find how to match this 4D to the type of device
4d is ‘M’
From C:\WinDDK\6000\inc\ddk\mountmgr.h:

#define MOUNTDEVCONTROLTYPE ((ULONG) ‘M’)

They do everything to make our lives even more miserable…

-------------- Original message --------------
From: xxxxx@trigence.com

Hi everyone,

I am trying to find the meaning of IoControlCode when I use
NtDeviceIoControlFile call.
For example, I have the value that came from user space which is ‘4D0008’ and I
know that 4D is a DeviceType.
But my problem is that I cannot find how to match this 4D to the type of device.
I can see that MSDN lists some of the devices but that is upto 36 so I could not
figure out what 4D means.

Can anyone help me to find the information to get the name of devices when I
have the value for it?
Or if anyone can at least point to some reference, I will really appreciate it.
Thank you very much in advance.

Ilho <><

---

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

Thank you very much, Mr. Alex!

Ilho <><

xxxxx@trigence.com wrote:

Hi everyone,

I am trying to find the meaning of IoControlCode when I use NtDeviceIoControlFile call.
For example, I have the value that came from user space which is ‘4D0008’ and I know that 4D is a DeviceType.
But my problem is that I cannot find how to match this 4D to the type of device. I can see that MSDN lists some of the devices but that is upto 36 so I could not figure out what 4D means.

4D is the ASCII code for the letter ‘M’. Note the following two
snippets in mountmgr.h:

===
#define MOUNTMGRCONTROLTYPE ((ULONG) ‘m’)
#define MOUNTDEVCONTROLTYPE ((ULONG) ‘M’)
…
//
// The following IOCTL is supported by mounted devices.
//

#define IOCTL_MOUNTDEV_QUERY_DEVICE_NAME
CTL_CODE(MOUNTDEVCONTROLTYPE, 2, METHOD_BUFFERED, FILE_ANY_ACCESS)

What you have is IOCTL_MOUNTDEV_QUERY_DEVICE_NAME.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Damn fine work.

mm

From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of
xxxxx@comcast.net
Sent: Wednesday, July 18, 2007 12:40
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] How can I find the meaning of IoControlCode?

I cannot find how to match this 4D to the type of device

4d is ‘M’

From C:\WinDDK\6000\inc\ddk\mountmgr.h:

#define MOUNTDEVCONTROLTYPE ((ULONG) ‘M’)

They do everything to make our lives even more miserable…

-------------- Original message --------------
From: xxxxx@trigence.com

Hi everyone,
>
> I am trying to find the meaning of IoControlCode when I use
> NtDeviceIoControlFile call.
> For example, I have the value that came from user space which
is ‘4D0008’ and I
> know that 4D is a DeviceType.
> But my problem is that I cannot find how to match this 4D to
the type of device.
> I can see that MSDN lists some of the devices but that is upto
36 so I could not
> figure out what 4D means.
>
> Can anyone help me to find the information to get the name of
devices when I
> have the value for it?
> Or if anyone can at least point to some reference, I will
really appreciate it.
> Thank you very much in advance.
>
> Ilho <><
>
> —
> Questions? First ch! eck the Kernel Driver FAQ at
> http://www.osronline.com/article.cfm?id=256
>
> To unsubscribe, visit the List Server section of OSR Online at

http://www.osronline.com/page.cfm?name=ListServer

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

> ----------

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of xxxxx@comcast.net[SMTP:xxxxx@comcast.net]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, July 18, 2007 6:40 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] How can I find the meaning of IoControlCode?

> I cannot find how to match this 4D to the type of device
4d is ‘M’
From C:\WinDDK\6000\inc\ddk\mountmgr.h:

#define MOUNTDEVCONTROLTYPE ((ULONG) ‘M’)

They do everything to make our lives even more miserable…

Don’t forget to apply Hanlon’s razor: “Never attribute to malice that which can be adequately explained by stupidity.”

In this case the developer probably enjoyed his smart idea and didn’t even imagine poor DDK users who search for unknown IOCTLs. Ask yourself if you’d resist and use 0x4d instead of nice ‘M’ for Mount Manager

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

In the general case:
http://www.stephencleary.com/ioctl/index.html

-Steve Cleary

Michal Vodicka wrote:

>
Don’t forget to apply Hanlon’s razor: “Never attribute to malice that which can be adequately explained by stupidity.”

Or habit.

In this case the developer probably enjoyed his smart idea and didn’t even imagine poor DDK users who search for unknown IOCTLs. Ask yourself if you’d resist and use 0x4d instead of nice ‘M’ for Mount Manager

It is also possible (although only wild speculation) that the developer
had a Unix background. In Unix, it is common to use an ASCII letter as
a qualifier for ioctl codes.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

FWIW, I am tring to find the owner of the header and update it so that
the hex value shows up near the IOCTL definition so that a grep will
find the value.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Wednesday, July 18, 2007 1:46 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] How can I find the meaning of IoControlCode?

Michal Vodicka wrote:

>
Don’t forget to apply Hanlon’s razor: “Never attribute to malice that
which can be adequately explained by stupidity.”

Or habit.

In this case the developer probably enjoyed his smart idea and didn’t
even imagine poor DDK users who search for unknown IOCTLs. Ask yourself
if you’d resist and use 0x4d instead of nice ‘M’ for Mount Manager

It is also possible (although only wild speculation) that the developer
had a Unix background. In Unix, it is common to use an ASCII letter as
a qualifier for ioctl codes.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

0x4D is ‘M’

–
Maxim Shatskih, Windows DDK MVP
StorageCraft Corporation
xxxxx@storagecraft.com
http://www.storagecraft.com

wrote in message news:xxxxx@ntdev…
> Hi everyone,
>
> I am trying to find the meaning of IoControlCode when I use
NtDeviceIoControlFile call.
> For example, I have the value that came from user space which is ‘4D0008’ and
I know that 4D is a DeviceType.
> But my problem is that I cannot find how to match this 4D to the type of
device. I can see that MSDN lists some of the devices but that is upto 36 so I
could not figure out what 4D means.
>
> Can anyone help me to find the information to get the name of devices when I
have the value for it?
> Or if anyone can at least point to some reference, I will really appreciate
it.
> Thank you very much in advance.
>
> Ilho <><
>

Good idea, thanks.

The hex value should be on the same line. I usually don’t use grep but line based searching in my file manager and in this case I’d seach first for “FILE_DEVICE*4d” (which wouldn’t work in this case anyway because creator didn’t follow this convention, too) and the second would be “#define*4d”.

#define MOUNTDEVCONTROLTYPE ((ULONG) ‘M’) // 0x4D

would be sufficient but

#define FILE_DEVICE_MOUNTDEV 0x4D // ‘M’

would be even better. Who else should follow rules, written or unwritten, than WDK headers?

BTW, if we talk about stupid definitions, this is my favorite one:

#define FILE_DEVICE_USB FILE_DEVICE_UNKNOWN

Best regards,

Michal Vodicka
UPEK, Inc.
[xxxxx@upek.com, http://www.upek.com]

---

From: xxxxx@lists.osr.com[SMTP:xxxxx@lists.osr.com] on behalf of Doron Holan[SMTP:xxxxx@microsoft.com]
Reply To: Windows System Software Devs Interest List
Sent: Wednesday, July 18, 2007 10:56 PM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] How can I find the meaning of IoControlCode?

FWIW, I am tring to find the owner of the header and update it so that
the hex value shows up near the IOCTL definition so that a grep will
find the value.

d

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Tim Roberts
Sent: Wednesday, July 18, 2007 1:46 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] How can I find the meaning of IoControlCode?

Michal Vodicka wrote:
>>
> Don’t forget to apply Hanlon’s razor: “Never attribute to malice that
which can be adequately explained by stupidity.”
>

Or habit.

> In this case the developer probably enjoyed his smart idea and didn’t
even imagine poor DDK users who search for unknown IOCTLs. Ask yourself
if you’d resist and use 0x4d instead of nice ‘M’ for Mount Manager
>

It is also possible (although only wild speculation) that the developer
had a Unix background. In Unix, it is common to use an ASCII letter as
a qualifier for ioctl codes.

–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

---

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at
http://www.osronline.com/page.cfm?name=ListServer

---

Questions? First check the Kernel Driver FAQ at http://www.osronline.com/article.cfm?id=256

To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Doron Holan wrote:

FWIW, I am tring to find the owner of the header and update it so that
the hex value shows up near the IOCTL definition so that a grep will
find the value.

Well, while you’re at it…

(from my own gawk script used to create the database of ioctl’s used by the link posted earlier):

device_types[“FILE_DEVICE_DOT4”] = 58; # 0x3a in ($DDK)/inc/ddk/d4drvif.h
device_types[“MOUNTDEVCONTROLTYPE”] = 77; # ‘M’ in ($DDK)/inc/ddk/mountmgr.h
device_types[“VOLSNAPCONTROLTYPE”] = 83; # ‘S’ in ($DDK)/inc/ddk/ntifs.h
device_types[“FILE_DEVICE_VOLUME”] = 86; # ‘V’ in ($DDK)/inc/api/ntddvol.h
device_types[“IOCTL_VOLUME_BASE”] = 86; # ‘V’ in ($SDK)/Include/WinIoctl.h
device_types[“FTTYPE”] = 102; # ‘f’ in ($DDK)/inc/api/ntddft.h
device_types[“FTCONTROLTYPE”] = 103; # ‘g’ in ($DDK)/inc/api/ntddft2.h
device_types[“MOUNTMGRCONTROLTYPE”] = 109; # ‘m’ in ($DDK)/inc/ddk/mountmgr.h
device_types[“FILE_DEVICE_IRCLASS”] = 3936; # 0x0F60 in ($DDK)/inc/ddk/irclass_ioctl.h
device_types[“FILE_DEVICE_USB_SCAN”] = 32768; # 0x8000 in ($DDK)/inc/ddk/usbscan.h
device_types[“0xc0c0”] = 49344; # 0xc0c0 in ($DDK)/inc/ddk/ntddnlb.h

These are all the ones I’m aware of. There’s also an undefined symbolic value FILE_DEVICE_AVIO in winioctl.h/ntddk.h.

-Stephen Cleary

I/O Control Code Decoder
http://www.freewebs.com/four-f/Tools/IoctlDecoder.zip