Re[2]: Map drive question

This call stack looks as though it is going to the CSC to retrieve the
information. Are you possibly getting into the call path where the cache
exists on the local system?

Pete


Kernel Drivers
Windows File System and Device Driver Consulting
www.KernelDrivers.com
866.263.9295

------ Original Message ------
From: xxxxx@hotmail.com
To: “Windows File Systems Devs Interest List”
Sent: 1/18/2017 11:52:52 AM
Subject: RE:[ntfsd] Map drive question

>Here is the thread of the Explorer which is enumerating the directory,
>but I can’t tell any special here.
>
>THREAD fffffa800265f060 Cid 0a58.0b9c Teb: 000007fffff52000
>Win32Thread: fffff900c068a010 WAIT: (Executive) KernelMode Alertable
> fffffa8002c6bc10 NotificationEvent
>IRP List:
> fffffa8001b36010: (0006,01f0) Flags: 00060800 Mdl:
>fffffa800283aaf0
>Not impersonating
>DeviceMap fffff8a001a94640
>Owning Process fffffa8001ad2680 Image:
>explorer.exe
>Attached Process N/A Image: N/A
>Wait Start TickCount 4266046 Ticks: 277 (0:00:00:04.328)
>Context Switch Count 572 IdealProcessor: 0
> LargeStack
>UserTime 00:00:00.031
>KernelTime 00:00:00.015
>Win32 Start Address 0x000000007792f6f0
>Stack Init fffff88004546db0 Current fffff880045460d0
>Base fffff88004547000 Limit fffff8800453e000 Call 0
>Priority 11 BasePriority 8 UnusualBoost 0 ForegroundBoost 2 IoPriority
>2 PagePriority 5
>Child-SP RetAddr : Args to Child
> : Call Site
>fffff88004546110 fffff800026bbe42 : 0000000000000000 <br>&gt;fffffa800265f060 fffffa8003f3ec28 fffff8800000000b :
>nt!KiSwapContext+0x7a
>fffff88004546250 fffff800026cd1df : fffff8800364b4a8 <br>&gt;fffff88002612000 0000000000000000 fffffa8003f3e938 :
>nt!KiCommitThreadWait+0x1d2
>fffff880045462e0 fffff800029617ee : 0000000000000100 <br>&gt;fffffa8000000000 0000000000000000 fffff88002612201 :
>nt!KeWaitForSingleObject+0x19f
>fffff88004546380 fffff8000296186b : fffffa8003833501 <br>&gt;fffffa80028409c0 fffffa80038334d0 fffff8a001db9da0 :
>nt!FsRtlCancellableWaitForMultipleObjects+0x5e
>fffff880045463e0 fffff880026931e3 : fffffa8002c6bc10 <br>&gt;fffffa8003833501 fffffa80028409c0 fffffa80038334d0 :
>nt!FsRtlCancellableWaitForSingleObject+0x27
>fffff88004546420 fffff88002680f07 : 0000000000000001 <br>&gt;fffff8a000000000 fffffa8000010000 fffff80000000025 :
>mrxsmb20!MRxSmb2EnumerateDirectoryFromCache+0x2ab
>fffff880045464d0 fffff88003a5d4f3 : 0000000000010000 <br>&gt;0000000000010000 fffff8a00a195b00 fffff8a00a195b00 :
>mrxsmb20!MRxSmb2QueryDirectory+0x1b
>fffff88004546520 fffff8800365dd52 : fffffa80028409c0 <br>&gt;fffffa8001b36001 fffffa8000000000 fffffa8000010000 :
>csc!CscQueryDirectory+0x49f
>fffff88004546630 fffff8800365df9f : fffffa80028409c0 <br>&gt;fffffa8001b36010 fffff8a00a195b00 0000000000000025 :
>rdbss!RxQueryDirectory+0x682
>fffff880045466d0 fffff88003633684 : 0000000000000000 <br>&gt;fffff88004546770 fffffa80028409c0 0000000000000001 :
>rdbss!RxCommonDirectoryControl+0xeb
>fffff88004546730 fffff88003650b44 : fffffa8001b36010 <br>&gt;fffffa800394d00c 00000000c0000016 fffffa8001b36010 :
>rdbss!RxFsdCommonDispatch+0x870
>fffff88004546820 fffff880026202bc : fffffa8001b36010 <br>&gt;00000000c0000016 fffffa8001b36170 fffffa800394d040 :
>rdbss!RxFsdDispatch+0x224
>fffff88004546890 fffff880019e6271 : fffffa8003ebf010 <br>&gt;fffffa8001b36010 fffffa8003e9f780 fffff8a0001269e0 :
>mrxsmb!MRxSmbFsdDispatch+0xc0
>fffff880045468d0 fffff880019e4138 : fffff8a0001269e0 <br>&gt;fffffa8003ebf010 0000000000000001 0000000000000000 :
>mup!MupiCallUncProvider+0x161
>fffff88004546940 fffff880019e4b0d : fffffa8001b36010 <br>&gt;fffff880019e2110 fffffa8002678890 0000000000000000 :
>mup!MupStateMachine+0x128
>fffff88004546990 fffff88001038bcf : fffffa8001b361b8 <br>&gt;fffffa8003ebf010 fffff88004546a20 fffffa80027e4b60 :
>mup!MupFsdIrpPassThrough+0x12d
>fffff880045469e0 fffff880010376df : fffffa8002801640 <br>&gt;fffffa8002678890 fffffa8002801600 fffffa8001b36010 :
>fltmgr!FltpLegacyProcessingAfterPreCallbacksCompleted+0x24f
>fffff88004546a70 fffff800029b3b2a : fffffa8001b36010 <br>&gt;fffff88004546ca0 000000000a3ae368 fffff88004546bc8 :
>fltmgr!FltpDispatch+0xcf
>fffff88004546ad0 fffff800026c5693 : fffffa800265f060 <br>&gt;fffff88004546ca0 000000000a3ae368 fffff88004546bc8 :
>nt!NtQueryDirectoryFile+0x1aa
>fffff88004546bb0 000000007795c08a : 0000000000000000 <br>&gt;0000000000000000 0000000000000000 0000000000000000 :
>nt!KiSystemServiceCopyEnd+0x13 (TrapFrame @ fffff88004546c20)<br>&gt;000000000a3ae348 0000000000000000 : 0000000000000000
>0000000000000000 0000000000000000 00000000`00000000 : 0x7795c08a
>
>
>
>—
>NTFSD is sponsored by OSR
>
>
>MONTHLY seminars on crash dump analysis, WDF, Windows internals and
>software drivers!
>Details at http:
>
>To unsubscribe, visit the List Server section of OSR Online at
>http:</http:></http:>