Hi all,
how can I find out where the NTFS bitmap file resides?
From my driver created system thread,
to issue FSCTL_GET_RETRIEVAL_POINTERS then, I open a file handle to
L"\??\:\$Bitmap".
This fails with STATUS_ACCESS_DENIED, no matter what combinations of
DesiredAccess, FileAttributes, ShareAccess, FILE_OPEN, CreateOptions
I pass to ZwCreateFile.
Do defrag products ever move this file (and how if above fails) and can it consist of more than one extent?
Regards
Else
________________________________
Utimaco Safeware AG
A member of the Sophos Group
Hohemarkstr. 22
61440 Oberursel
Germany
Registration court: Bad Homburg, HRB 5302
WEEE Reg. No.: DE39805015
Registered office: Oberursel
Members of the Executive Board: Steve Munford (Chairman), Jeff Babka, Malte Pollmann, Olaf Siemens
Chairman of the Supervisory Board: Dr. Peter Lammer
I’m pretty sure NTFS explicitly protects this file from being opened. If you
want to inspect it you’d probably have to dismount the volume and walk the
structures yourself (or use an existing tool, I like the one from Runtime:
http://www.runtime.org/diskexplorer.htm - no affiliation)
-scott
–
Scott Noone
Consulting Associate
OSR Open Systems Resources, Inc.
http://www.osronline.com
“Else Kluger” wrote in message news:xxxxx@ntdev…
Hi all,
how can I find out where the NTFS bitmap file resides?
From my driver created system thread,
to issue FSCTL_GET_RETRIEVAL_POINTERS then, I open a file handle to
L"\??\:\$Bitmap".
This fails with STATUS_ACCESS_DENIED, no matter what combinations of
DesiredAccess, FileAttributes, ShareAccess, FILE_OPEN, CreateOptions
I pass to ZwCreateFile.
Do defrag products ever move this file (and how if above fails) and can it
consist of more than one extent?
Regards
Else
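For the "walk the structures yourself" route suggested above: in the publicly documented (not Microsoft-specified) NTFS on-disk layout, a non-resident attribute records its location as a run list in its MFT record, and each run is one extent. The decoder below is an added example, not code from this thread or from OSR; the names ntfs_extent, read_le and decode_runlist are hypothetical and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One extent; lcn == -1 marks a sparse run with no clusters on disk. */
typedef struct { int64_t lcn; uint64_t clusters; } ntfs_extent;

/* Read an n-byte little-endian field (n <= 8), sign-extending if asked. */
static int64_t read_le(const uint8_t *p, unsigned n, int is_signed)
{
    uint64_t v = 0;
    for (unsigned i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    if (is_signed && n > 0 && n < 8 && (p[n - 1] & 0x80))
        v |= ~(uint64_t)0 << (8 * n);
    return (int64_t)v;
}

/* Returns the extent count, or -1 if malformed, truncated or > max runs. */
int decode_runlist(const uint8_t *rl, size_t len, ntfs_extent *out, int max)
{
    size_t pos = 0;
    int64_t lcn = 0;                      /* offsets are deltas from previous run */
    int n = 0;
    while (pos < len && rl[pos] != 0) {   /* a 0x00 header ends the list */
        unsigned len_sz = rl[pos] & 0x0F, off_sz = rl[pos] >> 4;
        if (len_sz == 0 || len_sz > 8 || off_sz > 8) return -1;
        if (pos + 1 + len_sz + off_sz > len || n == max) return -1;
        out[n].clusters = (uint64_t)read_le(rl + pos + 1, len_sz, 0);
        out[n].lcn = -1;                  /* stays -1 for a sparse run */
        if (off_sz != 0) {                /* wrap-safe add, then range check */
            lcn = (int64_t)((uint64_t)lcn +
                            (uint64_t)read_le(rl + pos + 1 + len_sz, off_sz, 1));
            if (lcn < 0) return -1;       /* delta points before cluster 0 */
            out[n].lcn = lcn;
        }
        n++;
        pos += 1 + len_sz + off_sz;
    }
    return pos < len ? n : -1;            /* must stop on the terminator */
}
/* Constructed sample, not from a real volume: two runs and a terminator. */
const uint8_t sample_runs[] = { 0x31, 0x20, 0x00, 0x00, 0x0C,   /* 0x20 @ 0x0C0000 */
                                0x21, 0x10, 0x00, 0xFF, 0x00 }; /* 0x10 @ -0x100 */
int main(void)
{
    ntfs_extent e[4];
    int n = decode_runlist(sample_runs, sizeof sample_runs, e, 4);
    for (int i = 0; i < n; i++)
        printf("LCN %lld, %llu clusters\n", (long long)e[i].lcn, (unsigned long long)e[i].clusters);
    return n < 0;
}
```

The bounds and terminator checks matter here because the bytes come straight off the disk and cannot be trusted to be well formed.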
Hi,
thanks Scott, we have some code in use to do what you suggest. I wanted to avoid using it in my driver.
As regards possible future undocumented NTFS changes it’s error prone.
And it’s gigantic and superfluous overhead for my purpose (just open to FSCTL_GET_RETRIEVAL_POINTERS),
which I thought could be sufficed by using documented APIs.
Regards
Else
-----Original Message-----
From: xxxxx@lists.osr.com [mailto:xxxxx@lists.osr.com] On Behalf Of Scott Noone
Sent: Friday, 19 March 2010 15:02
To: Windows System Software Devs Interest List
Subject: Re:[ntdev] NTFS Metadata files
I’m pretty sure NTFS explicitly protects this file from being opened. If you
want to inspect it you’d probably have to dismount the volume and walk the
structures yourself (or use an existing tool, I like the one from Runtime:
http://www.runtime.org/diskexplorer.htm - no affiliation)
—
NTDEV is sponsored by OSR
For our schedule of WDF, WDM, debugging and other seminars visit:
http://www.osr.com/seminars
To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer