Essential and Derived Properties
Sometimes, when we point to an activity or a problem in software traces and memory dumps (for example, a “not enough space” message), we are asked to dig out certain properties, for example, a file size. Fortunately, some of them are essential and have to be stored somewhere in various structures. For example:
0: kd> !handle
[...]
02b0: Object: 86f556f8 GrantedAccess: 0013019f Entry: d6e99560
Object: 86f556f8 Type: (89bba730) File
ObjectHeader: 86f556e0 (old version)
HandleCount: 1 PointerCount: 1
Directory Object: 00000000 Name: \Temp\Tmp2523.tmp {HarddiskVolume1}
[…]
0: kd> !fileobj 86f556f8
\Temp\Tmp2523.tmp
Device Object: 0x89b36b18 \Driver\Ftdisk
Vpb: 0x89b55238
Event signalled
Access: Read Write Delete
Flags: 0x1cb042
Synchronous IO
Cache Supported
Modified
Size Changed
Temporary File
Handle Created
Fast IO Read
Random Access
FsContext: 0xd6e25da0 FsContext2: 0xd6e25ee8
Private Cache Map: 0x88d44bb8
CurrentByteOffset: 45000
Cache Data:
Section Object Pointers: 86f518dc
Shared Cache Map: 86eafca0 File Offset: 45000 in VACB number 1
Vacb: 89b83f08
Your data is at: c33c5000
0: kd> dt _FILE_OBJECT 86f556f8
ntdll!_FILE_OBJECT
+0x000 Type : 5
+0x002 Size : 112
+0x004 DeviceObject : 0x89b36b18 _DEVICE_OBJECT
+0x008 Vpb : 0x89b55238 _VPB
+0x00c FsContext : 0xd6e25da0
+0x010 FsContext2 : 0xd6e25ee8
+0x014 SectionObjectPointer : 0x86f518dc _SECTION_OBJECT_POINTERS
+0x018 PrivateCacheMap : 0x88d44bb8
+0x01c FinalStatus : 0
+0x020 RelatedFileObject : (null)
+0x024 LockOperation : 0 ''
+0x025 DeletePending : 0 ''
+0x026 ReadAccess : 0x1 ''
+0x027 WriteAccess : 0x1 ''
+0x028 DeleteAccess : 0x1 ''
+0x029 SharedRead : 0 ''
+0x02a SharedWrite : 0 ''
+0x02b SharedDelete : 0 ''
+0x02c Flags : 0x1cb042
+0x030 FileName : _UNICODE_STRING "\Temp\Tmp2523.tmp"
+0x038 CurrentByteOffset : _LARGE_INTEGER 0x45000
+0x040 Waiters : 0
+0x044 Busy : 0
+0x048 LastLock : (null)
+0x04c Lock : _KEVENT
+0x05c Event : _KEVENT
+0x06c CompletionContext : (null)
0: kd> dt _SECTION_OBJECT_POINTERS 0x86f518dc
ntdll!_SECTION_OBJECT_POINTERS
+0x000 DataSectionObject : 0x87056a58
+0x004 SharedCacheMap : 0x86eafca0
+0x008 ImageSectionObject : (null)
0: kd> dt _SHARED_CACHE_MAP 0x86eafca0
nt!_SHARED_CACHE_MAP
+0x000 NodeTypeCode : 767
+0x002 NodeByteSize : 312
+0x004 OpenCount : 2
+0x008 FileSize : _LARGE_INTEGER 0x67000
+0x010 BcbList : _LIST_ENTRY [ 0x86eafcb0 - 0x86eafcb0 ]
+0x018 SectionSize : _LARGE_INTEGER 0x100000
+0x020 ValidDataLength : _LARGE_INTEGER 0x67000
+0x028 ValidDataGoal : _LARGE_INTEGER 0x67000
+0x030 InitialVacbs : [4] 0x89b802c0 _VACB
+0x040 Vacbs : 0x86eafcd0 -> 0x89b802c0 _VACB
+0x044 FileObject : 0x87095d68 _FILE_OBJECT
+0x048 ActiveVacb : 0x89b83f08 _VACB
+0x04c NeedToZero : (null)
+0x050 ActivePage : 0x40
+0x054 NeedToZeroPage : 0
+0x058 ActiveVacbSpinLock : 0
+0x05c VacbActiveCount : 1
+0x060 DirtyPages : 0x22
+0x064 SharedCacheMapLinks : _LIST_ENTRY [ 0x86c8f06c - 0x808acc20 ]
+0x06c Flags : 0x1400
+0x070 Status : 0
+0x074 Mbcb : 0x87f1a348 _MBCB
+0x078 Section : 0xd6653930
+0x07c CreateEvent : (null)
+0x080 WaitOnActiveCount : (null)
+0x084 PagesToWrite : 0
+0x088 BeyondLastFlush : 0
+0x090 Callbacks : 0xf719664c _CACHE_MANAGER_CALLBACKS
+0x094 LazyWriteContext : 0xd6e25da0
+0x098 PrivateList : _LIST_ENTRY [ 0x86eafdc4 - 0x88d44c04 ]
+0x0a0 LogHandle : (null)
+0x0a4 FlushToLsnRoutine : (null)
+0x0a8 DirtyPageThreshold : 0
+0x0ac LazyWritePassCount : 0x3d7d1b
+0x0b0 UninitializeEvent : (null)
+0x0b4 NeedToZeroVacb : (null)
+0x0b8 BcbSpinLock : 0
+0x0bc Reserved : (null)
+0x0c0 Event : _KEVENT
+0x0d0 VacbPushLock : _EX_PUSH_LOCK
+0x0d8 PrivateCacheMap : _PRIVATE_CACHE_MAP
+0x130 WriteBehindWorkQueueEntry : (null)
An example of a derived property, one that is not stored anywhere but has to be computed from essential ones, is the difference between the time of logon (winlogon.exe start time) and the start time of the currently running instance of a screen saver process.
- Dmitry Vostokov @ DumpAnalysis.org -
October 16th, 2009 at 3:02 pm
Actually, in this case SectionSize would be a better representation of the amount of disk space consumed by the file. That shadows the AllocationSize of the file, which is the actual amount of disk space reserved for the file (i.e. it’s a multiple of cluster size).
FileSize is a shadow of the FileSize for the file, which is the EndOfFile marker. EOF is always <= AllocationSize.
Also, since the cache manager state is only present for cached files, you might want to get the size information from the FsContext field. File systems set this field to a pointer to a FSRTL_COMMON_FCB_HEADER structure, which is where the size information comes from in the first place.
-scott
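As an added example (not code from the original post or from the comments): a small Python parser for the `dt` listings shown in the post, which follows the chain _FILE_OBJECT.SectionObjectPointer -> _SECTION_OBJECT_POINTERS.SharedCacheMap -> _SHARED_CACHE_MAP.FileSize and also reads the FSRTL_COMMON_FCB_HEADER that scott's comment points to via FsContext. It separates the essential values (stored fields) from derived ones (dirty bytes, VACB index, slack between EOF and allocation) and runs the cross-structure consistency checks a practitioner would want before trusting a size pulled from a dump. The three cache-manager listings are trimmed copies of the post's output; the FCB header listing, including its AllocationSize of 0x68000, is constructed for illustration with the 32-bit field offsets assumed, and PAGE_SIZE / VACB_SIZE are the x86 values.

```python
"""Added example: parse WinDbg `dt` listings from a kernel dump and derive
file-size properties from the essential fields.  _FILE_OBJECT,
_SECTION_OBJECT_POINTERS and _SHARED_CACHE_MAP listings are trimmed copies of
the post's output; the FSRTL_COMMON_FCB_HEADER listing is CONSTRUCTED
(32-bit layout assumed), as is its AllocationSize value."""
import re

PAGE_SIZE = 0x1000
VACB_SIZE = 0x40000   # cache manager maps cached files in 256 KiB views on x86

FILE_OBJECT_ADDR, SOP_ADDR, SCM_ADDR = 0x86f556f8, 0x86f518dc, 0x86eafca0

FILE_OBJECT_DT = """ntdll!_FILE_OBJECT
   +0x000 Type : 5
   +0x00c FsContext : 0xd6e25da0
   +0x014 SectionObjectPointer : 0x86f518dc _SECTION_OBJECT_POINTERS
   +0x024 LockOperation : 0 ''
   +0x02c Flags : 0x1cb042
   +0x030 FileName : _UNICODE_STRING "\\Temp\\Tmp2523.tmp"
   +0x038 CurrentByteOffset : _LARGE_INTEGER 0x45000"""

SOP_DT = """ntdll!_SECTION_OBJECT_POINTERS
   +0x000 DataSectionObject : 0x87056a58
   +0x004 SharedCacheMap : 0x86eafca0
   +0x008 ImageSectionObject : (null)"""

SCM_DT = """nt!_SHARED_CACHE_MAP
   +0x004 OpenCount : 2
   +0x008 FileSize : _LARGE_INTEGER 0x67000
   +0x010 BcbList : _LIST_ENTRY [ 0x86eafcb0 - 0x86eafcb0 ]
   +0x018 SectionSize : _LARGE_INTEGER 0x100000
   +0x020 ValidDataLength : _LARGE_INTEGER 0x67000
   +0x044 FileObject : 0x87095d68 _FILE_OBJECT
   +0x050 ActivePage : 0x40
   +0x060 DirtyPages : 0x22
   +0x094 LazyWriteContext : 0xd6e25da0"""

# CONSTRUCTED listing (not from the dump): FsContext -> FSRTL_COMMON_FCB_HEADER.
FCB_DT = """nt!_FSRTL_COMMON_FCB_HEADER
   +0x010 AllocationSize : _LARGE_INTEGER 0x68000
   +0x018 FileSize : _LARGE_INTEGER 0x67000
   +0x020 ValidDataLength : _LARGE_INTEGER 0x67000"""

_FIELD_RE = re.compile(r'^\s*\+0x([0-9a-fA-F]+)\s+(\w+)\s*:\s*(.*?)\s*$')
_HEX_RE = re.compile(r'0x[0-9a-fA-F]+')
_DEC_RE = re.compile(r'(?<![\w.])\d+(?![\w.])')   # bare decimal, not digits inside a name


def _to_int(raw):
    """Best-effort scalar: (null) -> 0, first hex literal, else first bare decimal."""
    if raw.startswith('(null)'):
        return 0
    m = _HEX_RE.search(raw) or _DEC_RE.search(raw)
    if not m:
        return None                      # strings and embedded structs (_KEVENT ...)
    return int(m.group(0), 16 if m.group(0).startswith('0x') else 10)


def parse_dt(text):
    """Map field name -> (offset, value, raw text) for one `dt` listing."""
    out = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            out[m.group(2)] = (int(m.group(1), 16), _to_int(m.group(3)), m.group(3))
    return out


def analyze(fobj_dt=FILE_OBJECT_DT, sop_dt=SOP_DT, scm_dt=SCM_DT, fcb_dt=FCB_DT):
    """Return (essential, derived, checks) dictionaries for the file described."""
    fobj, sop, scm, fcb = (parse_dt(t) for t in (fobj_dt, sop_dt, scm_dt, fcb_dt))
    v = lambda s, name: s[name][1]
    cur = v(fobj, 'CurrentByteOffset')
    essential = {                        # values stored as-is in kernel structures
        'FileSize': v(scm, 'FileSize'), 'ValidDataLength': v(scm, 'ValidDataLength'),
        'SectionSize': v(scm, 'SectionSize'), 'AllocationSize': v(fcb, 'AllocationSize'),
        'CurrentByteOffset': cur, 'DirtyPages': v(scm, 'DirtyPages'),
    }
    derived = {                          # computed, never stored
        'dirty_bytes': v(scm, 'DirtyPages') * PAGE_SIZE,
        'vacb_number': cur // VACB_SIZE,   # matches "!fileobj: File Offset: 45000 in VACB number 1"
        'offset_in_vacb': cur % VACB_SIZE,
        'slack_bytes': v(fcb, 'AllocationSize') - v(fcb, 'FileSize'),
        'position_within_eof': cur <= v(scm, 'FileSize'),
    }
    # SharedCacheMap.FileObject (0x87095d68) is the object caching was set up with,
    # not necessarily the handle's (0x86f556f8); it is deliberately not compared.
    checks = {                           # must all hold if the chain is intact
        'fileobj->sop': v(fobj, 'SectionObjectPointer') == SOP_ADDR,
        'sop->scm': v(sop, 'SharedCacheMap') == SCM_ADDR,
        'scm.LazyWriteContext==fileobj.FsContext': v(scm, 'LazyWriteContext') == v(fobj, 'FsContext'),
        'VDL<=FileSize': v(scm, 'ValidDataLength') <= v(scm, 'FileSize'),
        'FileSize<=SectionSize': v(scm, 'FileSize') <= v(scm, 'SectionSize'),
        'EOF<=AllocationSize': v(fcb, 'FileSize') <= v(fcb, 'AllocationSize'),
        'fcb.FileSize==scm.FileSize': v(fcb, 'FileSize') == v(scm, 'FileSize'),
    }
    return essential, derived, checks


if __name__ == '__main__':
    for title, d in zip(('essential', 'derived', 'checks'), analyze()):
        print(title, {k: (hex(x) if isinstance(x, int) and not isinstance(x, bool) else x)
                      for k, x in d.items()})
```

The parser only needs the `+0xNNN Name : value` shape, so the same `parse_dt` works on any `dt` listing pasted from a session, and a failing entry in `checks` is the signal that the structures do not belong to the same file (a stale pointer, a reused pool block, or the wrong build's type layout) and that the size read from them should not be reported.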
October 16th, 2009 at 3:43 pm
Thanks for this info! Will try - I have at least 2 more dumps to check the file size