WriteFile ReadFile Explanation

  • Question

  • Hi,

    The MSDN explanation for WriteFile/ReadFile is not sufficient.

    So I want to know: is there any documentation available for the complete WriteFile/ReadFile flow?

    How does the I/O Manager manage the WriteFile/ReadFile input buffer of the application for the driver, and back to the application in the response path?

    Is there any difference between the WriteFile and ReadFile driver stacks? Does the I/O Manager behave differently in these cases?

    What are the drivers involved in this case and what's the driver stack here?

    Thanks,

    Sudhanshu


    • Moved by Baron Bi Wednesday, March 21, 2018 9:00 AM More related to driver development
    Sunday, March 18, 2018 5:57 AM

Answers

  • Unfortunately this is the wrong place to ask about this and the documentation that you mention is only meant for user mode code, so it wouldn't go into the detail that you want. The place that you would need to look for documentation would be the WDK documentation and the best forum to ask about this would be the Windows Hardware WDK and Driver Development forum.

    This is a signature. Any samples given are not meant to have error checking or show best practices. They are meant to just illustrate a point. I may also give inefficient code or introduce some problems to discourage copy/paste coding. This is because the major point of my posts is to aid in the learning process.

    Sunday, March 18, 2018 6:28 AM
  • Certainly you would have to deal with IRPs:
    https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/handling-irps
    But Windows has a somewhat 'far-reaching' concept of a 'file':
    https://docs.microsoft.com/en-us/windows-hardware/drivers/kernel/end-user-i-o-requests-and-file-objects
    I think you would also need to give some more details.
    E.g. doing a 'ReadFile' on a HID device might involve a different driver stack than doing the same regarding a file on a hard disk.
     
    With kind regards
     
    Monday, March 19, 2018 7:17 AM
  • What you want is the Windows Internals book. It covers the internal operation of Windows, including the I/O subsystem

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Wednesday, March 21, 2018 6:01 PM
    Moderator

All replies


    Good Morning Brian,

    I quote your reply because in some way I'd like to have the Windows Internals books. Surely it's not possible ... surely they are proprietary.

    However, let me pose a question at system level, avoiding details at the developed-software level.

    I work in the forensic field as a court consultant and my interest is in making images of suspect drives.

    Sometimes these drives are USB sticks or SATA hard disks, NTFS formatted.

    The goal is to preserve the suspect drives from accidental write operations using write-blocking methodologies.

    Can you confirm please that the content of a disk may be modified by simply connecting it to a computer?

    In particular:

    1) can it happen that the NTFS file system attempts to commit or roll back unfinished transactions, and/or changes flags on the volume to mark it as "in use"?

    2) can it happen that the NTFS file system creates hidden folders for the recycle bin or saved hardware configuration?

    Can you give me, if possible, a list of other inadvertent modifications made when an NTFS drive is plugged into a PC?

    I hope to hear from you soon.

    Thanks very much in advance.

    Best Regards.

    Monday, June 4, 2018 9:34 PM
  • Here are the Windows Internals books on Amazon. I wrote a large chunk of the updates for the 6th edition.

    Yes, plugging a drive into a Windows system will make modifications to the drive, specifically the internal NTFS logs and, as you point out, any rollbacks/redos needed to make the file system consistent. This is all part of volume maintenance.

    Yes, a recycle bin may also be created.

    There are a variety of background volume maintenance tasks the system undertakes to ensure the volume is, and remains, healthy. I cannot list all the things that might change because it is very OS version specific (not just between major versions like 7 and 8, but also between Win10 releases).

    If you want to image a drive that you want to plug into a Windows system, then you would need a special disk filter driver that hid whatever drive was plugged into a specific port from the file system, and then you could perform sector I/O to the drive.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    • Proposed as answer by jawed85 Monday, June 4, 2018 10:19 PM
    Monday, June 4, 2018 9:56 PM
    Moderator

    Hello Brian,
    thanks very much for your reply.
    What you wrote is very interesting.
    I did not know that the Windows Internals books are in the public domain.
    They are an important reference for my work as a court consultant, so I'll buy them on Amazon and study them.
    They are what I was looking for, and surely I could have had the answers to my questions before.

    Please, let me ask a question.
    My apologies in advance if I mention another operating system.
    You spoke about "a special disk filter driver that hid whatever drive was plugged into a specific port from the file system".

    Now, the acquisition phase of a suspect drive is a very delicate step.
    Can you tell me what you mean by "special disk filter"?

    Surely you know about the write blockers that are used to acquire the image of a drive, but I'm not sure that they work properly, hiding 100% of whatever drive was plugged into a specific port from the file system.
    To be sure, I use Unix (not Linux) OSes because Unix is able to preserve the attached drive from any file system drive operations.

    Do you maybe have different solutions?
    Is it maybe possible to use Windows to do the acquisition? In which way?
    Or what else is there for a special disk filter?

    I hope to hear from you soon.

    Thanks in advance.

    Best Regards.

    Wednesday, June 6, 2018 4:31 PM
  • Hello Brian,

    for information about forensic seminars at Azius (in the cyber forensic investigators section), I'll contact you directly at www.azius.com.

    Thanks in advance.

    Wednesday, June 6, 2018 5:45 PM
  • Such a filter driver would have to be written; it doesn't exist in Windows.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    • Proposed as answer by jawed85 Wednesday, June 6, 2018 6:36 PM
    Wednesday, June 6, 2018 6:10 PM
    Moderator

    Hello Brian,
    please, can you tell me if the timestamps of the Microsoft NTFS driver follow the POSIX standard?

    More. As you confirmed, plugging a drive into a Windows system will make modifications to the drive, due to a variety of background volume maintenance tasks that the system undertakes to ensure the volume is, and remains, healthy.
    Please, can you tell me if, when plugging a drive into a Windows system, this maintenance activity could have an influence on the timestamps of the files, changing them?

    Note: I'm waiting for the Windows Internals books I've bought on Amazon. I hope to find there a reply to the questions I asked you, so as to avoid continuously disturbing you.

    Have a nice day.

    Thanks in advance.

    Sunday, June 10, 2018 9:58 AM
  • The timestamps are in 100-nanosecond units since the founding of the Gregorian calendar (January 1, 1601), and by default not all timestamps are updated unless a Group Policy/registry setting is changed.

    I'm on vacation so I don't have access to all my materials. The NTFS transaction log is for metadata only, so it may be possible for an undo/redo to modify the timestamps, but I don't remember for certain. If the Windows transaction manager is being used on a file's contents, an abort or commit could certainly change timestamps.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Monday, June 11, 2018 8:45 PM
    Moderator
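As an added example (not code from the thread or from Brian), the FILETIME arithmetic he describes, 100-nanosecond intervals since January 1, 1601, converted to and from POSIX seconds; the exact integer split keeps the ticks that a float or whole-second conversion would drop, which is the difference a forensic timeline can hinge on. The sample value is constructed.

```python
# Added example, not code from the thread: convert the NTFS/Win32 FILETIME
# representation (100-nanosecond intervals since 1601-01-01 00:00 UTC) to
# and from POSIX time (seconds since 1970-01-01 00:00 UTC). A tool that
# keeps only POSIX seconds, or a float, silently drops the 100-ns ticks
# that NTFS actually records on disk.
from datetime import datetime, timedelta, timezone

# 100-ns intervals between the two epochs: 369 years incl. 89 leap days.
EPOCH_DELTA = 116_444_736_000_000_000
TICKS_PER_SECOND = 10_000_000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_from_le_bytes(raw: bytes) -> int:
    """Decode the 8 little-endian bytes of an on-disk FILETIME field."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes")
    return int.from_bytes(raw, "little")

def filetime_split(ft: int) -> tuple[int, int]:
    """Exact conversion: (POSIX seconds, leftover 100-ns ticks 0..9999999)."""
    if not 0 <= ft < 1 << 64:
        raise ValueError("FILETIME must be an unsigned 64-bit value")
    return divmod(ft - EPOCH_DELTA, TICKS_PER_SECOND)

def filetime_to_posix(ft: int) -> float:
    """Lossy conversion to POSIX seconds as a float (sub-100-ns error)."""
    return (ft - EPOCH_DELTA) / TICKS_PER_SECOND

def posix_to_filetime(seconds: int, ticks: int = 0) -> int:
    """Inverse of filetime_split: whole seconds plus optional 100-ns ticks."""
    if not 0 <= ticks < TICKS_PER_SECOND:
        raise ValueError("ticks must be a fraction of one second")
    return seconds * TICKS_PER_SECOND + ticks + EPOCH_DELTA

def filetime_to_datetime(ft: int) -> datetime:
    """Aware UTC datetime; Python keeps microseconds, so one digit is lost."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

# Constructed sample: 2018-06-11 20:45:00 UTC plus 7 ticks (700 ns).
SAMPLE_FT = posix_to_filetime(1_528_749_900, 7)
SAMPLE_RAW = SAMPLE_FT.to_bytes(8, "little")  # as stored in the MFT record

if __name__ == "__main__":
    secs, ticks = filetime_split(filetime_from_le_bytes(SAMPLE_RAW))
    print(filetime_to_datetime(SAMPLE_FT).isoformat(), secs, ticks)
```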
  • Hello Brian,

    I apologize to you and the forum people if I post my question here ... surely you are free to move it to the correct forum. Again my apologies for this.

    I've consulted the Windows Internals book without success, so I've decided to write to you.

    I've wiped a 4 GB USB stick using the (FreeBSD) command dd: dd if=/dev/zero of=/dev/da0. I've unplugged the stick from my FreeBSD workstation and plugged it into a Windows 7 PC. I've FAT formatted it on the Windows machine.

    I've created and saved on the Desktop one file: "one.txt". Then I've saved it on the USB stick using the "Drag-and-Drop" feature of Windows Explorer. I've then created a second file, "two.txt", and I've directly saved it on the USB stick using the Notepad "Save As" option. QUESTION: I've only saved two files on the stick ....

    Analyzing the USB stick with a forensic tool, it seems that the USB stick contains three files. The first one I've "Saved As ..." appears copied, deleted and copied again.

    Can you help me please to understand?

    Is this behavior common for Windows OSes?

    Thanks very much in advance.

    Best Regards.

    Thursday, November 8, 2018 5:35 PM
  • Historically, Explorer has always been a mess. I haven't looked through the sources since its last big re-write, so I don't have any knowledge into what it is doing, but given its history I wouldn't be surprised if it acts as you describe.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    Thursday, November 8, 2018 5:45 PM
    Moderator
  • Hello Brian,

    your reply is interesting but leads to other questions.

    So, please let me express some perplexities about the development approach used by Microsoft in the Windows OSes world that could lead a forensic analysis to wrong conclusions.

    The aim is to clarify the meaning of the creation date of a file and, more in general, the way the timestamp updating of a file works in the NTFS file system.

    A few months ago, I contacted you asking what happens when we create, open, or save a file.

    As a reply you notified me that there are a variety of background volume maintenance tasks the system undertakes to ensure the volume is, and remains, healthy.
    Several things might change, and this is very OS version specific (not just between major versions like 7 and 8, but also between Win10 releases).

    More: you added that by default not all timestamps are updated unless a Group Policy/registry setting is changed.

    So my questions:

    1 - What meaning should be given to the "Creation date" in Windows 7 and in Windows 10? Are they the same? Or different?
    More: could it happen that the timestamp updating is different between Windows 7 Home Edition and Windows 7 Professional, for example?

    2 - What happens when I create a file on my Windows PC and then copy it to a USB stick? Is it true that the creation date is that of the copy onto the USB stick?

    Are these topics treated in the Windows Internals book?

    Thanks very much in advance.

     
    Sunday, November 11, 2018 11:01 PM
  • 1. I'm not aware of any differences between how Win7 and Win10 handle the creation time; I'd have to spend some time digging into them to be sure, though. Different editions (Pro vs Home) of the same version will be identical.

    2. I believe that it depends on the program that you're using to perform the copy. For example, RoboCopy allows for keeping the original dates, and Explorer probably does the wrong thing. So, it isn't so much an operating system thing as which application/APIs were used to perform the copy. Microsoft strives for consistency, but they don't always achieve it. Therefore, I suggest you modify your paradigm and don't think of the operating system as a monolithic entity, and instead look at the individual programs and their behavior. 

    I haven't had a chance to look through the new Internals book. This stuff was covered, at least to some degree, in the old Internals books.

     -Brian


    Azius Developer Training www.azius.com Windows device driver, internals, security, & forensics training and consulting. Blog at www.azius.com/blog

    • Proposed as answer by jawed85 Tuesday, November 13, 2018 3:04 PM
    Monday, November 12, 2018 7:56 PM
    Moderator