
Normal Log

2018-07-11 15:43:28 chip Page 2198 📢 PUBLIC

"Normal" log of using Word to open a file on a network share and saving it. The CREATE, CLEANUP, and CLOSE operations have been omitted for readability.

This is my summary of the actions, beginning just after the WRITE operations at 2:47:47.2216342 PM.

  1. Set the LastWrite time on the temporary file.
  2. Query the security information from the original file.
  3. Copy the security information to the temporary file.
  4. Set the temporary file's creation time to match the original file.
  5. Query the volume capabilities.
  6. Copy the security information from the original to the temporary file.
  7. Copy the original ObjectID to the temporary file.
  8. Rename the original file using SET_INFORMATION:Rename.
  9. Rename the temporary file using SET_INFORMATION:Rename.
  10. Post a USN write record to the temporary file using FSCTL_WRITE_USN_CLOSE_RECORD.
  11. Update the temporary file's Group and DACL security descriptor.
  12. Delete the original file.
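
As an added illustration (not code from the original page), this sketch parses a Procmon CSV export with the column layout used in the log on this page and checks for the rename swap from steps 8, 9 and 12, plus the security copy from steps 2 and 3. The function names are hypothetical; the embedded rows are excerpted from the page's own log.

```python
import csv
import io
import re

# Rows excerpted from the page's own log (header plus the records around the swap).
SAMPLE = r'''"Time of Day","Operation","Path","Result","Detail"
"2:47:46.2250882 PM","IRP_MJ_WRITE","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Offset: 1,048,576, Length: 216,817, Priority: Normal"
"2:47:47.3192346 PM","IRP_MJ_QUERY_SECURITY","\\vs17\Test\nurl\Test.txt","SUCCESS","Information: Owner, Group, DACL"
"2:47:47.3312102 PM","IRP_MJ_SET_SECURITY","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Information: Owner, Group, DACL"
"2:47:47.5989705 PM","IRP_MJ_SET_INFORMATION","\\vs17\Test\nurl\Test.txt","SUCCESS","Type: SetRenameInformationFile, ReplaceIfExists: True, FileName: \\vs17\Test\nurl\E763273B.tmp"
"2:47:47.6219650 PM","IRP_MJ_SET_INFORMATION","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Type: SetRenameInformationFile, ReplaceIfExists: True, FileName: \\vs17\Test\nurl\Test.txt"
"2:47:47.6633561 PM","IRP_MJ_SET_SECURITY","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Information: Group, DACL"
"2:47:47.6734222 PM","IRP_MJ_SET_INFORMATION","\\vs17\Test\nurl\Test.txt","SUCCESS","Type: SetDispositionInformationFile, Delete: True"
'''

RENAME = re.compile(r"Type: SetRenameInformationFile.*?FileName: (.+)$")


def parse(text):
    """Parse a Procmon CSV export into row dicts, keeping file order."""
    return list(csv.DictReader(io.StringIO(text)))


def same(a, b):
    # Windows paths compare case-insensitively (the log mixes \\VS17 and \\vs17).
    return a.lower() == b.lower()


def hit(row, op, path, needle=""):
    """True if the row is a successful `op` on `path` whose Detail contains needle."""
    return (row["Operation"] == op and row["Result"] == "SUCCESS"
            and same(row["Path"], path) and needle in row["Detail"])


def find_safe_save(rows):
    """Find the rename swap (original -> backup, temp -> original) and report
    which of the surrounding steps from the summary were observed."""
    renames = []
    for i, r in enumerate(rows):
        m = RENAME.search(r["Detail"])
        if m and r["Operation"] == "IRP_MJ_SET_INFORMATION" and r["Result"] == "SUCCESS":
            renames.append((i, r["Path"], m.group(1)))
    for n, (i1, original, backup) in enumerate(renames):
        for i2, temp, target in renames[n + 1:]:
            if not same(target, original):
                continue
            before, after = rows[:i1], rows[i2 + 1:]
            # Security copy: DACL read from the original, then a DACL set on the temp file.
            q = next((k for k, r in enumerate(before)
                      if hit(r, "IRP_MJ_QUERY_SECURITY", original, "DACL")), None)
            acl = q is not None and any(
                hit(r, "IRP_MJ_SET_SECURITY", temp, "DACL") for r in before[q + 1:])
            return {
                "original": original, "backup": backup, "temp": temp,
                "swap_times": (rows[i1]["Time of Day"], rows[i2]["Time of Day"]),
                "temp_written": any(hit(r, "IRP_MJ_WRITE", temp) for r in before),
                "acl_copied_before_swap": acl,
                # In this log the Path column keeps the pre-rename name, so the
                # delete of the old content is logged against the original path.
                "old_file_deleted": any(
                    hit(r, "IRP_MJ_SET_INFORMATION", original, "Delete: True")
                    for r in after),
            }
    return None


if __name__ == "__main__":
    for key, value in find_safe_save(parse(SAMPLE)).items():
        print(f"{key}: {value}")
```

A result with `acl_copied_before_swap` set to False means the swap happened without the original's DACL having been applied to the replacement file first.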

Log VS17:

Saved as [FILE 7116]

This doesn't look so bad; I just need to exactly replicate this sequence.

"Time of Day","Operation","Path","Result","Detail"
"2:47:20.8311835 PM","IRP_MJ_SET_INFORMATION","\\VS17\PIPE\srvsvc","SUCCESS","Type: SetPipeInformation"
"2:47:20.8312092 PM","IRP_MJ_WRITE","\\VS17\PIPE\srvsvc","SUCCESS","Offset: 0, Length: 160, Priority: Normal"
"2:47:20.8331706 PM","IRP_MJ_READ","\\VS17\PIPE\srvsvc","SUCCESS","Offset: 0, Length: 116, Priority: Normal"
"2:47:20.8351487 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\VS17\PIPE\srvsvc","SUCCESS","Control: FSCTL_PIPE_TRANSCEIVE, WriteLength: 1,024, ReadLength: 112"
"2:47:20.9545218 PM","IRP_MJ_SET_INFORMATION","\\VS17\PIPE\wkssvc","SUCCESS","Type: SetPipeInformation"
"2:47:20.9545708 PM","IRP_MJ_WRITE","\\VS17\PIPE\wkssvc","SUCCESS","Offset: 0, Length: 160, Priority: Normal"
"2:47:20.9564410 PM","IRP_MJ_READ","\\VS17\PIPE\wkssvc","SUCCESS","Offset: 0, Length: 116, Priority: Normal"
"2:47:20.9584128 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\VS17\PIPE\wkssvc","SUCCESS","Control: FSCTL_PIPE_TRANSCEIVE, WriteLength: 1,024, ReadLength: 76"
"2:47:20.9664230 PM","IRP_MJ_SET_INFORMATION","\\VS17\PIPE\srvsvc","SUCCESS","Type: SetPipeInformation"
"2:47:20.9664495 PM","IRP_MJ_WRITE","\\VS17\PIPE\srvsvc","SUCCESS","Offset: 0, Length: 160, Priority: Normal"
"2:47:20.9684114 PM","IRP_MJ_READ","\\VS17\PIPE\srvsvc","SUCCESS","Offset: 0, Length: 116, Priority: Normal"
"2:47:20.9704242 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\VS17\PIPE\srvsvc","SUCCESS","Control: FSCTL_PIPE_TRANSCEIVE, WriteLength: 1,024, ReadLength: 76"
"2:47:21.1932680 PM","IRP_MJ_DIRECTORY_CONTROL","\\vs17\Test\nurl","SUCCESS","Type: QueryDirectory, Filter: nurl, 2: nurl"
"2:47:21.1990876 PM","IRP_MJ_DIRECTORY_CONTROL","\\vs17\Test\nurl\Test.txt","SUCCESS","Type: QueryDirectory, Filter: Test.txt, 2: Test.txt"
"2:47:21.2113025 PM","IRP_MJ_DIRECTORY_CONTROL","\\vs17\Test\nurl\Test.txt","SUCCESS","Type: QueryDirectory, Filter: Test.txt, 2: Test.txt"
"2:47:21.2862809 PM","IRP_MJ_READ","\\vs17\Test\nurl\Test.txt","SUCCESS","Offset: 0, Length: 24, Priority: Normal"
"2:47:21.2924317 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\Test.txt","SUCCESS","Type: QueryDeviceInformationVolume, DeviceType: Disk, Characteristics: Remote"
"2:47:21.3065682 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\Test.txt","SUCCESS","Type: QueryDeviceInformationVolume, DeviceType: Disk, Characteristics: Remote"
"2:47:21.3065824 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl\Test.txt","SUCCESS","Control: IOCTL_LMR_DISABLE_LOCAL_BUFFERING"
"2:47:21.3066029 PM","FASTIO_ACQUIRE_FOR_CC_FLUSH","\\vs17\Test\nurl\Test.txt","SUCCESS",""
"2:47:21.3066286 PM","FASTIO_RELEASE_FOR_CC_FLUSH","\\vs17\Test\nurl\Test.txt","SUCCESS",""
"2:47:21.3083764 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl\Test.txt","SUCCESS","Control: FSCTL_LMR_GET_HINT_SIZE"
"2:47:21.3118375 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\Test.txt","SUCCESS","Type: QueryAttributeInformationVolume, FileSystemAttributes: Case Preserved, Case Sensitive, Unicode, ACLs, Compression, Named Streams, EFS, Object IDs, Reparse Points, Sparse Files, Quotas, 0xc00600, MaximumComponentNameLength: 255, FileSystemName: NTFS"
"2:47:21.3144860 PM","IRP_MJ_QUERY_SECURITY","\\vs17\Test\nurl\Test.txt","SUCCESS","Information: Attribute"
"2:47:21.3145322 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\Test.txt","SUCCESS","Type: QueryDeviceInformationVolume, DeviceType: Disk, Characteristics: Remote"
"2:47:21.3146243 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\Test.txt","SUCCESS","Type: QueryDeviceInformationVolume, DeviceType: Disk, Characteristics: Remote"
"2:47:21.3146468 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\Test.txt","SUCCESS","Type: QueryDeviceInformationVolume, DeviceType: Disk, Characteristics: Remote"
"2:47:21.3149759 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl\Test.txt","DEVICE FEATURE NOT SUPPORTED","Control: FSCTL_OFFLOAD_READ, Offset: 0, Length: 2,097,152"
"2:47:21.3184319 PM","IRP_MJ_SET_INFORMATION","\\vs17\Test\nurl\Test.txt","SUCCESS","Type: SetPositionInformationFile, Position: 0"
"2:47:21.3185871 PM","IRP_MJ_READ","\\vs17\Test\nurl\Test.txt","SUCCESS","Offset: 0, Length: 262,144, Priority: Normal"
"2:47:21.3187807 PM","IRP_MJ_READ","\\vs17\Test\nurl\Test.txt","SUCCESS","Offset: 262,144, Length: 262,144, Priority: Normal"
"2:47:21.3190351 PM","IRP_MJ_READ","\\vs17\Test\nurl\Test.txt","SUCCESS","Offset: 524,288, Length: 262,144, Priority: Normal"
"2:47:21.3193508 PM","IRP_MJ_READ","\\vs17\Test\nurl\Test.txt","SUCCESS","Offset: 786,432, Length: 262,144, Priority: Normal"
"2:47:21.3257717 PM","IRP_MJ_READ","\\vs17\Test\nurl\Test.txt","SUCCESS","Offset: 1,048,576, Length: 216,796, Priority: Normal"
"2:47:21.3365451 PM","IRP_MJ_READ","\\vs17\Test\nurl\Test.txt","SUCCESS","Offset: 0, Length: 24, Priority: Normal"
"2:47:21.5171816 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\~$Test.txt","SUCCESS","Type: QueryDeviceInformationVolume, DeviceType: Disk, Characteristics: Remote"
"2:47:21.5172507 PM","IRP_MJ_WRITE","\\vs17\Test\nurl\~$Test.txt","SUCCESS","Offset: 0, Length: 54, Priority: Normal"
"2:47:21.5189831 PM","IRP_MJ_WRITE","\\vs17\Test\nurl\~$Test.txt","SUCCESS","Offset: 54, Length: 108, Priority: Normal"
"2:47:25.6846056 PM","IRP_MJ_DIRECTORY_CONTROL","\\vs17\Test\nurl","SUCCESS","Type: QueryDirectory, Filter: nurl, 2: nurl"
"2:47:25.6887720 PM","IRP_MJ_DIRECTORY_CONTROL","\\vs17\Test\nurl\Test.txt","SUCCESS","Type: QueryDirectory, Filter: Test.txt, 2: Test.txt"
"2:47:25.8852386 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl\Test.txt","SUCCESS","Control: FSCTL_CREATE_OR_GET_OBJECT_ID"
"2:47:25.8869295 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\Test.txt","SUCCESS","Type: QueryObjectIdInformationVolume, ObjectId: 04E9DC7FB9F2B94896E02B2A70C2B322"
"2:47:25.8971237 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl","NOT REPARSE POINT","Control: FSCTL_GET_REPARSE_POINT"
"2:47:25.9011047 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl","SUCCESS","Type: QueryDeviceInformationVolume, DeviceType: Disk, Characteristics: Remote"
"2:47:26.6574479 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl\Test.txt","SUCCESS","Control: FSCTL_CREATE_OR_GET_OBJECT_ID"
"2:47:26.6632443 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\Test.txt","SUCCESS","Type: QueryObjectIdInformationVolume, ObjectId: 04E9DC7FB9F2B94896E02B2A70C2B322"
"2:47:26.6916358 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl","NOT REPARSE POINT","Control: FSCTL_GET_REPARSE_POINT"
"2:47:26.6971619 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl","SUCCESS","Type: QueryDeviceInformationVolume, DeviceType: Disk, Characteristics: Remote"
"2:47:46.0778542 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\","SUCCESS","Type: QueryAttributeInformationVolume, FileSystemAttributes: Case Preserved, Case Sensitive, Unicode, ACLs, Compression, Named Streams, EFS, Object IDs, Reparse Points, Sparse Files, Quotas, 0xc00600, MaximumComponentNameLength: 255, FileSystemName: NTFS"
"2:47:46.2114977 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Type: QueryDeviceInformationVolume, DeviceType: Disk, Characteristics: Remote"
"2:47:46.2154503 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Type: QueryDeviceInformationVolume, DeviceType: Disk, Characteristics: Remote"
"2:47:46.2154653 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Control: IOCTL_LMR_DISABLE_LOCAL_BUFFERING"
"2:47:46.2154878 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Type: QueryAttributeInformationVolume, FileSystemAttributes: Case Preserved, Case Sensitive, Unicode, ACLs, Compression, Named Streams, EFS, Object IDs, Reparse Points, Sparse Files, Quotas, 0xc00600, MaximumComponentNameLength: 255, FileSystemName: NTFS"
"2:47:46.2155898 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Type: QueryDeviceInformationVolume, DeviceType: Disk, Characteristics: Remote"
"2:47:46.2156008 PM","IRP_MJ_SET_INFORMATION","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Type: SetEndOfFileInformationFile, EndOfFile: 1,265,393"
"2:47:46.2174849 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Type: QueryDeviceInformationVolume, DeviceType: Disk, Characteristics: Remote"
"2:47:46.2175264 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Type: QueryDeviceInformationVolume, DeviceType: Disk, Characteristics: Remote"
"2:47:46.2181889 PM","IRP_MJ_WRITE","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Offset: 0, Length: 262,144, Priority: Normal"
"2:47:46.2240883 PM","IRP_MJ_WRITE","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Offset: 262,144, Length: 262,144, Priority: Normal"
"2:47:46.2250452 PM","IRP_MJ_WRITE","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Offset: 524,288, Length: 262,144, Priority: Normal"
"2:47:46.2250712 PM","IRP_MJ_WRITE","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Offset: 786,432, Length: 262,144, Priority: Normal"
"2:47:46.2250882 PM","IRP_MJ_WRITE","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Offset: 1,048,576, Length: 216,817, Priority: Normal"
TEMPORARY FILE HAS BEEN WRITTEN.
"2:47:47.2216342 PM","IRP_MJ_SET_INFORMATION","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Type: SetBasicInformationFile, CreationTime: 0, LastAccessTime: 0, LastWriteTime: 7/2/2018 2:47:46 PM, ChangeTime: 7/2/2018 2:47:46 PM, FileAttributes: n/a"
"2:47:47.3192346 PM","IRP_MJ_QUERY_SECURITY","\\vs17\Test\nurl\Test.txt","SUCCESS","Information: Owner, Group, DACL"
"2:47:47.3312102 PM","IRP_MJ_SET_SECURITY","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Information: Owner, Group, DACL"
"2:47:47.5434034 PM","IRP_MJ_SET_INFORMATION","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Type: SetBasicInformationFile, CreationTime: 5/23/2018 1:53:59 PM, LastAccessTime: 0, LastWriteTime: 0, ChangeTime: 0, FileAttributes: A"
"2:47:47.5453013 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Type: QueryAttributeInformationVolume, FileSystemAttributes: Case Preserved, Case Sensitive, Unicode, ACLs, Compression, Named Streams, EFS, Object IDs, Reparse Points, Sparse Files, Quotas, 0xc00600, MaximumComponentNameLength: 255, FileSystemName: NTFS"
"2:47:47.5453890 PM","IRP_MJ_QUERY_SECURITY","\\vs17\Test\nurl\Test.txt","SUCCESS","Information: Owner, DACL, Label, Attribute"
"2:47:47.5469325 PM","IRP_MJ_QUERY_SECURITY","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Information: Attribute"
"2:47:47.5489817 PM","IRP_MJ_QUERY_SECURITY","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Information: Owner"
"2:47:47.5593110 PM","IRP_MJ_QUERY_SECURITY","\\vs17\Test\nurl","SUCCESS","Information: DACL, DACL Unprotected"
"2:47:47.5633932 PM","IRP_MJ_QUERY_SECURITY","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Information: Owner, Group, DACL, DACL Unprotected"
"2:47:47.5660831 PM","IRP_MJ_SET_SECURITY","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Information: DACL, DACL Unprotected"
"2:47:47.5693973 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Control: FSCTL_DELETE_OBJECT_ID"
"2:47:47.5737110 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl\Test.txt","SUCCESS","Control: FSCTL_GET_OBJECT_ID"
"2:47:47.5753695 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Control: 0x1400e8 (Device:0x14 Function:58 Method: 0)"
"2:47:47.5769995 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Control: FSCTL_CREATE_OR_GET_OBJECT_ID"
"2:47:47.5803275 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl\Test.txt","SUCCESS","Control: FSCTL_GET_OBJECT_ID"
"2:47:47.5813562 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl\Test.txt","SUCCESS","Control: 0x1400ec (Device:0x14 Function:59 Method: 0)"
"2:47:47.5836314 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Control: FSCTL_SET_OBJECT_ID_EXTENDED"
"2:47:47.5989705 PM","IRP_MJ_SET_INFORMATION","\\vs17\Test\nurl\Test.txt","SUCCESS","Type: SetRenameInformationFile, ReplaceIfExists: True, FileName: \\vs17\Test\nurl\E763273B.tmp"
"2:47:47.6219650 PM","IRP_MJ_SET_INFORMATION","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Type: SetRenameInformationFile, ReplaceIfExists: True, FileName: \\vs17\Test\nurl\Test.txt"
"2:47:47.6395646 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Control: FSCTL_WRITE_USN_CLOSE_RECORD"
"2:47:47.6551447 PM","FASTIO_ACQUIRE_FOR_CC_FLUSH","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS",""
"2:47:47.6552059 PM","FASTIO_RELEASE_FOR_CC_FLUSH","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS",""
"2:47:47.6633561 PM","IRP_MJ_SET_SECURITY","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Information: Group, DACL"
"2:47:47.6652200 PM","FASTIO_ACQUIRE_FOR_CC_FLUSH","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS",""
"2:47:47.6652551 PM","FASTIO_RELEASE_FOR_CC_FLUSH","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS",""
"2:47:47.6734222 PM","IRP_MJ_SET_INFORMATION","\\vs17\Test\nurl\Test.txt","SUCCESS","Type: SetDispositionInformationFile, Delete: True"
SAVE COMPLETE
"2:47:47.6856107 PM","FASTIO_ACQUIRE_FOR_CC_FLUSH","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS",""
"2:47:47.6856391 PM","FASTIO_RELEASE_FOR_CC_FLUSH","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS",""
"2:47:47.6933776 PM","IRP_MJ_READ","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Offset: 0, Length: 24, Priority: Normal"
"2:47:47.7053721 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Type: QueryDeviceInformationVolume, DeviceType: Disk, Characteristics: Remote"
"2:47:47.7692891 PM","IRP_MJ_READ","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Offset: 0, Length: 24, Priority: Normal"
"2:47:53.1354214 PM","IRP_MJ_DIRECTORY_CONTROL","\\vs17\Test\nurl","SUCCESS","Type: QueryDirectory, Filter: nurl, 2: nurl"
"2:47:53.1535334 PM","IRP_MJ_DIRECTORY_CONTROL","\\vs17\Test\nurl\Test.txt","SUCCESS","Type: QueryDirectory, Filter: Test.txt, 2: Test.txt"
"2:47:53.1694351 PM","IRP_MJ_DIRECTORY_CONTROL","\\vs17\Test\nurl","SUCCESS","Type: QueryDirectory, Filter: nurl, 2: nurl"
"2:47:53.1775034 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Control: FSCTL_CREATE_OR_GET_OBJECT_ID"
"2:47:53.1793191 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Type: QueryObjectIdInformationVolume, ObjectId: 04E9DC7FB9F2B94896E02B2A70C2B322"
"2:47:53.1795901 PM","IRP_MJ_DIRECTORY_CONTROL","\\vs17\Test\nurl\Test.txt","SUCCESS","Type: QueryDirectory, Filter: Test.txt, 2: Test.txt"
"2:47:53.1896164 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl","NOT REPARSE POINT","Control: FSCTL_GET_REPARSE_POINT"
"2:47:53.1935042 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl","SUCCESS","Type: QueryDeviceInformationVolume, DeviceType: Disk, Characteristics: Remote"
"2:47:53.2478055 PM","IRP_MJ_SET_INFORMATION","\\vs17\Test\nurl\~$Test.txt","SUCCESS","Type: SetDispositionInformationFile, Delete: True"
"2:47:53.3041516 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Control: FSCTL_CREATE_OR_GET_OBJECT_ID"
"2:47:53.3057334 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl\3891FA2.tmp","SUCCESS","Type: QueryObjectIdInformationVolume, ObjectId: 04E9DC7FB9F2B94896E02B2A70C2B322"
"2:47:53.3178247 PM","IRP_MJ_FILE_SYSTEM_CONTROL","\\vs17\Test\nurl","NOT REPARSE POINT","Control: FSCTL_GET_REPARSE_POINT"
"2:47:53.3223904 PM","IRP_MJ_QUERY_VOLUME_INFORMATION","\\vs17\Test\nurl","SUCCESS","Type: QueryDeviceInformationVolume, DeviceType: Disk, Characteristics: Remote"
