FASTIO PML Operations
Although these operations have different opcode numbers, they share similar naming and data layouts, and their Op is the same as the advop (see PML Operations).
FASTIO_ACQUIRE_FOR_CC_FLUSH
opcode=3,15
FASTIO_ACQUIRE_FOR_MOD_WRITE
opcode=3,17. EndingOffset is a 64-bit integer.
FASTIO_CHECK_IF_POSSIBLE
opcode=3,7. Offset is a 64-bit integer. Length is a 32-bit integer. CheckOp ("Operation" in Procmon) is displayed as Read when its value is 1 and Write when it is 0. Microsoft documentation of IRP_MJ_FAST_IO_CHECK_IF_POSSIBLE suggests CheckOp is an interpretation of the CheckForReadOperation boolean.
FASTIO_MDL_READ_COMPLETE
opcode=3,4. Mdl is a memory address displayed in hex.
FASTIO_MDL_WRITE_COMPLETE
opcode=3,2. Offset is a 64-bit integer. Mdl is a memory address displayed in hex.
FASTIO_RELEASE_FOR_CC_FLUSH
opcode=3,14
FASTIO_RELEASE_FOR_MOD_WRITE
opcode=3,16
FASTIO_RELEASE_FOR_SECTION_SYNCHRONIZATION
opcode=3,18
Example of FASTIO_ACQUIRE_FOR_CC_FLUSH from 64-bit PML
Hover over field values like Time, ResultCode, and bytes of evdata in this example to see tooltips as they appear in viewer9. The tooltip of the first byte of a color patch tells the field name.
FASTIO_ACQUIRE_FOR_CC_FLUSH opcode=3,15
ev=10413 advop=FASTIO_ACQUIRE_FOR_CC_FLUSH
Field | Value |
---|---|
Time | 2022-05-17 19:41:47.3838191 |
Duration | 0.0000010 |
ResultCode | SUCCESS |
Tid | 8376 |
Path | C: |
evdata[0-71] file offset 4439273
offset | bytes | ascii |
---|---|---|
0 | 00 00 69 00 73 00 6b 00 | ..i.s.k. |
8 | 00 00 00 00 04 00 00 00 | ........ |
16 | 00 00 00 00 00 00 00 00 | ........ |
omit 4 rows of zeros | | |
56 | 00 00 00 00 00 00 00 00 | ........ |
64 | 02 80 69 00 43 3a d8 01 | ..i.C:.. |
Call Stack stacksize=36
StackAddress | mod | ModName | ModPath |
---|---|---|---|
0xfffff80434e8608c | 172 | FLTMGR.SYS + 0x608c | C:\WINDOWS\System32\drivers\FLTMGR.SYS |
0xfffff80434e82801 | 172 | FLTMGR.SYS + 0x2801 | C:\WINDOWS\System32\drivers\FLTMGR.SYS |
0xfffff80437c82147 | 174 | ntoskrnl.exe + 0x282147 | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff80437fee57d | 174 | ntoskrnl.exe + 0x5ee57d | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff80437c2f8c0 | 174 | ntoskrnl.exe + 0x22f8c0 | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff80437cbee2c | 174 | ntoskrnl.exe + 0x2bee2c | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff804380416a4 | 174 | ntoskrnl.exe + 0x6416a4 | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff8043804312b | 174 | ntoskrnl.exe + 0x64312b | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff80438030a5b | 174 | ntoskrnl.exe + 0x630a5b | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff804380300a4 | 174 | ntoskrnl.exe + 0x6300a4 | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff8043802fe87 | 174 | ntoskrnl.exe + 0x62fe87 | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff8043802fc6c | 174 | ntoskrnl.exe + 0x62fc6c | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff80437e077b5 | 174 | ntoskrnl.exe + 0x4077b5 | C:\WINDOWS\system32\ntoskrnl.exe |
0x7ffc927ed664 | 77 | ntdll.dll + 0x9d664 | C:\WINDOWS\SYSTEM32\ntdll.dll |
0x7ffc922b76ac | 130 | wow64.dll + 0x76ac | C:\WINDOWS\System32\wow64.dll |
0x7ffc922b901a | 130 | wow64.dll + 0x901a | C:\WINDOWS\System32\wow64.dll |
0x77c917c3 | 127 | wow64cpu.dll + 0x17c3 | C:\WINDOWS\System32\wow64cpu.dll |
0x77c911b9 | 127 | wow64cpu.dll + 0x11b9 | C:\WINDOWS\System32\wow64cpu.dll |
0x7ffc922b38c9 | 130 | wow64.dll + 0x38c9 | C:\WINDOWS\System32\wow64.dll |
0x7ffc922b32bd | 130 | wow64.dll + 0x32bd | C:\WINDOWS\System32\wow64.dll |
0x7ffc92823552 | 77 | ntdll.dll + 0xd3552 | C:\WINDOWS\SYSTEM32\ntdll.dll |
0x7ffc927c4ceb | 77 | ntdll.dll + 0x74ceb | C:\WINDOWS\SYSTEM32\ntdll.dll |
0x7ffc927c4b73 | 77 | ntdll.dll + 0x74b73 | C:\WINDOWS\SYSTEM32\ntdll.dll |
0x7ffc927c4b1e | 77 | ntdll.dll + 0x74b1e | C:\WINDOWS\SYSTEM32\ntdll.dll |
0x77d12e2c | 128 | ntdll.dll + 0x72e2c | C:\WINDOWS\SysWOW64\ntdll.dll |
0x77cfe5c9 | 128 | ntdll.dll + 0x5e5c9 | C:\WINDOWS\SysWOW64\ntdll.dll |
0x77cfe102 | 128 | ntdll.dll + 0x5e102 | C:\WINDOWS\SysWOW64\ntdll.dll |
0x77cee7fa | 128 | ntdll.dll + 0x4e7fa | C:\WINDOWS\SysWOW64\ntdll.dll |
0x77cee1dc | 128 | ntdll.dll + 0x4e1dc | C:\WINDOWS\SysWOW64\ntdll.dll |
0x77cede66 | 128 | ntdll.dll + 0x4de66 | C:\WINDOWS\SysWOW64\ntdll.dll |
0x7712faa6 | 113 | KernelBase.dll + 0x10faa6 | C:\WINDOWS\SysWOW64\KERNELBASE.dll |
0xc067f2 | 1220 | GoogleUpdate.exe + 0x67f2 | C:\Users\John\AppData\Local\Temp\GUME339.tmp\GoogleUpdate.exe |
0xc073be | 1220 | GoogleUpdate.exe + 0x73be | C:\Users\John\AppData\Local\Temp\GUME339.tmp\GoogleUpdate.exe |
0x77a7fa29 | 125 | kernel32.dll + 0x1fa29 | C:\WINDOWS\SysWOW64\KERNEL32.DLL |
0x77d07a4e | 128 | ntdll.dll + 0x67a4e | C:\WINDOWS\SysWOW64\ntdll.dll |
0x77d07a1e | 128 | ntdll.dll + 0x67a1e | C:\WINDOWS\SysWOW64\ntdll.dll |
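The script below is an added example, not viewer9's or Procmon's code. It renders an event record the way this example page lays it out: an evdata hex dump that elides runs of all-zero rows (the "omit 4 rows of zeros" line), and a call-stack symbolizer that turns raw StackAddress values into "module + offset" rows. The evdata bytes and frame addresses are taken from the example above; the module bases are back-computed from those frames (address minus printed offset). The module table, the subset of frames, the nearest-base lookup rule (the page lists no module sizes) and the helper names are assumptions made here.

```python
"""Render a FASTIO event the way the viewer9 example above presents it.

Added example, not viewer9 code. Module bases are back-computed from the
page's own frames (address minus printed offset); the module table, the
frame subset and the lookup rule are constructed/assumed here.
"""
from dataclasses import dataclass
from typing import List, Optional

# The 72 evdata bytes of the FASTIO_ACQUIRE_FOR_CC_FLUSH example above.
EVDATA = bytes.fromhex(
    "0000690073006b00"      # row 0:  ..i.s.k.
    "0000000004000000"      # row 8
    + "00" * 48             # rows 16..56: six all-zero rows
    + "02806900433ad801"    # row 64: ..i.C:..
)


def _row(offset: int, chunk: bytes) -> str:
    hexpart = " ".join(f"{b:02x}" for b in chunk)
    asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"{offset} | {hexpart} | {asciipart}"


def hexdump(data: bytes, width: int = 8) -> List[str]:
    """Hex dump in viewer9's layout. A run of three or more all-zero rows keeps
    its first and last row and replaces the middle with an 'omit N rows' line."""
    rows = [data[i:i + width] for i in range(0, len(data), width)]
    out: List[str] = []
    i = 0
    while i < len(rows):
        j = i
        while j < len(rows) and not any(rows[j]):
            j += 1
        run = j - i            # zero rows starting at i (0 if rows[i] is not all zero)
        if run >= 3:
            out.append(_row(i * width, rows[i]))
            out.append(f"omit {run - 2} rows of zeros")
            out.append(_row((j - 1) * width, rows[j - 1]))
            i = j
        else:
            out.append(_row(i * width, rows[i]))
            i += 1
    return out


@dataclass(frozen=True)
class Module:
    mod: int      # the "mod" column: viewer9's module index
    name: str
    base: int     # load address
    path: str


KERNEL_FLOOR = 0xFFFF800000000000   # x64 canonical kernel half

# Assumed module table; bases = page address minus printed offset.
MODULES = (
    Module(172, "FLTMGR.SYS", 0xFFFFF80434E80000, "C:\\WINDOWS\\System32\\drivers\\FLTMGR.SYS"),
    Module(174, "ntoskrnl.exe", 0xFFFFF80437A00000, "C:\\WINDOWS\\system32\\ntoskrnl.exe"),
    Module(77, "ntdll.dll", 0x7FFC92750000, "C:\\WINDOWS\\SYSTEM32\\ntdll.dll"),
    Module(128, "ntdll.dll", 0x77CA0000, "C:\\WINDOWS\\SysWOW64\\ntdll.dll"),
    Module(1220, "GoogleUpdate.exe", 0xC00000,
           "C:\\Users\\John\\AppData\\Local\\Temp\\GUME339.tmp\\GoogleUpdate.exe"),
)

# A subset of the page's 36-frame stack, innermost first.
STACK = [0xFFFFF80434E8608C, 0xFFFFF80434E82801, 0xFFFFF80437C82147,
         0x7FFC927ED664, 0x77D12E2C, 0xC067F2, 0xC073BE]


def lookup(address: int, modules=MODULES) -> Optional[Module]:
    """Assumption: the page lists no module sizes, so the module with the highest
    base at or below the address wins. A real module list carries a size, and
    you would also require address < base + size."""
    below = [m for m in modules if m.base <= address]
    return max(below, key=lambda m: m.base) if below else None


def is_kernel_address(address: int) -> bool:
    return address >= KERNEL_FLOOR


def format_frame(address: int) -> str:
    """One call-stack row: StackAddress | mod | ModName + offset | ModPath."""
    m = lookup(address)
    if m is None:
        return f"0x{address:x} | ? | ? | ?"
    return f"0x{address:x} | {m.mod} | {m.name} + 0x{address - m.base:x} | {m.path}"


def first_frame_outside_windows(stack) -> Optional[str]:
    """Triage helper: the innermost user-mode frame whose module is not under
    C:\\WINDOWS, i.e. the application code that initiated the I/O. For the page's
    stack that is GoogleUpdate.exe running from a Temp directory."""
    for address in stack:
        m = lookup(address)
        if m and not is_kernel_address(address) and not m.path.upper().startswith("C:\\WINDOWS\\"):
            return format_frame(address)
    return None


if __name__ == "__main__":
    print("\n".join(hexdump(EVDATA)))
    print("StackAddress | mod | ModName | ModPath")
    print("\n".join(format_frame(a) for a in STACK))
    print("initiator:", first_frame_outside_windows(STACK))
```

Running the script reproduces the evdata rows and the call-stack rows shown above for the frames it includes. The `first_frame_outside_windows` helper is the kind of check a triage script would run over every event in a capture: kernel and system-DLL frames tell you how the request travelled, and the first frame outside the Windows directory tells you which application code issued it.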
Posted 4 Jul 2022, last updated 15 Nov 2022.

As viewer9 is just starting out, discussion is invited via email. Please send questions and comments to forum@viewer9.com directly. Threads that might be valuable to other users will be posted as part of the documentation. Posted messages will not include your address or your full name, and might be shortened for brevity.
Copyright 2022, bryantlite, Inc.