viewer9 documentation

Lock/UnlockFile PML Operations

LockFile
UnlockFileAll
UnlockFileSingle

These operations belong to opcode=3,37 (see note about Op vs opcode in PML Operations). Offset and Length are 64-bit integers. FailImmed ("Fail Immediately" in Procmon) and Exclusive are booleans. Address (not shown in Procmon) is one of the memory addresses observed in the data; it might reflect something about the way the API was called, and it is displayed in hex.

Example of LockFile from 64-bit PML

LockFile opcode=3,37

ev=35194 advop=FASTIO_LOCK

Time: 2022-05-17 16:06:22.5924818
Duration: 0.0000030
ResultCode: SUCCESS
Tid: 3448
Path: C:\Users\johnk\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Offset: 0
Length: 4294967295
FailImmed: False
Exclusive: True
Address: 0xfffff880053c8b48

evdata[0-151] file offset 20280693

  0  01 f7 0a 00 63 00 65 00  ....c.e.
  8  00 00 00 00 02 00 00 00  ........
 16  48 8b 3c 05 80 f8 ff ff  H.<.....
 24  00 00 00 00 00 00 00 00  ........
 32  00 00 00 00 00 00 00 00  ........
 40  60 70 ff 07 80 fa ff ff  `p......
 48  00 01 00 00 00 00 00 00  ........
 56  00 00 00 00 00 00 00 00  ........
 64  4a 80 8c 94 43 3a 5c 55  J...C:\U
 72  73 65 72 73 5c 6a 6f 68  sers\joh
 80  6e 6b 5c 41 70 70 44 61  nk\AppDa
 88  74 61 5c 4c 6f 63 61 6c  ta\Local
 96  5c 47 6f 6f 67 6c 65 5c  \Google\
104  43 68 72 6f 6d 65 5c 55  Chrome\U
112  73 65 72 20 44 61 74 61  ser Data
120  5c 43 72 61 73 68 70 61  \Crashpa
128  64 5c 73 65 74 74 69 6e  d\settin
136  67 73 2e 64 61 74 ff ff  gs.dat..
144  ff ff ff ff ff ff a1 77  .......w
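
As an added example (not viewer9 code), this Python sketch rebuilds the evdata bytes from the dump above and recovers Address and Path from them, so the displayed values can be cross-checked against the raw event. The positions it uses (pointer at byte 16, path descriptor at byte 64, path text at byte 68, top descriptor bit meaning one byte per character) are assumptions read off this single 64-bit sample, not a documented layout.

```python
import struct

# evdata[0-151] copied from the LockFile example on this page, with the
# offset column separated from the first byte of each row.
DUMP = """\
0 01 f7 0a 00 63 00 65 00
8 00 00 00 00 02 00 00 00
16 48 8b 3c 05 80 f8 ff ff
24 00 00 00 00 00 00 00 00
32 00 00 00 00 00 00 00 00
40 60 70 ff 07 80 fa ff ff
48 00 01 00 00 00 00 00 00
56 00 00 00 00 00 00 00 00
64 4a 80 8c 94 43 3a 5c 55
72 73 65 72 73 5c 6a 6f 68
80 6e 6b 5c 41 70 70 44 61
88 74 61 5c 4c 6f 63 61 6c
96 5c 47 6f 6f 67 6c 65 5c
104 43 68 72 6f 6d 65 5c 55
112 73 65 72 20 44 61 74 61
120 5c 43 72 61 73 68 70 61
128 64 5c 73 65 74 74 69 6e
136 67 73 2e 64 61 74 ff ff
144 ff ff ff ff ff ff a1 77
"""

def dump_to_bytes(text):
    """Rebuild the byte string, rejecting rows whose offset is out of sequence."""
    data = bytearray()
    for row in text.splitlines():
        offset, *cells = row.split()
        if int(offset) != len(data):
            raise ValueError(f"row offset {offset} does not follow {len(data)} bytes")
        data += bytes(int(c, 16) for c in cells)
    return bytes(data)

def decode_lock_evdata(data):
    """Field positions are assumptions taken from this one 64-bit sample."""
    (address,) = struct.unpack_from("<Q", data, 16)   # little-endian 64-bit pointer
    (desc,) = struct.unpack_from("<H", data, 64)      # assumed path descriptor
    count, is_ascii = desc & 0x7FFF, bool(desc & 0x8000)
    end = 68 + count * (1 if is_ascii else 2)
    if end > len(data):
        raise ValueError("path runs past the end of evdata")
    path = data[68:end].decode("ascii" if is_ascii else "utf-16-le")
    return {"Address": hex(address), "Path": path, "undecoded_tail": data[end:]}

if __name__ == "__main__":
    print(decode_lock_evdata(dump_to_bytes(DUMP)))
```

The bytes after the path are returned undecoded because the page does not say how they map to the remaining fields.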

Call Stack stacksize=41

StackAddress        mod  ModName                   ModPath
0xfffff880011730f7  194  fltmgr.sys + 0x20f7       C:\Windows\system32\drivers\fltmgr.sys
0xfffff8800117588d  194  fltmgr.sys + 0x488d       C:\Windows\system32\drivers\fltmgr.sys
0xfffff88001194d8a  194  fltmgr.sys + 0x23d8a      C:\Windows\system32\drivers\fltmgr.sys
0xfffff80002b0adac  161  ntoskrnl.exe + 0x2bcdac   C:\Windows\system32\ntoskrnl.exe
0xfffff800028eff53  161  ntoskrnl.exe + 0xa1f53    C:\Windows\system32\ntoskrnl.exe
0x77c8a5da          2    ntdll.dll + 0x6a5da       C:\Windows\SYSTEM32\ntdll.dll
0x7fefd801722       43   KERNELBASE.dll + 0x31722  C:\Windows\system32\KERNELBASE.dll
0x77a4c04b          0    kernel32.dll + 0x4c04b    C:\Windows\system32\kernel32.dll
0x7fef2a54f95       687  chrome_elf.dll + 0x44f95  C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome_elf.dll
0x7fef2a4ab61       687  chrome_elf.dll + 0x3ab61  C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome_elf.dll
0x7fef2a4abec       687  chrome_elf.dll + 0x3abec  C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome_elf.dll
0x7fef2ada4f3       687  chrome_elf.dll + 0xca4f3  C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome_elf.dll
0x7fee6b23019       683  chrome.dll + 0x1403019    C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7fee6b0944b       683  chrome.dll + 0x13e944b    C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7fee6b04d63       683  chrome.dll + 0x13e4d63    C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7fee8202224       683  chrome.dll + 0x2ae2224    C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7feeacca802       683  chrome.dll + 0x55aa802    C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7feeaccd032       683  chrome.dll + 0x55ad032    C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7feeaccca0d       683  chrome.dll + 0x55aca0d    C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7feeacc9c58       683  chrome.dll + 0x55a9c58    C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7feea640709       683  chrome.dll + 0x4f20709    C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7feeacc9eca       683  chrome.dll + 0x55a9eca    C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7fee90903e6       683  chrome.dll + 0x39703e6    C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7fee8d2788a       683  chrome.dll + 0x360788a    C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7fee97e1e71       683  chrome.dll + 0x40c1e71    C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7fee8bd8f60       683  chrome.dll + 0x34b8f60    C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7fee8bd7d35       683  chrome.dll + 0x34b7d35    C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7fee932e35d       683  chrome.dll + 0x3c0e35d    C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7fee5a41049       683  chrome.dll + 0x321049     C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7fee60f5b0a       683  chrome.dll + 0x9d5b0a     C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7fee63785b1       683  chrome.dll + 0xc585b1     C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7fee66fff62       683  chrome.dll + 0xfdff62     C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7fee66ffc4f       683  chrome.dll + 0xfdfc4f     C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7fee7ca5f92       683  chrome.dll + 0x2585f92    C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7fee6148a21       683  chrome.dll + 0xa28a21     C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x7fee6146bcd       683  chrome.dll + 0xa26bcd     C:\Program Files\Google\Chrome\Application\101.0.4951.67\chrome.dll
0x13ffccae6         681  chrome.exe + 0x9cae6      C:\Program Files\Google\Chrome\Application\chrome.exe
0x13ffcc648         681  chrome.exe + 0x9c648      C:\Program Files\Google\Chrome\Application\chrome.exe
0x14004b062         681  chrome.exe + 0x11b062     C:\Program Files\Google\Chrome\Application\chrome.exe
0x77a1556d          0    kernel32.dll + 0x1556d    C:\Windows\system32\kernel32.dll
0x77c7372d          2    ntdll.dll + 0x5372d       C:\Windows\SYSTEM32\ntdll.dll

Advanced names

These events can also be queried with advop:

  • LockFile: FASTIO_LOCK
  • UnlockFileSingle: FASTIO_UNLOCK_SINGLE
  • UnlockFileAll: FASTIO_UNLOCK_ALL

Posted 4 Jul 2022, last updated 15 Nov 2022

As viewer9 is just starting out, discussion is invited via email. Please send questions and comments to forum@viewer9.com directly. Threads that might be valuable to other users will be posted as part of the documentation. Posted messages will not include your address or your full name, and might be shortened for brevity.

Copyright 2022, bryantlite, Inc.