QueryInformationFile PML Operations
All of these operations belong to opcode=3,25 and correspond to the different FileInformationClass values in the Microsoft documentation for NtQueryInformationFile.
Although Procmon does not show it, the FileInformationClass is in the PML data at evdata[0] (see PML Binary Data and Results Offsets) and is provided by viewer9 in the FileInfoClass field. Not all of these operations have their evresults parsed into fields in viewer9, so for rare ones you can look up the evresults structure in the Microsoft documentation for NtQueryInformationFile (see how to do this in QueryCaseSensitiveInformation and QueryCompressionInformationFile below).
In addition to FileInfoClass, a 32-bit BufferSize and hex Buffer address (neither shown in Procmon) are extracted from the data to give insights into the way the underlying API was called.
To find QueryInformationFile PML operations not explicitly named with Op in viewer9, query opcode=3,25 FileInfoClass=FileXYZInformation.
QueryAllInformationFile
FileInfoClass is FileAllInformation. This operation is named "All" because it returns a lot of the same fields as the other QueryInformationFile operations, so field descriptions will not be duplicated here. An example of a QueryAllInformationFile event is after the descriptions of the other operations below.
QueryAttributeTagFile
FileInfoClass is FileAttributeTagInformation.
FileAttributes is mostly enumerated in short-form, for example A instead of FILE_ATTRIBUTE_ARCHIVE:
Value | Short form | Attribute
---|---|---
0x1 | R | FILE_ATTRIBUTE_READONLY
0x2 | H | FILE_ATTRIBUTE_HIDDEN
0x4 | S | FILE_ATTRIBUTE_SYSTEM
0x10 | D | FILE_ATTRIBUTE_DIRECTORY
0x20 | A | FILE_ATTRIBUTE_ARCHIVE
0x40 | (no short form, shown as FILE_ATTRIBUTE_DEVICE) | FILE_ATTRIBUTE_DEVICE
0x80 | N | FILE_ATTRIBUTE_NORMAL
0x100 | T | FILE_ATTRIBUTE_TEMPORARY
0x200 | SF | FILE_ATTRIBUTE_SPARSE_FILE
0x400 | RP | FILE_ATTRIBUTE_REPARSE_POINT
0x800 | C | FILE_ATTRIBUTE_COMPRESSED
0x1000 | O | FILE_ATTRIBUTE_OFFLINE
0x2000 | NCI | FILE_ATTRIBUTE_NOT_CONTENT_INDEXED
0x4000 | E | FILE_ATTRIBUTE_ENCRYPTED
0x8000 | IS | FILE_ATTRIBUTE_INTEGRITY_STREAM
ReparseTag is a 32-bit integer displayed in hex.
QueryBasicInformationFile
FileInfoClass is FileBasicInformation. FileAttributes is described above, and there are 4 timestamps: CreationTime, LastAccessTime, LastWriteTime, ChangeTime.
QueryCaseSensitiveInformation
FileInfoClass is FileCaseSensitiveInformation.
This is an example of an operation not completely implemented in viewer9, so here is a description of how to examine this event data further (and to illustrate the process for any QueryInformationFile operation):
Searching on "NtQueryInformationFile FileCaseSensitiveInformation" brings you to the FILE_CASE_SENSITIVE_INFORMATION struct, which is the structure of evresults for this operation in the PML file. It only has one member, a 32-bit (4-byte) ULONG integer Flags. A bit of deduction suggests Flags is 1 if the directory is case-sensitive and 0 otherwise.
Since it is only 1 or 0, it can be accessed with just the first byte of evresults, i.e. evresults[0]. For example, it can be queried with Op=QueryCaseSensitiveInformation evresults[0].
QueryCompressionInformationFile
FileInfoClass is FileCompressionInformation.
This is another example of an operation not completely implemented/parsed in viewer9. Searching on "NtQueryInformationFile FileCompressionInformation" brings you to the FILE_COMPRESSION_INFORMATION struct for the evresults section. Hovering the mouse over the evresults in the event view will give you:
Offset | Member | Size
---|---|---
evresults[0] | CompressedFileSize | 8 bytes
evresults[8] | CompressionFormat | 2 bytes
evresults[10] | CompressionUnitShift | 1 byte
evresults[11] | ChunkShift | 1 byte
evresults[12] | ClusterShift | 1 byte
QueryEaInformationFile
FileInfoClass is FileEaInformation. EaSize is a 32-bit integer.
QueryFileInternalInformationFile
FileInfoClass is FileInternalInformation. IndexNumber is a 64-bit number.
QueryIdInformation
FileInfoClass is FileIdInformation.
QueryNameInformationFile
FileInfoClass is FileNameInformation.
QueryNetworkOpenInformationFile
FileInfoClass is FileNetworkOpenInformation. FileAttributes is described above, AllocSize and EndOfFile are 64-bit, and there are 4 timestamps: CreationTime, LastAccessTime, LastWriteTime, ChangeTime.
QueryNetworkPhysicalNameInformationFile
FileInfoClass is FileNetworkPhysicalNameInformation.
QueryNormalizedNameInformationFile
FileInfoClass is FileNormalizedNameInformation.
QueryPositionInformationFile
FileInfoClass is FilePositionInformation. Position is a 64-bit integer.
QueryRemoteProtocolInformation
FileInfoClass is FileRemoteProtocolInformation.
QueryStandardInformationFile
FileInfoClass is FileStandardInformation. AllocSize and EndOfFile are 64-bit, NumberOfLinks is 32-bit, DelPending and Directory are 1-byte flags.
QueryStandardLinkInformation
FileInfoClass is FileStandardLinkInformation.
QueryStatInformation
FileInfoClass is FileStatInformation.
QueryStreamInformationFile
FileInfoClass is FileStreamInformation. This operation is for Alternate Data Streams (ADS). The fields are 64-bit StreamSize (not displayed in Procmon), 64-bit AllocSize, and Streams, which is a list of the stream filenames (shown as a numbered list in the Procmon detail, rather than under a single label). Note that sometimes Procmon does not display the last stream, but viewer9 does (see Procmon Bug: QueryStreamInformationFile Alternate Data Stream).
Example of QueryAllInformationFile from 64-bit PML
Hover over field values like Time, ResultCode, timestamps, FileAttributes, FileAccess, AccessMode, AlignReq, Length, and bytes of evdata in this example to see tooltips as they appear in viewer9. The tooltip of the first byte of a color patch tells the field name.
QueryAllInformationFile opcode=3,25
ev=5340 advop=IRP_MJ_QUERY_INFORMATION
Field | Value
---|---
Time | 2022-05-17 19:41:45.9258243
Duration | 0.0000055
ResultCode | BUFFER OVERFLOW
Tid | 6956
Path | C:\Windows\System32\smartscreenps.dll
FileInfoClass | FileAllInformation
BufferSize | 104
Buffer | 0xffff8b8b3eadf590
CreationTime | 2021-05-11 03:44:48.0048674
LastAccessTime | 2022-05-17 19:41:45.9161688
LastWriteTime | 2021-05-11 03:44:48.0204687
ChangeTime | 2021-05-11 00:05:21.3633098
FileAttributes | A
AllocSize | 167936
EndOfFile | 312832
NumberOfLinks | 2
DelPending | False
Directory | False
IndexNumber | 0x200000006c5b8
EaSize | 284
FileAccess | Read Attributes, Synchronize
Position | 0
AccessMode | Synchronous IO Non-Alert
AlignReq | Byte
Length | 70
Name | \W
evdata[0-108] file offset 2327187
Offset | Bytes | ASCII |
---|---|---|
0 | 12 00 00 00 5c 00 49 00 | ....\.I. |
8 | 70 08 06 00 09 00 00 00 | p....... |
16 | 68 00 00 00 00 00 00 00 | h....... |
24 | 12 00 00 00 00 00 00 00 | ........ |
32 | 90 f5 ad 3e 8b 8b ff ff | ...>.... |
40 | 00 00 00 00 00 00 00 00 | ........ |
48 | 00 00 00 00 00 00 00 00 | ........ |
56 | 00 00 00 00 00 00 00 00 | ........ |
64 | 25 80 c6 37 43 3a 5c 57 | %..7C:\W |
72 | 69 6e 64 6f 77 73 5c 53 | indows\S |
80 | 79 73 74 65 6d 33 32 5c | ystem32\ |
88 | 73 6d 61 72 74 73 63 72 | smartscr |
96 | 65 65 6e 70 73 2e 64 6c | eenps.dl |
104 | 6c 34 70 c1 91 | l4p.. |
evresults[0-103] file offset 2327298
Offset | Bytes | ASCII |
---|---|---|
0 | 22 d6 74 84 39 46 d7 01 | ".t.9F.. |
8 | 58 0e 74 ab 47 6a d8 01 | X.t.Gj.. |
16 | 8f 37 77 84 39 46 d7 01 | .7w.9F.. |
24 | 4a c6 86 dc 1a 46 d7 01 | J....F.. |
32 | 20 00 00 00 00 00 00 00 | ....... |
40 | 00 90 02 00 00 00 00 00 | ........ |
48 | 00 c6 04 00 00 00 00 00 | ........ |
56 | 02 00 00 00 00 00 00 00 | ........ |
64 | b8 c5 06 00 00 00 02 00 | ........ |
72 | 1c 01 00 00 80 00 10 00 | ........ |
80 | 00 00 00 00 00 00 00 00 | ........ |
88 | 20 00 00 00 00 00 00 00 | ....... |
96 | 46 00 00 00 5c 00 57 00 | F...\.W. |
Call Stack stacksize=29
StackAddress | mod | ModName | ModPath |
---|---|---|---|
0xfffff80434e8608c | 172 | FLTMGR.SYS + 0x608c | C:\WINDOWS\System32\drivers\FLTMGR.SYS |
0xfffff80434e85b37 | 172 | FLTMGR.SYS + 0x5b37 | C:\WINDOWS\System32\drivers\FLTMGR.SYS |
0xfffff80434e84b46 | 172 | FLTMGR.SYS + 0x4b46 | C:\WINDOWS\System32\drivers\FLTMGR.SYS |
0xfffff80434e848bb | 172 | FLTMGR.SYS + 0x48bb | C:\WINDOWS\System32\drivers\FLTMGR.SYS |
0xfffff80437c52f55 | 174 | ntoskrnl.exe + 0x252f55 | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff80437c7ae10 | 174 | ntoskrnl.exe + 0x27ae10 | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff8043800056f | 174 | ntoskrnl.exe + 0x60056f | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff80437e077b5 | 174 | ntoskrnl.exe + 0x4077b5 | C:\WINDOWS\system32\ntoskrnl.exe |
0x7ffc927ecf44 | |||
0x7ffc9053def4 | |||
0x7ffc4ed0673b | |||
0x7ffc4ed033da | |||
0x7ffc4ed0065a | |||
0x7ffc4e9a0aa6 | |||
0x7ffc4e80ae91 | |||
0x7ffc4e80aaeb | |||
0x7ffc4e80a95c | |||
0x7ffc4eb5ff2c | |||
0x7ffc4eb4d2ee | |||
0x7ffc4eb6f88f | |||
0x7ffc4eb1c6b3 | |||
0x7ffc4eb19e12 | |||
0x7ffc4eb1a1b5 | |||
0x7ffc4eb66541 | |||
0x7ffc4ec62370 | |||
0x7ffc927b2150 | |||
0x7ffc927a315a | |||
0x7ffc91c17034 | |||
0x7ffc927a2651 | |||
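The evresults dump above decodes field by field once the FILE_ALL_INFORMATION structure is laid over it. The following is an added example, not viewer9's own code, that performs that decode in Python using the short-form FileAttributes table from this page; it assumes the x64 layout of FILE_ALL_INFORMATION from the Microsoft documentation (100-byte fixed part, then the UTF-16LE FileName), prints timestamps in UTC rather than the local time viewer9 shows, and leaves FileAccess and AccessMode as raw hex.

```python
import struct
from datetime import datetime, timezone

# FileAttributes short forms from the table on this page (0x40 has none).
ATTR_SHORT = {0x1: "R", 0x2: "H", 0x4: "S", 0x10: "D", 0x20: "A",
              0x40: "FILE_ATTRIBUTE_DEVICE", 0x80: "N", 0x100: "T",
              0x200: "SF", 0x400: "RP", 0x800: "C", 0x1000: "O",
              0x2000: "NCI", 0x4000: "E", 0x8000: "IS"}
EPOCH_DIFF = 116444736000000000  # 100-ns ticks from 1601-01-01 to 1970-01-01
# x64 FILE_ALL_INFORMATION fixed part (assumed layout): basic (4 FILETIMEs, attrs, pad),
# standard, internal, ea, access, position, mode, alignment, FileNameLength = 100 bytes.
ALL_INFO_FMT = "<4qI4xqqIBB2xqIIqIII"

def attrs_short(flags):
    """Render a FileAttributes mask the way viewer9 does, e.g. 0x20 -> 'A'."""
    names = [n for b, n in sorted(ATTR_SHORT.items()) if flags & b]
    if flags & ~sum(ATTR_SHORT):            # bits outside the table stay visible
        names.append(hex(flags & ~sum(ATTR_SHORT)))
    return ", ".join(names) or "0"

def filetime_utc(ft):
    """FILETIME -> 'YYYY-MM-DD HH:MM:SS.fffffff' in UTC, keeping all 7 digits.
    viewer9 displays the capture machine's local time, so the page differs by its offset."""
    secs, frac = divmod(ft - EPOCH_DIFF, 10_000_000)
    stamp = datetime.fromtimestamp(secs, tz=timezone.utc)
    return stamp.strftime("%Y-%m-%d %H:%M:%S") + f".{frac:07d}"

def parse_file_all_information(buf):
    """Decode an evresults blob laid out as FILE_ALL_INFORMATION. The FileName may be
    cut short when the result was BUFFER OVERFLOW, as in the event above (70 vs 4 bytes)."""
    if len(buf) < struct.calcsize(ALL_INFO_FMT):
        raise ValueError("evresults shorter than the FILE_ALL_INFORMATION fixed part")
    (ct, at, wt, cht, attrs, alloc, eof, links, delpend, isdir,
     index, easize, access, pos, mode, align, namelen) = struct.unpack_from(ALL_INFO_FMT, buf)
    name = buf[100:100 + namelen].decode("utf-16-le", errors="ignore")
    return {"CreationTime": filetime_utc(ct), "LastAccessTime": filetime_utc(at),
            "LastWriteTime": filetime_utc(wt), "ChangeTime": filetime_utc(cht),
            "FileAttributes": attrs_short(attrs), "AllocSize": alloc, "EndOfFile": eof,
            "NumberOfLinks": links, "DelPending": bool(delpend), "Directory": bool(isdir),
            "IndexNumber": hex(index), "EaSize": easize, "FileAccess": hex(access),
            "Position": pos, "AccessMode": hex(mode), "AlignReq": align,
            "Length": namelen, "Name": name, "NameTruncated": len(buf) - 100 < namelen}

# evresults[0-103] copied from the QueryAllInformationFile event above.
EVRESULTS = bytes.fromhex(
    "22d674843946d701 580e74ab476ad801 8f3777843946d701 4ac686dc1a46d701"
    "2000000000000000 0090020000000000 00c6040000000000 0200000000000000"
    "b8c5060000000200 1c01000080001000 0000000000000000 2000000000000000"
    "460000005c005700")
```

Running `parse_file_all_information(EVRESULTS)` reproduces every value in the field table above (AllocSize 167936, EndOfFile 312832, IndexNumber 0x200000006c5b8, EaSize 284, Length 70, Name \W), with NameTruncated set because only 4 of the 70 name bytes fit in the 104-byte buffer.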
Advanced names
These events can also be queried with advop, which varies based on d[12]. For d[12]=0x02 it is FASTIO_QUERY_INFORMATION, and for d[12]=0x09 it is either IRP_MJ_QUERY_INFORMATION or IRP_MN_QUERY_INFORMATION.
In some cases, viewer9 uses different field names than Procmon. In addition to those already mentioned in this article, other different Procmon field names are Access, AlignmentRequirement, AllocationSize, and Mode. There are no Length or Name fields in Procmon.
See also
Posted 4 Jul 2022, last updated 15 Nov 2022.
As viewer9 is just starting out, discussion is invited via email. Please send questions and comments to forum@viewer9.com directly. Threads that might be valuable to other users will be posted as part of the documentation. Posted messages will not include your address or your full name, and might be shortened for brevity.
Copyright 2022, bryantlite, Inc.