viewer9 documentation

QueryInformationFile PML Operations

All of these operations belong to opcode=3,25 and correspond to the different FileInformationClass values in the Microsoft documentation for NtQueryInformationFile.

Although Procmon does not show it, the FileInformationClass is in the PML data at evdata[0] (see PML Binary Data and Results Offsets) and is provided by viewer9 in the FileInfoClass field. Not all of these operations have their evresults parsed into fields in viewer9, so for rare ones you can look up the evresults structure in the Microsoft documentation for NtQueryInformationFile (see how to do this in QueryCaseSensitiveInformation and QueryCompressionInformationFile below).

In addition to FileInfoClass, a 32-bit BufferSize and hex Buffer address (neither shown in Procmon) are extracted from the data to give insights into the way the underlying API was called.

To find QueryInformationFile PML operations not explicitly named with Op in viewer9, query opcode=3,25 FileInfoClass=FileXYZInformation.

QueryAllInformationFile

FileInfoClass is FileAllInformation. This operation is named "All" because it returns a lot of the same fields as the other QueryInformationFile operations, so field descriptions will not be duplicated here. An example of a QueryAllInformationFile event is after the descriptions of the other operations below.

QueryAttributeTagFile

FileInfoClass is FileAttributeTagInformation.

FileAttributes is mostly enumerated in short-form, for example A instead of FILE_ATTRIBUTE_ARCHIVE:

0x1,    "R",   // FILE_ATTRIBUTE_READONLY
0x2,    "H",   // FILE_ATTRIBUTE_HIDDEN
0x4,    "S",   // FILE_ATTRIBUTE_SYSTEM
0x10,   "D",   // FILE_ATTRIBUTE_DIRECTORY
0x20,   "A",   // FILE_ATTRIBUTE_ARCHIVE
0x40,   "FILE_ATTRIBUTE_DEVICE", // no short-form
0x80,   "N",   // FILE_ATTRIBUTE_NORMAL
0x100,  "T",   // FILE_ATTRIBUTE_TEMPORARY
0x200,  "SF",  // FILE_ATTRIBUTE_SPARSE_FILE
0x400,  "RP",  // FILE_ATTRIBUTE_REPARSE_POINT
0x800,  "C",   // FILE_ATTRIBUTE_COMPRESSED
0x1000, "O",   // FILE_ATTRIBUTE_OFFLINE
0x2000, "NCI", // FILE_ATTRIBUTE_NOT_CONTENT_INDEXED
0x4000, "E",   // FILE_ATTRIBUTE_ENCRYPTED
0x8000, "IS",  // FILE_ATTRIBUTE_INTEGRITY_STREAM

ReparseTag is a 32-bit integer displayed in hex.

QueryBasicInformationFile

FileInfoClass is FileBasicInformation. FileAttributes is described above, and there are 4 timestamps: CreationTime, LastAccessTime, LastWriteTime, ChangeTime.

QueryCaseSensitiveInformation

FileInfoClass is FileCaseSensitiveInformation.

This is an example of an operation not completely implemented in viewer9, so here is how to examine its event data further; the same process works for any QueryInformationFile operation.

Searching on "NtQueryInformationFile FileCaseSensitiveInformation" brings you to the FILE_CASE_SENSITIVE_INFORMATION struct, which is the structure of evresults for this operation in the PML file. It has one member, a 32-bit (4-byte) ULONG Flags. The only bit Microsoft defines in it is FILE_CS_FLAG_CASE_SENSITIVE_DIR (0x00000001), set when the directory is case sensitive, so in practice Flags is 0 or 1.

Because Flags is little-endian and only bit 0 is defined, the first byte of evresults, evresults[0], is enough to read it. For example, it can be queried with Op=QueryCaseSensitiveInformation evresults[0].

QueryCompressionInformationFile

FileInfoClass is FileCompressionInformation.

This is another example of an operation not completely implemented/parsed in viewer9. Searching on "NtQueryInformationFile FileCompressionInformation" brings you to the FILE_COMPRESSION_INFORMATION struct, which is the layout of the evresults section. Hovering the mouse over the evresults in the event view will give you:

evresults[0]  CompressedFileSize   (8 bytes, LARGE_INTEGER)
evresults[8]  CompressionFormat    (2 bytes, USHORT)
evresults[10] CompressionUnitShift (1 byte)
evresults[11] ChunkShift           (1 byte)
evresults[12] ClusterShift         (1 byte)

The struct ends with a 3-byte Reserved[3] member at evresults[13], so the whole structure is 16 bytes; expect BufferSize to be at least 16 for this operation.
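The two look-it-up-yourself operations above (QueryCaseSensitiveInformation and QueryCompressionInformationFile) decoded from raw evresults bytes, as an added example that is not viewer9 code. It uses the Microsoft struct layouts for NtQueryInformationFile; the sample evresults byte strings are constructed for illustration, not taken from a PML file, and the compression-format names come from winnt.h.

```python
"""Decode two QueryInformationFile evresults that viewer9 does not split
into fields, straight from the Microsoft struct definitions.
Added example, not viewer9 code; sample bytes below are constructed."""
import struct

# FILE_CASE_SENSITIVE_INFORMATION { ULONG Flags; }  -> 4 bytes, little-endian
FILE_CS_FLAG_CASE_SENSITIVE_DIR = 0x00000001   # ntifs.h

# FILE_COMPRESSION_INFORMATION, 16 bytes including the trailing Reserved[3]:
#   @0  LARGE_INTEGER CompressedFileSize
#   @8  USHORT        CompressionFormat
#   @10 UCHAR         CompressionUnitShift
#   @11 UCHAR         ChunkShift
#   @12 UCHAR         ClusterShift
#   @13 UCHAR         Reserved[3]
COMPRESSION_FMT = "<qHBBB3x"
COMPRESSION_FORMATS = {0: "NONE", 1: "DEFAULT", 2: "LZNT1", 3: "XPRESS", 4: "XPRESS_HUFF"}


def decode_case_sensitive(evresults: bytes) -> dict:
    if len(evresults) < 4:
        raise ValueError("FILE_CASE_SENSITIVE_INFORMATION needs 4 bytes")
    flags, = struct.unpack_from("<I", evresults, 0)
    # Bit 0 lives in evresults[0] (little-endian), which is why the query
    # "Op=QueryCaseSensitiveInformation evresults[0]" works; decoding the
    # whole ULONG additionally surfaces any bits that are not documented.
    return {
        "Flags": flags,
        "CaseSensitiveDir": bool(flags & FILE_CS_FLAG_CASE_SENSITIVE_DIR),
        "UnknownFlags": flags & ~FILE_CS_FLAG_CASE_SENSITIVE_DIR,
    }


def decode_compression(evresults: bytes) -> dict:
    need = struct.calcsize(COMPRESSION_FMT)          # 16
    if len(evresults) < need:
        raise ValueError(f"FILE_COMPRESSION_INFORMATION needs {need} bytes, got {len(evresults)}")
    size, fmt, unit_shift, chunk_shift, cluster_shift = struct.unpack_from(COMPRESSION_FMT, evresults, 0)
    # The shifts are log2 of byte sizes; an uncompressed file reports
    # format NONE with zero shifts, so report 0 bytes instead of 1 << 0.
    to_size = lambda shift: (1 << shift) if shift else 0
    return {
        "CompressedFileSize": size,
        "CompressionFormat": COMPRESSION_FORMATS.get(fmt, f"unknown({fmt})"),
        "CompressionUnitShift": unit_shift, "ChunkShift": chunk_shift, "ClusterShift": cluster_shift,
        "CompressionUnitSize": to_size(unit_shift),
        "ChunkSize": to_size(chunk_shift),
        "ClusterSize": to_size(cluster_shift),
    }


# Constructed samples (not captured data): a case-sensitive directory, and an
# LZNT1-compressed file with a 64 KiB compression unit on 4 KiB clusters.
SAMPLE_CASE_SENSITIVE = bytes([0x01, 0x00, 0x00, 0x00])
SAMPLE_COMPRESSION = struct.pack(COMPRESSION_FMT, 20480, 2, 16, 12, 12)

if __name__ == "__main__":
    print(decode_case_sensitive(SAMPLE_CASE_SENSITIVE))
    print(decode_compression(SAMPLE_COMPRESSION))
```

The length checks matter in practice: a short evresults (for example when ResultCode is not SUCCESS) would otherwise be read past its end, and the explicit "3x" keeps the Reserved bytes from being mistaken for data.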

QueryEaInformationFile

FileInfoClass is FileEaInformation. EaSize is a 32-bit integer.

QueryFileInternalInformationFile

FileInfoClass is FileInternalInformation. IndexNumber is a 64-bit number.

QueryIdInformation

FileInfoClass is FileIdInformation.

QueryNameInformationFile

FileInfoClass is FileNameInformation.

QueryNetworkOpenInformationFile

FileInfoClass is FileNetworkOpenInformation. FileAttributes is described above, AllocSize and EndOfFile are 64-bit, and there are 4 timestamps: CreationTime LastAccessTime LastWriteTime ChangeTime.

QueryNetworkPhysicalNameInformationFile

FileInfoClass is FileNetworkPhysicalNameInformation.

QueryNormalizedNameInformationFile

FileInfoClass is FileNormalizedNameInformation.

QueryPositionInformationFile

FileInfoClass is FilePositionInformation. Position is a 64-bit integer.

QueryRemoteProtocolInformation

FileInfoClass is FileRemoteProtocolInformation.

QueryStandardInformationFile

FileInfoClass is FileStandardInformation. AllocSize and EndOfFile are 64-bit, NumberOfLinks is 32-bit, DelPending and Directory are 1-byte flags.

QueryStandardLinkInformation

FileInfoClass is FileStandardLinkInformation.

QueryStatInformation

FileInfoClass is FileStatInformation.

QueryStreamInformationFile

FileInfoClass is FileStreamInformation. This operation is for Alternate Data Streams (ADS). The fields are 64-bit StreamSize (not displayed in Procmon), 64-bit AllocSize, and Streams, which is a list of the stream filenames (shown as a numbered list in the Procmon detail, rather than under a single label). Note that sometimes Procmon does not display the last stream, but viewer9 does (see Procmon Bug: QueryStreamInformationFile Alternate Data Stream).

Example of QueryAllInformationFile from 64-bit PML

Hover over field values like Time, ResultCode, timestamps, FileAttributes, FileAccess, AccessMode, AlignReq, Length, and bytes of evdata in this example to see tooltips as they appear in viewer9. The tooltip of the first byte of a color patch tells the field name.

QueryAllInformationFile opcode=3,25

ev=5340 advop=IRP_MJ_QUERY_INFORMATION

Time:2022-05-17 19:41:45.9258243
Duration:0.0000055
ResultCode:BUFFER OVERFLOW
Tid:6956
Path:C:\Windows\System32\smartscreenps.dll
FileInfoClass:FileAllInformation
BufferSize:104
Buffer:0xffff8b8b3eadf590
CreationTime:2021-05-11 03:44:48.0048674
LastAccessTime:2022-05-17 19:41:45.9161688
LastWriteTime:2021-05-11 03:44:48.0204687
ChangeTime:2021-05-11 00:05:21.3633098
FileAttributes:A
AllocSize:167936
EndOfFile:312832
NumberOfLinks:2
DelPending:False
Directory:False
IndexNumber:0x200000006c5b8
EaSize:284
FileAccess:Read Attributes, Synchronize
Position:0
AccessMode:Synchronous IO Non-Alert
AlignReq:Byte
Length:70
Name:\W

evdata[0-108] file offset 2327187

  0  12 00 00 00 5c 00 49 00  ....\.I.
  8  70 08 06 00 09 00 00 00  p.......
 16  68 00 00 00 00 00 00 00  h.......
 24  12 00 00 00 00 00 00 00  ........
 32  90 f5 ad 3e 8b 8b ff ff  ...>....
 40  00 00 00 00 00 00 00 00  ........
 48  00 00 00 00 00 00 00 00  ........
 56  00 00 00 00 00 00 00 00  ........
 64  25 80 c6 37 43 3a 5c 57  %..7C:\W
 72  69 6e 64 6f 77 73 5c 53  indows\S
 80  79 73 74 65 6d 33 32 5c  ystem32\
 88  73 6d 61 72 74 73 63 72  smartscr
 96  65 65 6e 70 73 2e 64 6c  eenps.dl
104  6c 34 70 c1 91           l4p..

evresults[0-103] file offset 2327298

  0  22 d6 74 84 39 46 d7 01  ".t.9F..
  8  58 0e 74 ab 47 6a d8 01  X.t.Gj..
 16  8f 37 77 84 39 46 d7 01  .7w.9F..
 24  4a c6 86 dc 1a 46 d7 01  J....F..
 32  20 00 00 00 00 00 00 00   .......
 40  00 90 02 00 00 00 00 00  ........
 48  00 c6 04 00 00 00 00 00  ........
 56  02 00 00 00 00 00 00 00  ........
 64  b8 c5 06 00 00 00 02 00  ........
 72  1c 01 00 00 80 00 10 00  ........
 80  00 00 00 00 00 00 00 00  ........
 88  20 00 00 00 00 00 00 00   .......
 96  46 00 00 00 5c 00 57 00  F...\.W.

Call Stack stacksize=29

Stack Address       mod  ModName                  ModPath
0xfffff80434e8608c  172  FLTMGR.SYS + 0x608c      C:\WINDOWS\System32\drivers\FLTMGR.SYS
0xfffff80434e85b37  172  FLTMGR.SYS + 0x5b37      C:\WINDOWS\System32\drivers\FLTMGR.SYS
0xfffff80434e84b46  172  FLTMGR.SYS + 0x4b46      C:\WINDOWS\System32\drivers\FLTMGR.SYS
0xfffff80434e848bb  172  FLTMGR.SYS + 0x48bb      C:\WINDOWS\System32\drivers\FLTMGR.SYS
0xfffff80437c52f55  174  ntoskrnl.exe + 0x252f55  C:\WINDOWS\system32\ntoskrnl.exe
0xfffff80437c7ae10  174  ntoskrnl.exe + 0x27ae10  C:\WINDOWS\system32\ntoskrnl.exe
0xfffff8043800056f  174  ntoskrnl.exe + 0x60056f  C:\WINDOWS\system32\ntoskrnl.exe
0xfffff80437e077b5  174  ntoskrnl.exe + 0x4077b5  C:\WINDOWS\system32\ntoskrnl.exe
0x7ffc927ecf44
0x7ffc9053def4
0x7ffc4ed0673b
0x7ffc4ed033da
0x7ffc4ed0065a
0x7ffc4e9a0aa6
0x7ffc4e80ae91
0x7ffc4e80aaeb
0x7ffc4e80a95c
0x7ffc4eb5ff2c
0x7ffc4eb4d2ee
0x7ffc4eb6f88f
0x7ffc4eb1c6b3
0x7ffc4eb19e12
0x7ffc4eb1a1b5
0x7ffc4eb66541
0x7ffc4ec62370
0x7ffc927b2150
0x7ffc927a315a
0x7ffc91c17034
0x7ffc927a2651
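The event above decoded from its raw bytes, as an added example that is not viewer9 code. EVDATA and EVRESULTS are transcribed from the two hex dumps in the example; the struct layout is Microsoft's FILE_ALL_INFORMATION as a 64-bit kernel lays it out, and the output uses the viewer9 field names. Assumptions not stated on this page: the evdata offsets used for BufferSize (16) and Buffer (32) were read off the dump rather than taken from the viewer9 offsets page, and the wording of the AccessFlags/Mode flag names and the attribute separator are this example's own choices. Timestamps are produced in UTC.

```python
"""Decode the QueryAllInformationFile event above from its PML bytes.
Added example, not viewer9 code; hex transcribed from the dumps above."""
import struct
from datetime import datetime, timedelta

EVDATA = bytes.fromhex(
    "12 00 00 00 5c 00 49 00  70 08 06 00 09 00 00 00 "
    "68 00 00 00 00 00 00 00  12 00 00 00 00 00 00 00 "
    "90 f5 ad 3e 8b 8b ff ff " + "00 " * 24 +
    "25 80 c6 37 43 3a 5c 57  69 6e 64 6f 77 73 5c 53 "
    "79 73 74 65 6d 33 32 5c  73 6d 61 72 74 73 63 72 "
    "65 65 6e 70 73 2e 64 6c  6c 34 70 c1 91")
EVRESULTS = bytes.fromhex(
    "22 d6 74 84 39 46 d7 01  58 0e 74 ab 47 6a d8 01 "
    "8f 37 77 84 39 46 d7 01  4a c6 86 dc 1a 46 d7 01 "
    "20 00 00 00 00 00 00 00  00 90 02 00 00 00 00 00 "
    "00 c6 04 00 00 00 00 00  02 00 00 00 00 00 00 00 "
    "b8 c5 06 00 00 00 02 00  1c 01 00 00 80 00 10 00 "
    "00 00 00 00 00 00 00 00  20 00 00 00 00 00 00 00 "
    "46 00 00 00 5c 00 57 00")

ATTR_SHORT = {  # viewer9 short forms from the FileAttributes table above
    0x1: "R", 0x2: "H", 0x4: "S", 0x10: "D", 0x20: "A", 0x40: "FILE_ATTRIBUTE_DEVICE",
    0x80: "N", 0x100: "T", 0x200: "SF", 0x400: "RP", 0x800: "C", 0x1000: "O",
    0x2000: "NCI", 0x4000: "E", 0x8000: "IS"}
# Flag wording below is this example's choice (assumption); values are ntifs.h.
ACCESS_NAMES = {0x1: "Read Data", 0x2: "Write Data", 0x4: "Append Data",
                0x80: "Read Attributes", 0x100: "Write Attributes",
                0x10000: "Delete", 0x100000: "Synchronize"}
MODE_NAMES = {0x2: "Write Through", 0x8: "No Intermediate Buffering",
              0x10: "Synchronous IO Alert", 0x20: "Synchronous IO Non-Alert",
              0x1000: "Delete On Close"}
ALIGN_NAMES = {0: "Byte", 1: "Word", 3: "Long", 7: "Quad"}

FILE_ALL_INFORMATION = 18   # FILE_INFORMATION_CLASS value found in evdata[0]
# Basic(40) Standard(24) Internal(8) Ea(4) Access(4) Position(8) Mode(4)
# Alignment(4) Name.FileNameLength(4); FileName (UTF-16LE) follows at 100.
FILE_ALL_FMT = "<4qI4xqqIBB2xqIIqIII"


def filetime_to_str(ft: int) -> str:
    """FILETIME (100 ns ticks since 1601-01-01) as viewer9-style text, UTC."""
    dt = datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)
    return dt.strftime("%Y-%m-%d %H:%M:%S") + f".{ft % 10_000_000:07d}"


def flag_names(value: int, names: dict, sep: str = ", ") -> str:
    return sep.join(n for bit, n in sorted(names.items()) if value & bit)


def decode_evdata(evdata: bytes) -> dict:
    cls, = struct.unpack_from("<I", evdata, 0)
    size, = struct.unpack_from("<I", evdata, 16)   # assumption: offset read off the dump
    buf, = struct.unpack_from("<Q", evdata, 32)    # assumption: offset read off the dump
    return {"FileInfoClass": cls, "d12": evdata[12], "BufferSize": size, "Buffer": buf}


def decode_all_information(evresults: bytes) -> dict:
    hdr = struct.calcsize(FILE_ALL_FMT)             # 100
    if len(evresults) < hdr:
        raise ValueError("evresults shorter than the fixed part of FILE_ALL_INFORMATION")
    f = struct.unpack_from(FILE_ALL_FMT, evresults, 0)
    name_len, avail = f[16], len(evresults) - hdr
    # On BUFFER OVERFLOW the kernel copies what fits but FileNameLength still
    # reports the full length, so the name here is only a prefix ("\W").
    name = evresults[hdr:hdr + min(name_len, avail)].decode("utf-16-le", "replace")
    return {
        "CreationTime": filetime_to_str(f[0]), "LastAccessTime": filetime_to_str(f[1]),
        "LastWriteTime": filetime_to_str(f[2]), "ChangeTime": filetime_to_str(f[3]),
        "FileAttributes": flag_names(f[4], ATTR_SHORT, sep=""),
        "AllocSize": f[5], "EndOfFile": f[6], "NumberOfLinks": f[7],
        "DelPending": bool(f[8]), "Directory": bool(f[9]), "IndexNumber": f[10],
        "EaSize": f[11], "FileAccess": flag_names(f[12], ACCESS_NAMES),
        "Position": f[13], "AccessMode": flag_names(f[14], MODE_NAMES),
        "AlignReq": ALIGN_NAMES.get(f[15], hex(f[15])),
        "Length": name_len, "Name": name, "NameTruncated": name_len > avail,
    }


if __name__ == "__main__":
    ev = decode_evdata(EVDATA)
    assert ev["FileInfoClass"] == FILE_ALL_INFORMATION and ev["BufferSize"] == len(EVRESULTS)
    for k, v in {**ev, **decode_all_information(EVRESULTS)}.items():
        print(k + ":" + (hex(v) if k in ("Buffer", "IndexNumber") else str(v)))
```

Every numeric field reproduces the viewer9 display above (AllocSize 167936, EndOfFile 312832, IndexNumber 0x200000006c5b8, EaSize 284, Length 70, Name "\W"). The timestamps decode to UTC, e.g. CreationTime 2021-05-11 07:44:48.0048674; the example shows them four hours earlier, consistent with viewer9 rendering them in the capturing machine's local time. NameTruncated being true is the BUFFER OVERFLOW result seen in code: the caller's 104-byte buffer left only 4 bytes for a 70-byte name, which is why a second call with a bigger buffer usually follows in the trace.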

Advanced names

These events can also be queried with advop, which varies based on d[12] (byte 12 of the event data; 0x09 in the example above, where advop is IRP_MJ_QUERY_INFORMATION). For d[12]=0x02 it is FASTIO_QUERY_INFORMATION, and for d[12]=0x09 it is either IRP_MJ_QUERY_INFORMATION or IRP_MN_QUERY_INFORMATION.

In some cases, viewer9 uses different field names than Procmon. In addition to those already mentioned in this article, Procmon's Access, AlignmentRequirement, AllocationSize, and Mode correspond to viewer9's FileAccess, AlignReq, AllocSize, and AccessMode. There are no Length or Name fields in Procmon.


Posted 4 Jul 2022, last updated 15 Nov 2022.

As viewer9 is just starting out, discussion is invited via email. Please send questions and comments to forum@viewer9.com directly. Threads that might be valuable to other users will be posted as part of the documentation. Posted messages will not include your address or your full name, and might be shortened for brevity.

Copyright 2022, bryantlite, Inc.