viewer9 documentation

QueryInformationVolume PML Operations

All of these operations belong to opcode=3,30 and correspond to the different values of FsInformationClass in the Microsoft documentation for NtQueryVolumeInformationFile.

Although Procmon does not show it, the FsInformationClass is in the PML data at evdata[0] (see PML Binary Data and Results Offsets) and is provided by viewer9 in the FsInfoClass field. Not all of these operations have their evresults parsed into fields in viewer9, so for rare ones you can look up the evresults structure in the Microsoft documentation for NtQueryVolumeInformationFile.

In addition to FsInfoClass, a 32-bit BufferSize and hex Buffer address (neither shown in Procmon) are extracted from the data to give insights into the way the underlying API was called.

To find QueryInformationVolume PML operations that viewer9 does not name explicitly with Op, query opcode=3,30 FsInfoClass=FileXYZInformation, substituting the FsInformationClass name of interest for FileXYZInformation.

QueryAttributeInformationVolume

FsInfoClass is FileFsAttributeInformation. FileSysAttr contains bit flags corresponding to the lpFileSystemFlags values in the Microsoft documentation. MaxCompNameLen (aka "Maximum Component Name Length") is a 32-bit integer. FileSysName is the file system name string.

QueryControlInformationVolume

FsInfoClass is FileFsControlInformation. This operation returns five 64-bit integers (FreeSpaceStartFiltering, FreeSpaceThreshold, FreeSpaceStopFiltering, DefaultQuotaThreshold, DefaultQuotaLimit) and a bit flags field, FileSystemControlFlags. The flags (e.g. FILE_VC_LOG_QUOTA_THRESHOLD) are not enumerated in viewer9, and they are not to be confused with the FsControl codes in the FileSystemControl PML Operation. All of these are explained in the Microsoft documentation for FILE_FS_CONTROL_INFORMATION.

QueryDeviceInformationVolume

FsInfoClass is FileFsDeviceInformation. DeviceType is an enumerated name for the type of device. Characteristics are bit flags for device characteristics.

QueryFullSizeInformationVolume

FsInfoClass is FileFsFullSizeInformation. There are five 32-bit integers: TotalAlloc, CallerAvail, ActualAvail, SectorsPerAlloc, BytesPerSector.

QueryInformationVolume

FsInfoClass is FileFsVolumeInformation. VolCreationTime is a timestamp. VolSerialNo is stored as a 32-bit integer but displayed as two 16-bit hex numbers separated by a dash. SupportsObjects is a 1-byte boolean. VolLabel is a string.

QueryObjectIdInformationVolume

FsInfoClass is FileFsObjectIdInformation. ObjectId is 16 bytes, displayed as a 32-character hex string.

QuerySizeInformationVolume

FsInfoClass is FileFsSizeInformation. There are four 32-bit integers: TotalAlloc, AvailAlloc, SectorsPerAlloc, BytesPerSector.

Example of QueryInformationVolume from 64-bit PML

Hover over field values like Time, ResultCode, VolCreationTime, and bytes of evdata and evresults in this example to see tooltips as they appear in viewer9. The tooltip on the first byte of a color patch gives the field name.

QueryInformationVolume opcode=3,30

ev=5339 advop=IRP_MJ_QUERY_VOLUME_INFORMATION

Time:2022-05-17 19:41:45.9258098
Duration:0.0000024
ResultCode:SUCCESS
Tid:6956
Path:C:\Windows\System32\smartscreenps.dll
FsInfoClass:FileFsVolumeInformation
BufferSize:24
Buffer:0xffff8b8b3e5ea330
VolCreationTime:2018-03-06 15:47:49.5880388
VolSerialNo:7c63-efb7
SupportsObjects:True

evdata[0-108] file offset 2326768

  0  01 00 64 00 6f 00 77 00  ..d.o.w.
  8  70 08 06 00 09 00 00 00  p.......
 16  18 00 00 00 00 00 00 00  ........
 24  01 00 00 00 00 00 00 00  ........
 32  30 a3 5e 3e 8b 8b ff ff  0.^>....
 40  00 00 00 00 00 00 00 00  ........
 48  00 00 00 00 00 00 00 00  ........
 56  00 00 00 00 00 00 00 00  ........
 64  25 80 00 00 43 3a 5c 57  %...C:\W
 72  69 6e 64 6f 77 73 5c 53  indows\S
 80  79 73 74 65 6d 33 32 5c  ystem32\
 88  73 6d 61 72 74 73 63 72  smartscr
 96  65 65 6e 70 73 2e 64 6c  eenps.dl
104  6c bb 48 e8 34           l.H.4

evresults[0-23] file offset 2326879

  0  c4 02 a8 63 8c b5 d3 01  ...c....
  8  b7 ef 63 7c 00 00 00 00  ..c.....
 16  01 00 00 00 00 00 00 00  ........

Call Stack stacksize=29

StackAddress        mod  ModName                ModPath
0xfffff80434e8608c  172  FLTMGR.SYS + 0x608c    C:\WINDOWS\System32\drivers\FLTMGR.SYS
0xfffff80434e85b37  172  FLTMGR.SYS + 0x5b37    C:\WINDOWS\System32\drivers\FLTMGR.SYS
0xfffff80434e84b46  172  FLTMGR.SYS + 0x4b46    C:\WINDOWS\System32\drivers\FLTMGR.SYS
0xfffff80434e848bb  172  FLTMGR.SYS + 0x48bb    C:\WINDOWS\System32\drivers\FLTMGR.SYS
0xfffff80437c52f55  174  ntoskrnl.exe + 0x252f55  C:\WINDOWS\system32\ntoskrnl.exe
0xfffff80437ffd928  174  ntoskrnl.exe + 0x5fd928  C:\WINDOWS\system32\ntoskrnl.exe
0xfffff80437ff5602  174  ntoskrnl.exe + 0x5f5602  C:\WINDOWS\system32\ntoskrnl.exe
0xfffff80437e077b5  174  ntoskrnl.exe + 0x4077b5  C:\WINDOWS\system32\ntoskrnl.exe
0x7ffc927ed644
0x7ffc9053deb6
0x7ffc4ed0673b
0x7ffc4ed033da
0x7ffc4ed0065a
0x7ffc4e9a0aa6
0x7ffc4e80ae91
0x7ffc4e80aaeb
0x7ffc4e80a95c
0x7ffc4eb5ff2c
0x7ffc4eb4d2ee
0x7ffc4eb6f88f
0x7ffc4eb1c6b3
0x7ffc4eb19e12
0x7ffc4eb1a1b5
0x7ffc4eb66541
0x7ffc4ec62370
0x7ffc927b2150
0x7ffc927a315a
0x7ffc91c17034
0x7ffc927a2651
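The following Python script is an added example, not viewer9 code and not part of the original page. It decodes the bytes of the 64-bit dump above by hand: FsInfoClass from evdata[0] (as the page states), then BufferSize and Buffer, and the FILE_FS_VOLUME_INFORMATION fields (VolumeCreationTime, VolumeSerialNumber, VolumeLabelLength, SupportsObjects, VolumeLabel) from evresults using the layout in the Microsoft documentation. Two things are assumptions: the evdata offsets 16 (BufferSize) and 32 (Buffer) are inferred from this one dump rather than documented on the page, and the timestamp is reported in UTC, whereas the VolCreationTime shown above is 5 hours earlier, consistent with display in a UTC-5 local time zone.

```python
import struct
from datetime import datetime, timedelta, timezone

# FS_INFORMATION_CLASS values from the Windows headers for the classes this
# page discusses (FileFsVolumeInformation = 1, and so on).
FS_INFORMATION_CLASS = {
    1: "FileFsVolumeInformation",
    2: "FileFsLabelInformation",
    3: "FileFsSizeInformation",
    4: "FileFsDeviceInformation",
    5: "FileFsAttributeInformation",
    6: "FileFsControlInformation",
    7: "FileFsFullSizeInformation",
    8: "FileFsObjectIdInformation",
}

# Constructed input: the first 40 evdata bytes of the example dump, copied from
# the hex listing on this page rather than read from a PML file.
EVDATA_HEAD = bytes.fromhex(
    "01006400" "6f007700"   # evdata[0] = FsInfoClass (1)
    "70080600" "09000000"
    "18000000" "00000000"   # evdata[16:20] = BufferSize (0x18 = 24)  [offset assumed]
    "01000000" "00000000"
    "30a35e3e" "8b8bffff"   # evdata[32:40] = Buffer address         [offset assumed]
)

# Constructed input: the 24 evresults bytes of the example dump.
EVRESULTS = bytes.fromhex(
    "c402a8638cb5d301"      # VolumeCreationTime, FILETIME, little-endian
    "b7ef637c"              # VolumeSerialNumber
    "00000000"              # VolumeLabelLength (bytes)
    "01"                    # SupportsObjects
    "00000000000000"        # alignment byte + unused tail up to BufferSize 24
)


def filetime_to_utc(ft: int) -> str:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> 'YYYY-MM-DD HH:MM:SS.fffffff'.

    The 100 ns fraction is kept as a 7-digit string because datetime only
    holds microseconds.
    """
    seconds, ticks = divmod(ft, 10_000_000)
    base = datetime(1601, 1, 1, tzinfo=timezone.utc)
    when = base + timedelta(seconds=seconds)
    return f"{when:%Y-%m-%d %H:%M:%S}.{ticks:07d}"


def parse_evdata_header(evdata: bytes) -> dict:
    """Decode FsInfoClass, BufferSize and Buffer from a 64-bit PML evdata block."""
    fs_class = evdata[0]
    buffer_size = struct.unpack_from("<I", evdata, 16)[0]   # assumed offset
    buffer_addr = struct.unpack_from("<Q", evdata, 32)[0]   # assumed offset
    return {
        "FsInfoClass": FS_INFORMATION_CLASS.get(fs_class, fs_class),
        "BufferSize": buffer_size,
        "Buffer": f"0x{buffer_addr:016x}",
    }


def parse_fs_volume_information(evresults: bytes) -> dict:
    """Decode a FILE_FS_VOLUME_INFORMATION buffer (Microsoft-documented layout)."""
    # LARGE_INTEGER VolumeCreationTime; ULONG VolumeSerialNumber;
    # ULONG VolumeLabelLength; BOOLEAN SupportsObjects; then WCHAR VolumeLabel[],
    # which is 2-byte aligned, so it starts at offset 18, not 17.
    ft, serial, label_len, supports = struct.unpack_from("<QIIB", evresults, 0)
    label = evresults[18:18 + label_len].decode("utf-16-le")
    return {
        "VolCreationTimeUTC": filetime_to_utc(ft),
        # viewer9 shows the 32-bit serial as two 16-bit hex halves with a dash.
        "VolSerialNo": f"{serial >> 16:04x}-{serial & 0xFFFF:04x}",
        "SupportsObjects": bool(supports),
        "VolLabel": label,
    }


def results_fit_buffer(evdata: bytes, evresults: bytes) -> bool:
    """Sanity check: the captured evresults should not exceed the caller's BufferSize."""
    return len(evresults) <= parse_evdata_header(evdata)["BufferSize"]


if __name__ == "__main__":
    print(parse_evdata_header(EVDATA_HEAD))
    print(parse_fs_volume_information(EVRESULTS))
    print("results fit buffer:", results_fit_buffer(EVDATA_HEAD, EVRESULTS))
```

Running it reproduces the FsInfoClass, BufferSize, Buffer, VolSerialNo and SupportsObjects values listed above; the creation time comes out as 20:47:49 UTC on 2018-03-06, 5 hours after the displayed 15:47:49. The last function is the kind of check worth running over a whole log: a result buffer longer than BufferSize would indicate a parsing error rather than a real API result.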

In some cases, viewer9 uses different field names than Procmon. In addition to those already mentioned in this article, other different Procmon field names are ActualAvailableAllocationUnits, CallerAvailableAllocationUnits, FileSystemAttributes, FileSystemName, MaximumComponentNameLength, SectorsPerAllocationUnit, TotalAllocationUnits, VolumeCreationTime, VolumeLabel, and VolumeSerialNumber.

Posted 4 Jul 2022, last updated 15 Nov 2022

As viewer9 is just starting out, discussion is invited via email. Please send questions and comments to forum@viewer9.com directly. Threads that might be valuable to other users will be posted as part of the documentation. Posted messages will not include your address or your full name, and might be shortened for brevity.

Copyright 2022, bryantlite, Inc.