QueryInformationVolume PML Operations
All of these operations belong to opcode=3,30 and correspond to the different values of FsInformationClass in the Microsoft documentation for NtQueryVolumeInformationFile.
Although Procmon does not show it, the FsInformationClass is in the PML data at evdata[0] (see PML Binary Data and Results Offsets) and is provided by viewer9 in the FsInfoClass field. Not all of these operations have their evresults parsed into fields in viewer9, so for rare ones you can look up the evresults structure in the Microsoft documentation for NtQueryVolumeInformationFile.
In addition to FsInfoClass, a 32-bit BufferSize and hex Buffer address (neither shown in Procmon) are extracted from the data to give insights into the way the underlying API was called.
To find QueryInformationVolume PML operations not explicitly named with Op in viewer9, query opcode=3,30 FsInfoClass=FileXYZInformation.
QueryAttributeInformationVolume
FsInfoClass is FileFsAttributeInformation. FileSysAttr is a bit-flags field with the same meaning as the lpFileSystemFlags output of GetVolumeInformation in the Microsoft documentation (for example FILE_CASE_SENSITIVE_SEARCH). MaxCompNameLen (aka "Maximum Component Name Length") is a 32-bit integer. FileSysName is the file system name string (for example NTFS).
QueryControlInformationVolume
FsInfoClass is FileFsControlInformation. The results are five 64-bit integers, FreeSpaceStartFiltering, FreeSpaceThreshold, FreeSpaceStopFiltering, DefaultQuotaThreshold and DefaultQuotaLimit, followed by the bit-flags field FileSystemControlFlags. viewer9 does not enumerate those flags (e.g. FILE_VC_LOG_QUOTA_THRESHOLD); they are not to be confused with the FsControl codes of the FileSystemControl PML operation. All of them are explained in the Microsoft documentation for FILE_FS_CONTROL_INFORMATION.
QueryDeviceInformationVolume
FsInfoClass is FileFsDeviceInformation. DeviceType is the enumerated name of the device type (a FILE_DEVICE_* value such as FILE_DEVICE_DISK). Characteristics is a bit-flags field of device characteristics (FILE_REMOVABLE_MEDIA, FILE_READ_ONLY_DEVICE, FILE_REMOTE_DEVICE and so on).
QueryFullSizeInformationVolume
FsInfoClass is FileFsFullSizeInformation. Following the FILE_FS_FULL_SIZE_INFORMATION structure, TotalAlloc, CallerAvail and ActualAvail are 64-bit integers counting allocation units, and SectorsPerAlloc and BytesPerSector are 32-bit integers. Bytes free to the caller are CallerAvail × SectorsPerAlloc × BytesPerSector; ActualAvail can exceed CallerAvail when quotas are in effect.
QueryInformationVolume
FsInfoClass is FileFsVolumeInformation. VolCreationTime is a timestamp. VolSerialNo is stored as a 32-bit integer but displayed as two 16-bit hex numbers separated by a dash. SupportsObjects is a 1-byte boolean. VolLabel is a string.
QueryObjectIdInformationVolume
FsInfoClass is FileFsObjectIdInformation. ObjectId is a 16-byte value displayed as a 32-character hex string.
QuerySizeInformationVolume
FsInfoClass is FileFsSizeInformation. Following the FILE_FS_SIZE_INFORMATION structure, TotalAlloc and AvailAlloc are 64-bit integers counting allocation units, and SectorsPerAlloc and BytesPerSector are 32-bit integers.
Example of QueryInformationVolume from 64-bit PML
In viewer9, field values such as Time, ResultCode and VolCreationTime and the individual bytes of evdata and evresults carry tooltips; the tooltip on the first byte of a color patch gives the name of the field that patch decodes to.
QueryInformationVolume opcode=3,30
ev=5339 advop=IRP_MJ_QUERY_VOLUME_INFORMATION
Time: | 2022-05-17 19:41:45.9258098 |
Duration: | 0.0000024 |
ResultCode: | SUCCESS |
Tid: | 6956 |
Path: | C:\Windows\System32\smartscreenps.dll |
FsInfoClass: | FileFsVolumeInformation |
BufferSize: | 24 |
Buffer: | 0xffff8b8b3e5ea330 |
VolCreationTime: | 2018-03-06 15:47:49.5880388 |
VolSerialNo: | 7c63-efb7 |
SupportsObjects: | True |
evdata[0-108] file offset 2326768
0 | 01 00 64 00 6f 00 77 00 | ..d.o.w. |
8 | 70 08 06 00 09 00 00 00 | p....... |
16 | 18 00 00 00 00 00 00 00 | ........ |
24 | 01 00 00 00 00 00 00 00 | ........ |
32 | 30 a3 5e 3e 8b 8b ff ff | 0.^>.... |
40 | 00 00 00 00 00 00 00 00 | ........ |
48 | 00 00 00 00 00 00 00 00 | ........ |
56 | 00 00 00 00 00 00 00 00 | ........ |
64 | 25 80 00 00 43 3a 5c 57 | %...C:\W |
72 | 69 6e 64 6f 77 73 5c 53 | indows\S |
80 | 79 73 74 65 6d 33 32 5c | ystem32\ |
88 | 73 6d 61 72 74 73 63 72 | smartscr |
96 | 65 65 6e 70 73 2e 64 6c | eenps.dl |
104 | 6c bb 48 e8 34 | l.H.4 |
evresults[0-23] file offset 2326879
0 | c4 02 a8 63 8c b5 d3 01 | ...c.... |
8 | b7 ef 63 7c 00 00 00 00 | ..c..... |
16 | 01 00 00 00 00 00 00 00 | ........ |
Call Stack stacksize=29
StackAddress | mod | ModName | ModPath |
---|---|---|---|
0xfffff80434e8608c | 172 | FLTMGR.SYS + 0x608c | C:\WINDOWS\System32\drivers\FLTMGR.SYS |
0xfffff80434e85b37 | 172 | FLTMGR.SYS + 0x5b37 | C:\WINDOWS\System32\drivers\FLTMGR.SYS |
0xfffff80434e84b46 | 172 | FLTMGR.SYS + 0x4b46 | C:\WINDOWS\System32\drivers\FLTMGR.SYS |
0xfffff80434e848bb | 172 | FLTMGR.SYS + 0x48bb | C:\WINDOWS\System32\drivers\FLTMGR.SYS |
0xfffff80437c52f55 | 174 | ntoskrnl.exe + 0x252f55 | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff80437ffd928 | 174 | ntoskrnl.exe + 0x5fd928 | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff80437ff5602 | 174 | ntoskrnl.exe + 0x5f5602 | C:\WINDOWS\system32\ntoskrnl.exe |
0xfffff80437e077b5 | 174 | ntoskrnl.exe + 0x4077b5 | C:\WINDOWS\system32\ntoskrnl.exe |
0x7ffc927ed644 | |||
0x7ffc9053deb6 | |||
0x7ffc4ed0673b | |||
0x7ffc4ed033da | |||
0x7ffc4ed0065a | |||
0x7ffc4e9a0aa6 | |||
0x7ffc4e80ae91 | |||
0x7ffc4e80aaeb | |||
0x7ffc4e80a95c | |||
0x7ffc4eb5ff2c | |||
0x7ffc4eb4d2ee | |||
0x7ffc4eb6f88f | |||
0x7ffc4eb1c6b3 | |||
0x7ffc4eb19e12 | |||
0x7ffc4eb1a1b5 | |||
0x7ffc4eb66541 | |||
0x7ffc4ec62370 | |||
0x7ffc927b2150 | |||
0x7ffc927a315a | |||
0x7ffc91c17034 | |||
0x7ffc927a2651 |
In some cases viewer9 uses shorter field names than Procmon. In addition to the names already mentioned in this article, the Procmon names ActualAvailableAllocationUnits, CallerAvailableAllocationUnits, FileSystemAttributes, FileSystemName, MaximumComponentNameLength, SectorsPerAllocationUnit, TotalAllocationUnits, VolumeCreationTime, VolumeLabel and VolumeSerialNumber appear in viewer9 as ActualAvail, CallerAvail, FileSysAttr, FileSysName, MaxCompNameLen, SectorsPerAlloc, TotalAlloc, VolCreationTime, VolLabel and VolSerialNo respectively.
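The following script is an added example, not viewer9 code and not part of the original page. It decodes both halves of a QueryInformationVolume event: the call parameters at the top of this article (FsInfoClass, BufferSize, Buffer and the path in evdata) and the evresults structures of the classes listed above, labelled with viewer9's field names. The evdata bytes and evresults bytes are copied from the example event above; the evdata offsets used (FsInfoClass at evdata[0], BufferSize at 16, Buffer at 32, and a path header at 64 whose bit 15 means ASCII and whose low 15 bits are the character count) are read off that 64-bit dump and are assumptions, not the documented layout in PML Binary Data and Results Offsets. The evresults layouts are Microsoft's FILE_FS_*_INFORMATION structures, and the FileFsSizeInformation sample is constructed. Note that the FILETIME in the example decodes to 20:47:49 UTC; the 15:47:49 shown above is the same instant in a local zone five hours behind UTC.

```python
"""Decode a QueryInformationVolume (opcode=3,30) PML event: the call
parameters in evdata and the FS_INFORMATION_CLASS-specific evresults.

Added example, not viewer9 code. The evdata offsets (FsInfoClass at 0,
BufferSize at 16, Buffer at 32, path at 64) are ASSUMED from the 64-bit
dump on this page; evresults layouts are Microsoft's FILE_FS_*_INFORMATION.
"""
import struct
from datetime import datetime, timedelta, timezone

# FS_INFORMATION_CLASS values as defined in the Windows headers (ntifs.h).
FS_INFORMATION_CLASS = {
    1: "FileFsVolumeInformation",    2: "FileFsLabelInformation",
    3: "FileFsSizeInformation",      4: "FileFsDeviceInformation",
    5: "FileFsAttributeInformation", 6: "FileFsControlInformation",
    7: "FileFsFullSizeInformation",  8: "FileFsObjectIdInformation",
}

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_str(ft: int) -> str:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> 'YYYY-MM-DD HH:MM:SS.fffffff' UTC.
    The sub-second ticks are split off by hand so the 100 ns digit survives."""
    secs, ticks = divmod(ft, 10_000_000)
    when = _FILETIME_EPOCH + timedelta(seconds=secs)
    return when.strftime("%Y-%m-%d %H:%M:%S") + f".{ticks:07d}"


def parse_evdata(evdata: bytes) -> dict:
    """Call-side parameters Procmon hides: FsInfoClass, BufferSize, Buffer, Path."""
    fs_class = evdata[0]                                   # one byte at evdata[0]
    (buffer_size,) = struct.unpack_from("<I", evdata, 16)  # 32-bit, offset assumed
    (buffer_ptr,) = struct.unpack_from("<Q", evdata, 32)   # 64-bit address, offset assumed
    # Path header (assumed): u16 where bit 15 set = ASCII, clear = UTF-16LE,
    # low 15 bits = character count; 0x8025 in the example = ASCII, 37 chars.
    (hdr,) = struct.unpack_from("<H", evdata, 64)
    nchars, is_ascii = hdr & 0x7FFF, bool(hdr & 0x8000)
    raw = evdata[68:68 + (nchars if is_ascii else 2 * nchars)]
    return {
        "FsInfoClass": FS_INFORMATION_CLASS.get(fs_class, f"Unknown({fs_class})"),
        "BufferSize": buffer_size,
        "Buffer": f"0x{buffer_ptr:016x}",
        "Path": raw.decode("ascii" if is_ascii else "utf-16-le"),
    }


def parse_evresults(fs_class_name: str, res: bytes) -> dict:
    """Decode evresults for the classes documented above, using viewer9's field names."""
    if fs_class_name == "FileFsVolumeInformation":
        # LARGE_INTEGER VolumeCreationTime, ULONG VolumeSerialNumber,
        # ULONG VolumeLabelLength, BOOLEAN SupportsObjects, WCHAR VolumeLabel[] at 18
        ctime, serial, label_len, supports = struct.unpack_from("<QIIB", res, 0)
        return {
            "VolCreationTime": filetime_to_str(ctime),
            "VolSerialNo": f"{serial >> 16:04x}-{serial & 0xFFFF:04x}",
            "SupportsObjects": bool(supports),
            "VolLabel": res[18:18 + label_len].decode("utf-16-le"),
        }
    if fs_class_name == "FileFsSizeInformation":
        # two LARGE_INTEGERs (allocation-unit counts) then two ULONGs
        total, avail, spa, bps = struct.unpack_from("<qqII", res, 0)
        return {"TotalAlloc": total, "AvailAlloc": avail,
                "SectorsPerAlloc": spa, "BytesPerSector": bps,
                "AvailBytes": avail * spa * bps}
    if fs_class_name == "FileFsFullSizeInformation":
        total, caller, actual, spa, bps = struct.unpack_from("<qqqII", res, 0)
        return {"TotalAlloc": total, "CallerAvail": caller, "ActualAvail": actual,
                "SectorsPerAlloc": spa, "BytesPerSector": bps}
    if fs_class_name == "FileFsAttributeInformation":
        # ULONG FileSystemAttributes, LONG MaximumComponentNameLength,
        # ULONG FileSystemNameLength, WCHAR FileSystemName[] at 12
        attrs, max_comp, name_len = struct.unpack_from("<IiI", res, 0)
        return {"FileSysAttr": f"0x{attrs:08x}", "MaxCompNameLen": max_comp,
                "FileSysName": res[12:12 + name_len].decode("utf-16-le")}
    return {"raw": res.hex()}  # rarer classes: see the Microsoft structure docs


def decode_event(evdata: bytes, evresults: bytes) -> dict:
    """Combine both halves of one event as viewer9 would display them."""
    fields = parse_evdata(evdata)
    fields.update(parse_evresults(fields["FsInfoClass"], evresults))
    return fields


# Bytes copied from the example event on this page (evdata[0-108], evresults[0-23]).
EXAMPLE_EVDATA = bytes.fromhex(
    "01006400 6f007700 70080600 09000000 18000000 00000000 01000000 00000000"
    "30a35e3e 8b8bffff 00000000 00000000 00000000 00000000 00000000 00000000"
    "25800000 433a5c57 696e646f 77735c53 79737465 6d33325c 736d6172 74736372"
    "65656e70 732e646c 6cbb48e8 34")
EXAMPLE_EVRESULTS = bytes.fromhex("c402a863 8cb5d301 b7ef637c 00000000 01000000 00000000")

# Constructed sample (not from the page) for FileFsSizeInformation: 1,000,000 units
# total, 250,000 free, 8 sectors of 512 bytes per unit.
SAMPLE_SIZE_EVRESULTS = struct.pack("<qqII", 1_000_000, 250_000, 8, 512)

if __name__ == "__main__":
    for k, v in decode_event(EXAMPLE_EVDATA, EXAMPLE_EVRESULTS).items():
        print(f"{k}: {v}")
    print(parse_evresults("FileFsSizeInformation", SAMPLE_SIZE_EVRESULTS))
```

Running it reproduces the FsInfoClass, BufferSize, Buffer, Path, VolSerialNo and SupportsObjects values shown in the example; if the assumed evdata offsets do not hold for a given PML, the BufferSize and Buffer values will be visibly wrong (a size that is not a small multiple of 8, an address without the 0xffff... kernel prefix), which is the check to apply before trusting them.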
Posted 4 Jul 2022, last updated 15 Nov 2022.
As viewer9 is just starting out, discussion is invited via email. Please send questions and comments to forum@viewer9.com directly. Threads that might be valuable to other users will be posted as part of the documentation. Posted messages will not include your address or your full name, and might be shortened for brevity.
Copyright 2022, bryantlite, Inc.