| viewer9 documentation | Index Home |
ReadFile PML Operation
IoFlags ("I/O Flags" in Procmon) and Priority are bit flags fields. Size ("Length" in Procmon except on ResultCode SUCCESS, when BytesRead is "Length" in Procmon) is a 32-bit integer indicating the maximum number of bytes to read. Offset is a 64-bit integer. Address (not displayed in Procmon) is a memory address observed in the data that might reflect something about the way the API was called, and it is displayed in hex.
BytesRead ("Length" in Procmon only on ResultCode SUCCESS, as mentioned above) is a 32-bit integer in evresults.
Example from 64-bit PML
Hover over field values like Time, ResultCode, IoFlags, Priority, and bytes of evdata and evresults in this example to see tooltips as they appear in viewer9. The tooltip of the first byte of a color patch tells the field name.
ReadFile opcode=3,23
ev=176 advop=IRP_MJ_READ fileread=32768 B
| Time: | 2022-05-17 19:41:45.6025184 |
| Duration: | 0.0023934 |
| ResultCode: | SUCCESS |
| Tid: | 912 |
| Path: | C:\Windows\Fonts\micross.ttf |
| IoFlags: | Non-cached, Paging I/O, Synchronous Paging I/O |
| Priority: | Normal |
| Size: | 32768 |
| Offset: | 245760 |
| Address: | 0xffff8b8b35ae6340 |
| BytesRead: | 32768 |
evdata[0-97] file offset 31986
| 0 | 00 10 00 00 00 00 00 00 | ........ |
| 8 | 43 00 06 00 01 00 00 00 | C....... |
| 16 | 00 80 00 00 00 00 00 00 | ........ |
| 24 | 00 00 00 00 00 00 00 00 | ........ |
| 32 | 00 c0 03 00 00 00 00 00 | ........ |
| 40 | 00 00 00 00 00 00 00 00 | ........ |
| 48 | 40 63 ae 35 8b 8b ff ff | @c.5.... |
| 56 | 00 00 00 00 00 00 00 00 | ........ |
| 64 | 1c 80 70 00 43 3a 5c 57 | ..p.C:\W |
| 72 | 69 6e 64 6f 77 73 5c 46 | indows\F |
| 80 | 6f 6e 74 73 5c 6d 69 63 | onts\mic |
| 88 | 72 6f 73 73 2e 74 74 66 | ross.ttf |
| 96 | 79 92 | y. |
evresults[0-7] file offset 32086
| 0 | 00 80 00 00 00 00 00 00 | ........ |
Call Stack stacksize=20
| StackAddress | mod | ModName | ModPath |
|---|---|---|---|
| 0xfffff80434e8608c | 172 | FLTMGR.SYS + 0x608c | C:\WINDOWS\System32\drivers\FLTMGR.SYS |
| 0xfffff80434e85b37 | 172 | FLTMGR.SYS + 0x5b37 | C:\WINDOWS\System32\drivers\FLTMGR.SYS |
| 0xfffff80434e84b46 | 172 | FLTMGR.SYS + 0x4b46 | C:\WINDOWS\System32\drivers\FLTMGR.SYS |
| 0xfffff80434e848bb | 172 | FLTMGR.SYS + 0x48bb | C:\WINDOWS\System32\drivers\FLTMGR.SYS |
| 0xfffff80437c52f55 | 174 | ntoskrnl.exe + 0x252f55 | C:\WINDOWS\system32\ntoskrnl.exe |
| 0xfffff80437c80d77 | 174 | ntoskrnl.exe + 0x280d77 | C:\WINDOWS\system32\ntoskrnl.exe |
| 0xfffff80437cb6f0a | 174 | ntoskrnl.exe + 0x2b6f0a | C:\WINDOWS\system32\ntoskrnl.exe |
| 0xfffff80437cb4a0d | 174 | ntoskrnl.exe + 0x2b4a0d | C:\WINDOWS\system32\ntoskrnl.exe |
| 0xfffff80437c0c9c8 | 174 | ntoskrnl.exe + 0x20c9c8 | C:\WINDOWS\system32\ntoskrnl.exe |
| 0xfffff80437e03f5e | 174 | ntoskrnl.exe + 0x403f5e | C:\WINDOWS\system32\ntoskrnl.exe |
| 0x7ff72b7d9cbb | 493 | fontdrvhost.exe + 0x9cbb | C:\WINDOWS\system32\fontdrvhost.exe |
| 0x7ff72b7d926d | 493 | fontdrvhost.exe + 0x926d | C:\WINDOWS\system32\fontdrvhost.exe |
| 0x7ff72b7d7c48 | 493 | fontdrvhost.exe + 0x7c48 | C:\WINDOWS\system32\fontdrvhost.exe |
| 0x7ff72b7d5e8a | 493 | fontdrvhost.exe + 0x5e8a | C:\WINDOWS\system32\fontdrvhost.exe |
| 0x7ff72b7d5c1f | 493 | fontdrvhost.exe + 0x5c1f | C:\WINDOWS\system32\fontdrvhost.exe |
| 0x7ff72b7d59ed | 493 | fontdrvhost.exe + 0x59ed | C:\WINDOWS\system32\fontdrvhost.exe |
| 0x7ff72b7e36bb | 493 | fontdrvhost.exe + 0x136bb | C:\WINDOWS\system32\fontdrvhost.exe |
| 0x7ff72b7fd29b | 493 | fontdrvhost.exe + 0x2d29b | C:\WINDOWS\system32\fontdrvhost.exe |
| 0x7ffc91c17034 | 70 | KERNEL32.DLL + 0x17034 | C:\WINDOWS\System32\KERNEL32.DLL |
| 0x7ffc927a2651 | 77 | ntdll.dll + 0x52651 | C:\WINDOWS\SYSTEM32\ntdll.dll |
Advanced names
ReadFile events can also be queried with advop which varies based on evdata[12] (see PML Binary Data and Results Offsets):
- FASTIO_READ evdata[12]=0x02
- IRP_MJ_READ evdata[12]=0x01
See also
Posted 4 Jul 2022 last updated 15 Nov 2022 As viewer9 is just starting out, discussion is invited via email. Please send questions and comments to forum@viewer9.com directly. Threads that might be valuable to other users will be posted as part of the documentation. Posted messages will not include your address or your full name, and might be shortened for brevity.
Copyright 2022, bryantlite, Inc.