Process Hacker Discussion Forum

 
wfunction
Member
Posts: 147
Joined: 19 Mar 2011 20:17

How to call FSCTL_FILE_PREFETCH?

16 Jul 2012 08:08

Do you guys happen to know what the I/O parameters to FSCTL_FILE_PREFETCH are?

I can see this in WinIoCtl:
typedef struct _FILE_PREFETCH {
    DWORD Type;
    DWORD Count;
    DWORDLONG Prefetch[1];
} FILE_PREFETCH, *PFILE_PREFETCH;

typedef struct _FILE_PREFETCH_EX {
    DWORD Type;
    DWORD Count;
    PVOID Context;
    DWORDLONG Prefetch[1];
} FILE_PREFETCH_EX, *PFILE_PREFETCH_EX;

#define FILE_PREFETCH_TYPE_FOR_CREATE       0x1
#define FILE_PREFETCH_TYPE_FOR_DIRENUM      0x2
#define FILE_PREFETCH_TYPE_FOR_CREATE_EX    0x3
#define FILE_PREFETCH_TYPE_FOR_DIRENUM_EX   0x4

so I'm guessing the input buffer to NtFsControlFile is something that includes FILE_PREFETCH, but what is it, exactly? And what's the output? What is the Prefetch[] array an array of? (Offsets? Lengths?) How do you use it? etc.
 
dmex
Admin
Posts: 1698
Joined: 17 Jan 2011 05:43

Re: How to call FSCTL_FILE_PREFETCH?

16 Jul 2012 08:38

wfunction wrote:
so I'm guessing the input buffer to NtFsControlFile is something that includes FILE_PREFETCH, but what is it, exactly? And what's the output? What is the Prefetch[] array an array of? (Offsets? Lengths?) How do you use it? etc.
This post mentions how to find out how it works: http://stackoverflow.com/questions/2135 ... ad-syscall
Just start an application in the debugger that already has a .pf file in the c:\Windows\Prefetch directory and break on DeviceIoControl (or if you're using a kernel debugger, break when the NTFS driver receives its first FSCTL_FILE_PREFETCH). Examine the buffer passed in and compare it with the .pf file and the range actually used later. I did this once out of curiosity but didn't record the details.
 
wfunction
Member
Posts: 147
Joined: 19 Mar 2011 20:17

Re: How to call FSCTL_FILE_PREFETCH?

16 Jul 2012 14:38

I've seen that post, but it's not helpful... it's not the app that calls FSCTL_FILE_PREFETCH normally, but the system. So you'd need a kernel debugger (which I have no idea how to use).
 
dmex
Admin
Posts: 1698
Joined: 17 Jan 2011 05:43

Re: How to call FSCTL_FILE_PREFETCH?

16 Jul 2012 16:57

wfunction wrote:
I've seen that post, but it's not helpful... it's not the app that calls FSCTL_FILE_PREFETCH normally, but the system. So you'd need a kernel debugger (which I have no idea how to use).
Not sure about usage but you do need to enable the SE_MANAGE_VOLUME_NAME privilege :thinking:
 
wj32
Founder
Posts: 948
Joined: 17 Jan 2011 05:19
OS: Windows

Re: How to call FSCTL_FILE_PREFETCH?

17 Jul 2012 07:56

My guess (from looking at various things) is that each ULONGLONG is an offset into the file. I'm also going to guess that it prefetches a page at a time, so don't bother giving it consecutive addresses.
 
wfunction
Member
Posts: 147
Joined: 19 Mar 2011 20:17

Re: How to call FSCTL_FILE_PREFETCH?

17 Jul 2012 14:44

Thanks for the info! I'll play around with it a bit.
 
bionicbeagle
New User
Posts: 1
Joined: 07 Mar 2014 18:22
OS: Windows 8.1 64bit

Re: How to call FSCTL_FILE_PREFETCH?

07 Mar 2014 18:25

I've been looking into this as well. By adjusting my process privileges I can call the function without getting Access Denied (which you get if you don't), but the test parameters I've tried (offset, length pairs) only yield error 0x57 (The parameter is incorrect).

Does anyone know what the parameter block should look like? I want to use this for some in-house tools where we know our I/O access pattern well, and I cannot require Windows 8 or I would use the PrefetchVirtualMemory() function instead of trying to figure out this undocumented/unsupported IOCTL.