Hi guys...
Our team use Procmon a lot for troubleshooting issues.. I always get confused on different IRP messages that I see in the traces. The effort here is to map the common IRP messages and what it exactly means in a normal sense..
It will take an edit or two to take this document to an acceptable level.. so keep watching.. :-)
To Start with.. I have captured couple of points from here from MSDN
IRP_MJ_CREATE
The I/O Manager sends the IRP_MJ_CREATE request when a new file or directory is being created, or when an existing file, device, directory, or volume is being opened. Normally this IRP is sent on behalf of a user-mode application that has called a Microsoft Win32 function such as CreateFile or on behalf of a kernel-mode component that has called IoCreateFile, IoCreateFileSpecifyDeviceObjectHint, ZwCreateFile, or ZwOpenFile. If the create request is completed successfully, the application or kernel-mode component receives a handle to the file object.
IRP_MJ_CLEANUP
Receipt of the IRP_MJ_CLEANUP request indicates that the handle reference count on a file object has reached zero. (In other words, all handles to the file object have been closed.) Often it is sent when a user-mode application has called the Microsoft Win32 CloseHandle function (or when a kernel-mode driver has called ZwClose) on the last outstanding handle to a file object.
It is important to note that when all handles to a file object have been closed, this does not necessarily mean that the file object is no longer being used. System components, such as the Cache Manager and the Memory Manager, might hold outstanding references to the file object. These components can still read to or write from a file, even after an IRP_MJ_CLEANUP request is received.
IRP_MJ_CLOSE
Receipt of the IRP_MJ_CLOSE request indicates that the reference count on a file object has reached zero, usually because a file system driver or other kernel-mode component has called ObDereferenceObject on the file object. This request normally follows a cleanup request. However, this does not necessarily mean that the close request will be received immediately after the cleanup request.
The IRP_MJ_DIRECTORY_CONTROL request is sent by the I/O Manager and other operating system components, as well as other kernel-mode drivers. It can be sent, for example, when a user-mode application has called a Microsoft Win32 function such as ReadDirectoryChangesW or FindNextVolumeMountPoint or when a kernel-mode component has called ZwQueryDirectoryFile.
IRP_MJ_WRITE
The IRP_MJ_WRITE request is sent by the I/O Manager or by a file system driver. This request can be sent, for example, when a user-mode application has called a Microsoft Win32 function such as WriteFile or when a kernel-mode component has called ZwWriteFile.
IRP_MJ_READ
The IRP_MJ_READ request is sent by the I/O Manager or by a file system driver. This request can be sent, for example, when a user-mode application has called a Microsoft Win32 function such as ReadFile, or when a kernel-mode component has called ZwReadFile.
No comments:
Post a Comment