Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Enabling "write watch" for a mapped region.

65 views
Skip to first unread message

gleaves@hotmail.com > <hugh<underbar>

unread,
Dec 30, 2009, 12:29:02 PM12/30/09
to

I've been exploring ways to enable write watch on a file mapping, so far with
no success.

Now this is looking like it is probably not possible, I tried

a) Calling VirtualAlloc before doing the mapping call, but this approach
fails.
b) Passing MEM_WRITE_WATCH into MapViewOfFile, again no success.
c) Calling NtMapViewOfSection (its second to last arg set to MEM_WRITE_WATCH).

and that too fails (status = invalid parameter '9' (0xC00000F7 ).

This could be a very useful feature if it were possible, but it looks like
it may not be, does anyone have a view or a way to do this?

Thax
Hugo


Don Burn

unread,
Dec 30, 2009, 12:42:48 PM12/30/09
to
It is not possible. I've been looking at how to track memory writes in
Windows for the last 15 years, bottom line is that is not supported for any
general case.


--
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

"Hugo gle...@hotmail.com>" <hugh<underbar> wrote in message
news:BD424BE9-457B-460B...@microsoft.com...

> __________ Information from ESET NOD32 Antivirus, version of virus
> signature database 4730 (20091230) __________
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
>
>
>

__________ Information from ESET NOD32 Antivirus, version of virus signature database 4730 (20091230) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com


gleaves@hotmail.com > <hugh<underbar>

unread,
Dec 30, 2009, 1:39:01 PM12/30/09
to
Hi Don

But surely it is possible (if the address space is allocated using
VirtualAlloc) because that particular call will accept the MEM_WRITE_WATCH
flag? I guess you are seeking something more general though as you said.

Don, as a very experienced and highly regarded authority in this area, is
there no hope of influencing MS in some way?

If you were to sit down with a couple of their gurus, how would you suggest
that this page fault/access/write trapping capability, be implemented without
causing undue hassle, what (in other words) would you like this capability to
"look like"?

Kernel mode only or generally available to user mode coders (like little old
me)?

Thanks
Hugh


"Don Burn" wrote:

> .
>

Don Burn

unread,
Dec 30, 2009, 3:03:26 PM12/30/09
to
Hugo,

I have sat down with their guru's and pointed out the value of this for
many things, the general feeling is that it is not worth it. At the time I
was suggesting a kernel only model (you can always build a user space model
on top of that).

The only good news is that hyper-v folks seem to be leaning this way,
at least according to some of their papers. Whether it is enough for ones
interest is hard to say.


--
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply

"Hugo gle...@hotmail.com>" <hugh<underbar> wrote in message

news:DC0B6E0A-8274-499E...@microsoft.com...

Alexander Grigoriev

unread,
Dec 30, 2009, 3:14:00 PM12/30/09
to
Does VirtualProtect work on file-mapped pages?

"Don Burn" <bu...@stopspam.windrvr.com> wrote in message
news:u0p%23qsYiK...@TK2MSFTNGP06.phx.gbl...

Don Burn

unread,
Dec 30, 2009, 3:40:36 PM12/30/09
to
MIcrosoft claims you can, but I don't know if MEM_WRITE_WATCH works, they
only clam the PAGE_XXX constants in the doc's. These do not work for data
mapped from a driver into a user process.


--
Don Burn (MVP, Windows DKD)
Windows Filesystem and Driver Consulting
Website: http://www.windrvr.com
Blog: http://msmvps.com/blogs/WinDrvr
Remove StopSpam to reply


"Alexander Grigoriev" <al...@earthlink.net> wrote in message
news:OpBCiyYi...@TK2MSFTNGP06.phx.gbl...

Alexander Grigoriev

unread,
Dec 30, 2009, 4:40:20 PM12/30/09
to
Write watch can be simulated by mapping the pages R/O, and catching the
write exception, then changing the protection to R/W.

"Don Burn" <bu...@stopspam.windrvr.com> wrote in message

news:ujvPcBZi...@TK2MSFTNGP06.phx.gbl...

gleaves@hotmail.com > <hugh<underbar>

unread,
Dec 31, 2009, 10:11:01 AM12/31/09
to

Yes this does work for mapped pages whether backed by a file or paging area.

Yes one can make the pages read-only and then trap the exception verify its
cause etc and enable read-write access, I have done this succefully too.

One could use that as a basis for write-watch but with the real write watch
there is no need for an exception handler. Also with write-watch the OS
tracks the pages that have been written to on its own, and this is the
metadata that is queried with GetWriteWatch (or whatever its called).

I guess this must be tracked per-process and could thus be stored in the
process/user heap until queried by some API.

H

"Alexander Grigoriev" wrote:

> .
>

0 new messages