Home > Developer > Windows

File deleted three paths under Windows (lightweight)

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more > 

the three methods of general deletion of files are more familiar. #defineFile_delete_on_close 0x00001000@1Nt/zwcreatefile nt/Zwopenfile fill openpacket structure, Mark File_delete_on_close (WRK) @2nt/Zwdeletefile fill openpacket structure, Mark File_delete_on_close (WRK) @3Nt/zwsetinformationfile using Filedispositioninformation (enum0d== -) IoCallDriver (DeviceObject, IRP); XP WIN7 cmd in del command complete stack backtracking del C #41: kd>KVN # ChildEBP RetAddr Args to ChildxxB1dd2cb0 804E23C98210202081fde1e8 81fde1f8 ntfs!ntfsfsdsetinformation (FPO: [non-Fpo]) onB1DD2CC0 805dc2c1 b1dd2d64 0013efd0 805804ed nt! iopfcalldriver+0x31(FPO: [0,0,0]) GenevaB1dd2d48 804de98f000000900013f010 0013f033 nt! Ntsetinformationfile+0x533(FPO: [non-Fpo])GenevaB1dd2d48 7c92e514000000900013f010 0013f033 nt! kifastcallentry+0XFC(FPO: [0,0] Trapframe @ b1dd2d64)Geneva0013efb0 7c92dc6a 7c832054000000900013f010 ntdll! Kifastsystemcallret (FPO: [0,0,0]) to0013EFB4 7c832054000000900013f010 0013f033 ntdll! Ntsetinformationfile+0xc(FPO: [5,0,0]) .0013f028 4ad17d07 0113f050 0015d990 001591c0 kernel32! deletefilew+0x23f(FPO: [non-Fpo]) -0013f46c 4AD08FC1 001591c0 0015d99000000000Cmd! Newerasefile+0x1b2(FPO: [non-Fpo]) ,0013f6d4 4ad09148 001591c000000000 00000006Cmd! expandandapplytofs+0x22a(FPO: [non-Fpo]) the0013f774 4ad0937c 001591c000000000 00000006Cmd! Walktree+0x40(FPO: [non-Fpo]) 0a 0013f9d0 4ad092df 0013f9e8 0015a0c8 0015913c cmd! delpatterns+0x6a(FPO: [non-Fpo]) 0b 0013fc60 4ad091a3 0015a060 0013fe9c 4ad05a92 cmd! delwork+0x13c(FPO: [non-Fpo]) 0c 0013fc6c 4ad05a92 0015a0c8000000000015a0c8 cmd!edelete+0x10(FPO: [non-Fpo]) 0d 0013fe9c 4ad013eb 0015a0c8 0015a0c800000002Cmd! findfixandrun+0x1f5(FPO: [non-Fpo]) 0e 0013fee0 4ad0f13800000000 00000001 00000000Cmd! dispatch+0x137(FPO: [non-Fpo]) 0f 0013ff44 4ad0515400000001 0003406800032bf8 cmd!main+0x216(FPO: [non-Fpo])Ten0013FFC0 7c8170778000000101b0ea68 7ffd3000 cmd!maincrtstartup+0x125(FPO: [non-Fpo]) One0013fff0000000004ad0504600000000 78746341kernel32! baseprocessstart+0x23(FPO: [non-Fpo])1: kd>DDS ESPB1DD2CB4 804e23c9 NT! iopfcalldriver+0x31B1dd2cb882102020PDEVICE_OBJETB1DD2CBC 81fde1e8 pirpntstatusntfsfsdsetinformation (in Pvolume_device_object VolumeDeviceObject, In Pirp IRP)1: kd> DT _device_object82102020-Rntdll!_device_object+0x000type:0n3+0x002Size:0x860+0x004Referencecount:0n0+0x008DriverObject:0x82237ca0_driver_object+0x01cDriverName: _unicode_string"\filesystem\ntfs"+0x000Length:0x20+0x002MaximumLength:0x20+0x004Buffer:0xe140e128  "\filesystem\ntfs"1: kd> DT _IRP 81fde1e8-Rntdll!_irp+0x000Type:0n6//#define Irp_mj_set_information 0x06+0x040Tail: __unnamed+0x000Overlay: __unnamed+0x000devicequeueentry: _kdevice_queue_entry+0x000Drivercontext: [4] (NULL)          +0x010Thread:0x81ca8518_ethread+0x014Auxiliarybuffer: (NULL)          +0x018ListEntry: _list_entry [0x0-0x0 ]         +0x020Currentstacklocation:0x81fde330_io_stack_location+0x020Packettype:0x81fde330+0x024Originalfileobject:0x81c63660_file_object1: kd> DT _file_object0x81c63660Ntdll!_file_object+0x026Readaccess:0 "'+0x027Writeaccess:0 "'+0x028Deleteaccess:0x1 "'+0x029Sharedread:0x1 "'+0x02aSharedwrite:0x1 "'+0x02bShareddelete:0x1 "'+0x02cFlags:0x40040+0x030FileName: _unicode_string"\4"Win8.0Win8.1(9200 9600) is using the Zwopenfile file_delete_on_close flag

File deleted three paths under Windows (lightweight)

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
lightweight php server windows lightweight webserver windows lightweight web server windows windows lightweight http server lightweight code editor windows best lightweight antivirus windows 10 lightweight antivirus for windows xp

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More