Is there a way to directly query the file system device driver for listing out the files in a directory?

5

7

I'm currently using the FindFirstFile/FindNextFile API to recursively iterate through directories, searching for files based on given criteria. I noticed that the "dir /s" command gives better performance than my program. I tried checking out the events in Process Monitor and it looks like the cmd.exe/dir command is directly querying the disk device driver. Is there any way I can achieve something similar with DeviceIOControl()? I'm very new to device drivers though not new to programming. Attaching procmon output for reference:


Regards,

Imperturbable answered 30/8, 2010 at 19:17 Comment(3)
There is some caching going on in DIR /S - Kirsch
It's probably true (were you able to deduce it based on the screenshot attached?) because I searched for the same "*.mp3" a couple of times. But it was fast even the first time. Also, just to be sure, I tried several random searches of files I haven't accessed for a while. It seems to be fast regardless. - Imperturbable
Also, is there any hidden API called QueryDirectory() that is not exposed through standard libraries? I know ReadFile() is standard but wasn't able to find QueryDirectory() anywhere. - Imperturbable
2

You can call ZwQueryDirectoryFile directly. Going further down to the driver level would require sending a bunch of IRPs and would probably be an overkill.

Thrasonical answered 30/8, 2010 at 20:12 Comment(4)
It's NtQueryDirectoryFile in User-Mode, and you really shouldn't use these low-level-nt-api functions ... - Panne
:)) That's the same (under different names). From MSDN: NtQueryDirectoryFile and ZwQueryDirectoryFile are two versions of the same Windows Native System Services routine. For more information about this routine, see ZwQueryDirectoryFile. So it makes sense to start reading docs from the link I provided. One click less, you know ... - Ats
Mayevski 'EldoS: Is it possible to call Kernel mode API from user mode programs? I mean, aren't the ones starting with Zwxxx supposed to be used only by drivers? (I'm very new to driver programming.) - Imperturbable
As Christopher correctly mentioned, you would need to use another name of the same function, namely NtQueryDirectoryFile. But this is the same function. - Ats
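Added example, not part of the thread and not Microsoft's code: NtQueryDirectoryFile fills the caller's buffer with many variable-length entries per call, chained by NextEntryOffset, and the sketch below walks such a buffer with every offset and length bounds-checked. It assumes the FileDirectoryInformation layout; the names `dir_entry_hdr`, `walk_dir_buffer`, `count_mp3` and `put_entry` are hypothetical, and the sample entries are constructed rather than captured.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed 64-byte header of FILE_DIRECTORY_INFORMATION, in fixed-width types.
   The UTF-16LE FileName (no NUL terminator) follows it directly. */
typedef struct {
    uint32_t NextEntryOffset, FileIndex;  /* offset: bytes to next entry, 0 = last */
    int64_t  CreationTime, LastAccessTime, LastWriteTime, ChangeTime;
    int64_t  EndOfFile, AllocationSize;
    uint32_t FileAttributes, FileNameLength;  /* length in bytes, not characters */
} dir_entry_hdr;
typedef void (*entry_cb)(const dir_entry_hdr *h, const uint8_t *name, void *ctx);

/* Walk `len` valid bytes. Returns the entry count, or -1 as soon as a length
   or offset would leave the buffer or fail to move forward. */
int walk_dir_buffer(const uint8_t *buf, size_t len, entry_cb cb, void *ctx) {
    size_t off = 0;                                 /* invariant: off <= len */
    for (int count = 1; ; count++) {
        dir_entry_hdr h;
        if (len - off < sizeof h) return -1;
        memcpy(&h, buf + off, sizeof h);            /* no unaligned access */
        if (h.FileNameLength % 2 || h.FileNameLength > len - off - sizeof h)
            return -1;
        if (cb) cb(&h, buf + off + sizeof h, ctx);
        if (h.NextEntryOffset == 0) return count;
        if (h.NextEntryOffset < sizeof h + h.FileNameLength ||
            h.NextEntryOffset > len - off) return -1;
        off += h.NextEntryOffset;
    }
}

/* Callback: count names ending in ".mp3" (case-sensitive byte compare). */
void count_mp3(const dir_entry_hdr *h, const uint8_t *name, void *ctx) {
    static const uint8_t ext[8] = {'.', 0, 'm', 0, 'p', 0, '3', 0};
    if (h->FileNameLength >= 8 && !memcmp(name + h->FileNameLength - 8, ext, 8))
        ++*(int *)ctx;
}

/* Constructed sample data (not kernel output): write one entry at buf + off.
   buf must be zero-filled so the high byte of each UTF-16 unit stays 0. */
void put_entry(uint8_t *buf, size_t off, const char *ascii, uint32_t next) {
    dir_entry_hdr h = { .NextEntryOffset = next,
                        .FileNameLength = (uint32_t)(2 * strlen(ascii)) };
    memcpy(buf + off, &h, sizeof h);
    for (size_t i = 0; ascii[i]; i++)               /* ASCII -> UTF-16LE */
        buf[off + sizeof h + 2 * i] = (uint8_t)ascii[i];
}
```

On Windows the `len` argument would be the byte count reported in the call's IO_STATUS_BLOCK, not the size of the allocation.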
3

Use FindFirstFile and FindNextFile. That's the API; using DeviceIOControl directly is either a mess or not possible (don't know exactly).

Have you tried FindFirstFileEx and its FIND_FIRST_EX_LARGE_FETCH flag and FindExInfoBasic info level?

List answered 30/8, 2010 at 20:11 Comment(1)
I did try them. But not much of a noticeable improvement :( - Imperturbable
2

"dir /s" is using FindFirst/Next. It doesn't do any special magic to enumerate the files.

QueryDirectory appears to be how Procmon exposes what FindFirst/Next does to get its data from the file system.

Micco answered 30/8, 2010 at 20:21 Comment(0)
1

http://ntfs-search.sourceforge.net/

It works well. And faster.
It opens a volume, and parses directly.

But it only works on NTFS.

Bedfellow answered 30/8, 2010 at 23:9 Comment(0)
0

Profile your app; your bottleneck is likely to be elsewhere. Some of these options are like taking out a shotgun to shoot a fly...

-scott

Insufferable answered 2/9, 2010 at 15:41 Comment(0)
