第0部分: 源码 — LfsUpdateLfcbFromRestart 中调用 LfsFindOldestClientLsn 的位置
//
// Find the oldest client Lsn. Use the last flushed Lsn as a starting point.
//
// LfsFindOldestClientLsn is handed a pointer to Lfcb->OldestLsn, so it can
// overwrite the seed value in place (the `*OldestLsn = ...` assignment shown
// later on this page does exactly that).
//
// The second argument is the client array: RestartArea plus
// ClientArrayOffset. In the trace on this page that is
// 0xc1140030 + 0x40 = 0xc1140070.
//
// NOTE(review): the call stack on this page shows this code running during
// volume mount (NtfsMountVolume -> ... -> LfsUpdateLfcbFromRestart). If
// ClientArrayOffset and the client list indices originate from the on-disk
// restart area, they need to be range-checked against RestartAreaLength
// (0xe0 in this trace) before this pointer arithmetic. That check is not
// visible in this excerpt -- confirm where it happens.
//
Lfcb->OldestLsn = Lfcb->LastFlushedLsn;
LfsFindOldestClientLsn( RestartArea,
Add2Ptr( RestartArea, Lfcb->ClientArrayOffset, PLFS_CLIENT_RECORD ),
&Lfcb->OldestLsn );
第一部分: 单步进入 LfsFindOldestClientLsn，查看调用栈（卷挂载路径）和局部变量
1: kd> p
Ntfs!LfsUpdateLfcbFromRestart+0x2df:
f71fb0e1 e8f26af8ff call Ntfs!LfsFindOldestClientLsn (f7181bd8)
1: kd> t
Ntfs!LfsFindOldestClientLsn:
f7181bd8 55 push ebp
1: kd> kc
#
00 Ntfs!LfsFindOldestClientLsn
01 Ntfs!LfsUpdateLfcbFromRestart
02 Ntfs!LfsRestartLogFile
03 Ntfs!LfsOpenLogFile
04 Ntfs!NtfsStartLogFile
05 Ntfs!NtfsMountVolume
06 Ntfs!NtfsCommonFileSystemControl
07 Ntfs!NtfsFspDispatch
08 nt!ExpWorkerThread
09 nt!PspSystemThreadStartup
0a nt!KiThreadStartup
1: kd> dv
RestartArea = 0xc1140030
ClientArray = 0xc1140070
OldestLsn = 0xe13640c0 {135361636}
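第二部分: RestartArea (0xc1140030) 的内容 — LogClients = 1，ClientInUseList = 0，ClientArrayOffset = 0x40，因此 ClientArray = 0xc1140030 + 0x40 = 0xc1140070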
1: kd> dx -r1 ((Ntfs!_LFS_RESTART_AREA *)0xc1140030)
((Ntfs!_LFS_RESTART_AREA *)0xc1140030) : 0xc1140030 [Type: _LFS_RESTART_AREA *]
[+0x000] CurrentLsn : {135361636} [Type: _LARGE_INTEGER]
[+0x008] LogClients : 0x1 [Type: unsigned short]
[+0x00a] ClientFreeList : 0xffff [Type: unsigned short]
[+0x00c] ClientInUseList : 0x0 [Type: unsigned short]
[+0x00e] Flags : 0x0 [Type: unsigned short]
[+0x010] SeqNumberBits : 0x28 [Type: unsigned long]
[+0x014] RestartAreaLength : 0xe0 [Type: unsigned short]
[+0x016] ClientArrayOffset : 0x40 [Type: unsigned short]
[+0x018] FileSize : 67108864 [Type: __int64]
[+0x020] LastLsnDataLength : 0x68 [Type: unsigned long]
[+0x024] RecordHeaderLength : 0x30 [Type: unsigned short]
[+0x026] LogPageDataOffset : 0x40 [Type: unsigned short]
[+0x028] RestartOpenLogCount : 0x85e1225b [Type: unsigned long]
[+0x02c] LastFailedFlushStatus : 0x0 [Type: unsigned long]
[+0x030] LastFailedFlushOffset : 0 [Type: __int64]
[+0x038] LastFailedFlushLsn : {0} [Type: _LARGE_INTEGER]
[+0x040] LogClientArray [Type: _LFS_CLIENT_RECORD [1]]
#define LFS_NO_CLIENT 0xffff
//
// While there are more clients, compare their oldest Lsn with the
// current oldest.
//
while (NextClient != LFS_NO_CLIENT) {
ClientBlock = ClientArray + NextClient; // = 0xc1140070 in this trace (eax is 0 before ClientArray is added)
1: kd> p
Ntfs!LfsFindOldestClientLsn+0x53:
f7181c2b 03450c add eax,dword ptr [ebp+0Ch]
1: kd> r
eax=00000000 ebx=e13640c0 ecx=000003b8 edx=00000c48 esi=e13640c0 edi=c1140030
eip=f7181c2b esp=f78d290c ebp=f78d2914 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00000246
Ntfs!LfsFindOldestClientLsn+0x53:
f7181c2b 03450c add eax,dword ptr [ebp+0Ch] ss:0010:f78d2920=c1140070
1: kd> dv
RestartArea = 0xc1140030
ClientArray = 0xc1140070
OldestLsn = 0xe13640c0 {135361636}
1: kd> ?0n135361636
Evaluate expression: 135361636 = 08117464
1: kd> dd f78d2914+0Ch
f78d2920 c1140070
第三部分: 客户端记录 (0xc1140070) 的 OldestLsn
1: kd> dx -r1 ((Ntfs!_LFS_CLIENT_RECORD *)0xc1140070)
((Ntfs!_LFS_CLIENT_RECORD *)0xc1140070) : 0xc1140070 [Type: _LFS_CLIENT_RECORD *]
[+0x000] OldestLsn : {135349873} [Type: _LARGE_INTEGER]
第四部分: 比较并更新 OldestLsn — mov dword ptr [esi],ecx 执行前 e13640c0 处为 08117464，执行后变为 08114671
1: kd> ?0n135349873
Evaluate expression: 135349873 = 08114671
// Keep the smaller of the two LSNs. A client record whose OldestLsn is zero
// is skipped and never lowers the running minimum.
if (( ClientBlock->OldestLsn.QuadPart != 0 )
&& ( ClientBlock->OldestLsn.QuadPart < OldestLsn->QuadPart )) { // condition holds in this trace: 0x08114671 (135349873) is non-zero and < 0x08117464 (135361636)
// Overwrites the caller's value through the pointer; in this trace the
// target is 0xe13640c0.
*OldestLsn = ClientBlock->OldestLsn;
}
1: kd> p
Ntfs!LfsFindOldestClientLsn+0x6e:
f7181c46 890e mov dword ptr [esi],ecx
1: kd> r
eax=c1140070 ebx=e13640c0 ecx=08114671 edx=08114671 esi=e13640c0 edi=08114671
1: kd> dd e13640c0
e13640c0 08117464 00000000 00000000 00000000
1: kd> dv
RestartArea = 0xc1140030
ClientArray = 0xc1140070
OldestLsn = 0xe13640c0 {135349873} 0x08114671
1: kd> dd e13640c0
e13640c0 08114671 00000000 00000000 00000000
e13640d0 08117464 00000000 00000000 00000000