I have a procmon trace of a build of an application (which uses several different processes) that at some point fails to write a file because it is being used by another process. The first thing I see is the file being deleted at the start of the build:
3:49:32.9928378 PM foo.exe 11460 QueryOpen SUCCESS CreationTime: 8/26/2016 12:49:00 PM, LastAccessTime: 8/26/2016 12:49:00 PM, LastWriteTime: 8/26/2016 12:49:05 PM, ChangeTime: 8/26/2016 12:49:06 PM, AllocationSize: 57,344, EndOfFile: 56,624, FileAttributes: N
3:49:32.9929337 PM foo.exe 11460 CreateFile SUCCESS Desired Access: Read Attributes, Delete, Disposition: Open, Options: Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
3:49:32.9929791 PM foo.exe 11460 QuerySecurityFile SUCCESS Information: 0x20
3:49:32.9930238 PM foo.exe 11460 QueryAttributeTagFile SUCCESS Attributes: N, ReparseTag: 0x0
3:49:32.9930526 PM foo.exe 11460 SetDispositionInformationFile SUCCESS Delete: True
3:49:32.9930955 PM foo.exe 11460 CloseFile SUCCESS
3:49:32.9940971 PM foo.exe 11460 CloseFile SUCCESS
3:49:32.9942480 PM foo.exe 11460 CreateFile SUCCESS Desired Access: Write Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
3:49:32.9943085 PM foo.exe 11460 QuerySecurityFile SUCCESS Information: 0x20
3:49:32.9944066 PM foo.exe 11460 SetBasicInformationFile SUCCESS CreationTime: 0, LastAccessTime: 0, LastWriteTime: 0, ChangeTime: 0, FileAttributes: N
3:49:32.9944770 PM foo.exe 11460 CloseFile SUCCESS
3:49:32.9946268 PM foo.exe 11460 QueryOpen SUCCESS CreationTime: 8/26/2016 3:49:27 PM, LastAccessTime: 8/26/2016 3:49:27 PM, LastWriteTime: 8/26/2016 3:49:32 PM, ChangeTime: 8/26/2016 3:49:33 PM, AllocationSize: 57,344, EndOfFile: 56,624, FileAttributes: N
3:49:32.9947224 PM foo.exe 11460 CreateFile SUCCESS Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened
3:49:32.9947681 PM foo.exe 11460 QuerySecurityFile SUCCESS Information: 0x20
3:49:32.9948253 PM foo.exe 11460 QueryInformationVolume BUFFER OVERFLOW VolumeCreationTime: 4/19/2016 10:43:10 PM, VolumeSerialNumber: 4299-1E8C, SupportsObjects: True, VolumeLabel: Dat堜
3:49:32.9948475 PM foo.exe 11460 QueryAllInformationFile BUFFER OVERFLOW CreationTime: 8/26/2016 3:49:27 PM, LastAccessTime: 8/26/2016 3:49:27 PM, LastWriteTime: 8/26/2016 3:49:32 PM, ChangeTime: 8/26/2016 3:49:33 PM, FileAttributes: N, AllocationSize: 57,344, EndOfFile: 56,624, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0xe00000021d3d3, EaSize: 0, Access: Read Attributes, Synchronize, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Word
3:49:32.9948678 PM foo.exe 11460 CloseFile SUCCESS
That appears to succeed. Next I notice two "CreateFileMapping" calls that return "File Locked With Only Readers". However, as far as I can tell there is nothing to worry about there, since CloseFile seems to be called in both cases. Interestingly, the QueryAllInformationFile called after the delete returns a creation time that is earlier than the deletion. Does this mean the file was not properly deleted?
3:49:41.3811537 PM bar.exe 11724 CreateFile SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened
3:49:41.3812155 PM bar.exe 11724 QuerySecurityFile SUCCESS Information: 0x20
3:49:41.3827524 PM bar.exe 11724 QueryNameInformationFile SUCCESS Name: \a\path\to\a\file\thedllinquestion.dll
3:49:41.3827711 PM bar.exe 11724 QueryNameInformationFile SUCCESS Name: \a\path\to\a\file\thedllinquestion.dll
3:49:41.3828506 PM bar.exe 11724 QueryNormalizedNameInformationFile SUCCESS
3:49:41.3829159 PM bar.exe 11724 QueryInformationVolume BUFFER OVERFLOW VolumeCreationTime: 4/19/2016 10:43:10 PM, VolumeSerialNumber: 4299-1E8C, SupportsObjects: True, VolumeLabel: Dat妕
3:49:41.3829281 PM bar.exe 11724 QueryAllInformationFile BUFFER OVERFLOW CreationTime: 8/26/2016 3:49:27 PM, LastAccessTime: 8/26/2016 3:49:27 PM, LastWriteTime: 8/26/2016 3:49:32 PM, ChangeTime: 8/26/2016 3:49:33 PM, FileAttributes: N, AllocationSize: 57,344, EndOfFile: 56,624, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0xe00000021d3d3, EaSize: 0, Access: Generic Read, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Word
3:49:41.3829444 PM bar.exe 11724 CreateFileMapping FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection:
3:49:41.3829538 PM bar.exe 11724 QueryStandardInformationFile SUCCESS AllocationSize: 57,344, EndOfFile: 56,624, NumberOfLinks: 1, DeletePending: False, Directory: False
3:49:41.3830038 PM bar.exe 11724 CreateFileMapping SUCCESS SyncType: SyncTypeOther
3:49:41.4143299 PM bar.exe 11724 CloseFile SUCCESS
Finally, the sharing violation itself is as follows. Interestingly, the same process opens the file for read, without closing it, before the read/write open. In theory, should you be able to do that?
3:49:41.8544568 PM foo.exe 11460 CreateFile SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened
3:49:41.8545112 PM foo.exe 11460 QuerySecurityFile SUCCESS Information: 0x20
3:49:41.8545970 PM foo.exe 11460 QueryStandardInformationFile SUCCESS AllocationSize: 57,344, EndOfFile: 56,624, NumberOfLinks: 1, DeletePending: False, Directory: False
3:49:41.8546087 PM foo.exe 11460 QueryBasicInformationFile SUCCESS CreationTime: 8/26/2016 3:49:27 PM, LastAccessTime: 8/26/2016 3:49:27 PM, LastWriteTime: 8/26/2016 3:49:32 PM, ChangeTime: 8/26/2016 3:49:33 PM, FileAttributes: N
3:49:41.8546441 PM foo.exe 11460 QueryStreamInformationFile SUCCESS 0: ::$DATA
3:49:41.8546914 PM foo.exe 11460 QueryBasicInformationFile SUCCESS CreationTime: 8/26/2016 3:49:27 PM, LastAccessTime: 8/26/2016 3:49:27 PM, LastWriteTime: 8/26/2016 3:49:32 PM, ChangeTime: 8/26/2016 3:49:33 PM, FileAttributes: N
3:49:41.8547366 PM foo.exe 11460 QueryEaInformationFile SUCCESS EaSize: 0
3:49:41.8550146 PM foo.exe 11460 CreateFile SHARING VIOLATION Desired Access: Generic Read/Write, Delete, Write DAC, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 56,624
3:49:41.8552552 PM foo.exe 11460 CreateFile SHARING VIOLATION Desired Access: Generic Write, Read Data/List Directory, Read Attributes, Delete, Write DAC, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 56,624
3:49:41.8554742 PM foo.exe 11460 CreateFile SHARING VIOLATION Desired Access: Generic Write, Read Attributes, Delete, Write DAC, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 56,624
3:49:41.8556783 PM foo.exe 11460 CreateFile SHARING VIOLATION Desired Access: Generic Write, Read Data/List Directory, Read Attributes, Delete, Write DAC, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 56,624
3:49:41.8558759 PM foo.exe 11460 CreateFile SHARING VIOLATION Desired Access: Generic Write, Read Data/List Directory, Read Attributes, Delete, Write DAC, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 56,624
3:49:41.8560577 PM foo.exe 11460 CreateFile SHARING VIOLATION Desired Access: Generic Write, Read Attributes, Delete, Write DAC, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 56,624
3:49:41.8562656 PM foo.exe 11460 CreateFile SHARING VIOLATION Desired Access: Generic Write, Read Data/List Directory, Read Attributes, Write DAC, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 56,624
3:49:41.8564750 PM foo.exe 11460 CreateFile SHARING VIOLATION Desired Access: Generic Write, Read Data/List Directory, Read Attributes, Write DAC, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 56,624
3:49:41.8566442 PM foo.exe 11460 CreateFile SHARING VIOLATION Desired Access: Generic Write, Read Attributes, Write DAC, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 56,624
I can't see anywhere that the file is opened and not closed afterwards; it should have been deleted to begin with, and I verified before the build started that there were no handles to the file (using the "handle" tool).
Any pointers you can give would be helpful, thanks.
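The question of whether a process may hold a read handle open and then open the same file for writing comes down to the Windows share-access check that the kernel runs on every CreateFile. The following is an added example, not code from the question or from any Microsoft source: a small Python model of that check (the rules IoCheckShareAccess applies, as documented, reduced to three rights: read, write and delete), fed with CreateFile detail strings in procmon's own format. The rights tables and the `replay` harness are my assumptions about how to model the trace; the three detail strings are copied from the 3:49:41.85 opens by foo.exe above, with timestamps stripped.

```python
import re

# Rights that participate in the share check. Attribute-only rights
# (Read/Write Attributes, Write DAC, Synchronize) are deliberately absent:
# an open that asks for none of these is not share-checked at all, which is
# why the Write Attributes / Read Attributes opens earlier in the trace
# succeed regardless of what else is open.
_ACCESS_MAP = {
    "Generic Read": {"read"},
    "Generic Write": {"write"},
    "Generic Read/Write": {"read", "write"},
    "Generic Execute": {"read"},           # FILE_EXECUTE is checked as a read
    "Read Data/List Directory": {"read"},
    "Write Data/Add File": {"write"},
    "Append Data/Add Subdirectory": {"write"},
    "Execute/Traverse": {"read"},
    "Delete": {"delete"},
}
_SHARE_MAP = {"Read": "read", "Write": "write", "Delete": "delete"}


def parse_createfile(detail):
    """Extract (desired rights, shared rights) from a procmon CreateFile detail string."""
    acc = re.search(r"Desired Access: (.*?), Disposition:", detail)
    sh = re.search(r"ShareMode: (.*?), AllocationSize:", detail)
    if not (acc and sh):
        raise ValueError("not a procmon CreateFile detail string")
    desired = set()
    for item in acc.group(1).split(", "):
        desired |= _ACCESS_MAP.get(item, set())
    # "ShareMode: None" yields an empty share set.
    share = {_SHARE_MAP[s] for s in sh.group(1).split(", ") if s in _SHARE_MAP}
    return desired, share


def check_share_access(desired, share, open_handles):
    """Return None if the open is allowed, else a string naming the conflict.

    open_handles is a list of (desired, share) pairs for handles still open.
    Both directions are checked, as the kernel does: every existing handle's
    share mode must permit the new open's access, and the new open's share
    mode must permit every existing handle's access.
    """
    if not desired:
        return None                      # attribute-only open: no share check
    for ex_desired, ex_share in open_handles:
        if not ex_desired:
            continue                     # attribute-only handles hold no share state
        for right in sorted(desired):
            if right not in ex_share:
                return f"new open wants {right}, existing handle does not share it"
        for right in sorted(ex_desired):
            if right not in share:
                return f"existing handle holds {right}, new open does not share it"
    return None


def replay(events):
    """Replay ('open', detail) / ('close',) events against one file.

    Returns one status per 'open' event: 'SUCCESS' or 'SHARING VIOLATION'.
    A successful open stays in the handle table until a 'close' event pops it.
    """
    handles, results = [], []
    for ev in events:
        if ev[0] == "close":
            handles.pop()
            continue
        desired, share = parse_createfile(ev[1])
        if check_share_access(desired, share, handles) is None:
            handles.append((desired, share))
            results.append("SUCCESS")
        else:
            results.append("SHARING VIOLATION")
    return results


# Detail strings copied from the trace in the question (timestamps stripped).
READ_OPEN = ("Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, "
             "Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, "
             "ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened")
RW_OPEN_NOSHARE = ("Desired Access: Generic Read/Write, Delete, Write DAC, Disposition: OverwriteIf, "
                   "Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, "
                   "Attributes: N, ShareMode: None, AllocationSize: 56,624")
W_OPEN_SHARE_RW = ("Desired Access: Generic Write, Read Attributes, Write DAC, Disposition: OverwriteIf, "
                   "Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, "
                   "Attributes: N, ShareMode: Read, Write, AllocationSize: 56,624")

if __name__ == "__main__":
    # As traced: the read handle is still open when the write opens are attempted.
    print(replay([("open", READ_OPEN), ("open", RW_OPEN_NOSHARE), ("open", W_OPEN_SHARE_RW)]))
    # Had the read handle been closed first, the write open would succeed.
    print(replay([("open", READ_OPEN), ("close",), ("open", RW_OPEN_NOSHARE)]))
```

Running the model over the trace reproduces both outcomes: the read open at 3:49:41.8544568 shares only Read and Delete, so every later open that asks for write access (with any share mode) is refused until that handle is closed, and the later retries with ShareMode: Read, Write fail for the same reason. The model also shows why the earlier attribute-only opens (Write Attributes, Read Attributes) are never affected. So the behaviour in the trace is exactly what the share-access rules predict, and the question to answer is which code path in foo.exe leaves the read handle open.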