Struct unpack on win32file.DeviceIoControlPython struct.pack() behaviorWhat's the difference between struct and class in .NET?When should you use a class vs a struct in C++?Why isn't sizeof for a struct equal to the sum of sizeof of each member?Why are mutable structs “evil”?When to use struct?Difference between 'struct' and 'typedef struct' in C++?typedef struct vs struct definitionsWhy Choose Struct Over Class?A simple case of struct, but getting a “bad char” errorstruct unpack (Type Error: a byte like object is required, not 'str"), Unpack a List?

Pressure inside an infinite ocean?

Understanding trademark infringements in a world where many dictionary words are trademarks?

Would Hubble Space Telescope improve black hole image observed by EHT if it joined array of telesopes?

Why do only some White Walkers shatter into ice chips?

Apache ErrorDocument returns 404 in place of 302

Building a list of products from the elements in another list

Why wasn't the Night King naked in S08E03?

How do I overfit?

Did we get closer to another plane than we were supposed to, or was the pilot just protecting our delicate sensibilities?

How do LIGO and VIRGO know that a gravitational wave has its origin in a neutron star or a black hole?

Would the Disguise Self spell be able to reveal hidden birthmarks/tattoos (of the person they're disguised as) to a character?

What are the advantages of luxury car brands like Acura/Lexus over their sibling non-luxury brands Honda/Toyota?

Should I replace my bicycle tires if they have not been inflated in multiple years

Mic, cable, pre-amp setup for acoustic guitar to perform with big band through mic and guitar amp?

Have I damaged my car by attempting to reverse with hand/park brake up?

How to apply differences on part of a list and keep the rest

How can I get a job without pushing my family's income into a higher tax bracket?

I'm in your subnets, golfing your code

Randomness of Python's random

Manager is threatening to grade me poorly if I don't complete the project

Can there be a single technologically advanced nation, in a continent full of non-technologically advanced nations?

How did Shepard's and Grissom's speeds compare with orbital velocity?

How do I make a function that generates nth natural number that isn't a perfect square?

How long would it take for people to notice a mass disappearance?



Struct unpack on win32file.DeviceIoControl


Python struct.pack() behaviorWhat's the difference between struct and class in .NET?When should you use a class vs a struct in C++?Why isn't sizeof for a struct equal to the sum of sizeof of each member?Why are mutable structs “evil”?When to use struct?Difference between 'struct' and 'typedef struct' in C++?typedef struct vs struct definitionsWhy Choose Struct Over Class?A simple case of struct, but getting a “bad char” errorstruct unpack (Type Error: a byte like object is required, not 'str"), Unpack a List?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;








0















I am trying to understand and work with win32file. I need to grab USN Journals and having a hard time understanding code snippets I found online. This is the code snippet I found -



format = 'qqqqqLLLLqqqqq'
length = struct.calcsize(format)
out_buffer = win32file.DeviceIoControl(volh, winioctlcon.FSCTL_GET_NTFS_VOLUME_DATA, None, length)
data = struct.unpack(format, out_buffer)


Now I am really rusty when it comes to C and it's structures. What I have understood for now is format is 96 bytes buffer and it'll get the output from DeviceIoControl



So I tried to change the format to 'QQQQQQQQQQQQQQQQQQQ' to see what happens(to see because I am kind of clueless what might actually happen) and it turns out I got a larger out_buffer this time. So I thought to unpack it -



struct.unpack(format, out_buffer)


And surprise to me, I got -



struct.error: unpack requires a string argument of length 152


So I added another 'Q' to increase the size and got the same result. I don't understand why 'qqqqqLLLLqqqqq' works and 'QQQQQQQQQQQQQQQQQQQ' does not. So my questions are -



  • My understanding was we can unpack if buffer was larger than the output so why doesn't the unpack work?


  • Would I have to remember these formats every-time I want to get something out from DeviceIoControl?


Pointing me out to resources would also be an added bonus as I need to build on the code to read USN Journals and I don't think hit-and-try is going to get me anywhere






python struct pywin32 deviceiocontrol







share|improve this question
























  • What does volh's creation process looks like (CreateFile call)?

    – CristiFati
    Nov 16 '18 at 23:49

















0















I am trying to understand and work with win32file. I need to grab USN Journals and having a hard time understanding code snippets I found online. This is the code snippet I found -



format = 'qqqqqLLLLqqqqq'
length = struct.calcsize(format)
out_buffer = win32file.DeviceIoControl(volh, winioctlcon.FSCTL_GET_NTFS_VOLUME_DATA, None, length)
data = struct.unpack(format, out_buffer)


Now I am really rusty when it comes to C and it's structures. What I have understood for now is format is 96 bytes buffer and it'll get the output from DeviceIoControl



So I tried to change the format to 'QQQQQQQQQQQQQQQQQQQ' to see what happens(to see because I am kind of clueless what might actually happen) and it turns out I got a larger out_buffer this time. So I thought to unpack it -



struct.unpack(format, out_buffer)


And surprise to me, I got -



struct.error: unpack requires a string argument of length 152


So I added another 'Q' to increase the size and got the same result. I don't understand why 'qqqqqLLLLqqqqq' works and 'QQQQQQQQQQQQQQQQQQQ' does not. So my questions are -



  • My understanding was we can unpack if buffer was larger than the output so why doesn't the unpack work?


  • Would I have to remember these formats every-time I want to get something out from DeviceIoControl?


Pointing me out to resources would also be an added bonus as I need to build on the code to read USN Journals and I don't think hit-and-try is going to get me anywhere






python struct pywin32 deviceiocontrol







share|improve this question
























  • What does volh's creation process looks like (CreateFile call)?

    – CristiFati
    Nov 16 '18 at 23:49













0












0








0








I am trying to understand and work with win32file. I need to grab USN Journals and having a hard time understanding code snippets I found online. This is the code snippet I found -



format = 'qqqqqLLLLqqqqq'
length = struct.calcsize(format)
out_buffer = win32file.DeviceIoControl(volh, winioctlcon.FSCTL_GET_NTFS_VOLUME_DATA, None, length)
data = struct.unpack(format, out_buffer)


Now I am really rusty when it comes to C and it's structures. What I have understood for now is format is 96 bytes buffer and it'll get the output from DeviceIoControl



So I tried to change the format to 'QQQQQQQQQQQQQQQQQQQ' to see what happens(to see because I am kind of clueless what might actually happen) and it turns out I got a larger out_buffer this time. So I thought to unpack it -



struct.unpack(format, out_buffer)


And surprise to me, I got -



struct.error: unpack requires a string argument of length 152


So I added another 'Q' to increase the size and got the same result. I don't understand why 'qqqqqLLLLqqqqq' works and 'QQQQQQQQQQQQQQQQQQQ' does not. So my questions are -



  • My understanding was we can unpack if buffer was larger than the output so why doesn't the unpack work?


  • Would I have to remember these formats every-time I want to get something out from DeviceIoControl?


Pointing me out to resources would also be an added bonus as I need to build on the code to read USN Journals and I don't think hit-and-try is going to get me anywhere






python struct pywin32 deviceiocontrol







share|improve this question
















I am trying to understand and work with win32file. I need to grab USN Journals and having a hard time understanding code snippets I found online. This is the code snippet I found -



format = 'qqqqqLLLLqqqqq'
length = struct.calcsize(format)
out_buffer = win32file.DeviceIoControl(volh, winioctlcon.FSCTL_GET_NTFS_VOLUME_DATA, None, length)
data = struct.unpack(format, out_buffer)


Now I am really rusty when it comes to C and it's structures. What I have understood for now is format is 96 bytes buffer and it'll get the output from DeviceIoControl



So I tried to change the format to 'QQQQQQQQQQQQQQQQQQQ' to see what happens(to see because I am kind of clueless what might actually happen) and it turns out I got a larger out_buffer this time. So I thought to unpack it -



struct.unpack(format, out_buffer)


And surprise to me, I got -



struct.error: unpack requires a string argument of length 152


So I added another 'Q' to increase the size and got the same result. I don't understand why 'qqqqqLLLLqqqqq' works and 'QQQQQQQQQQQQQQQQQQQ' does not. So my questions are -



  • My understanding was we can unpack if buffer was larger than the output so why doesn't the unpack work?


  • Would I have to remember these formats every-time I want to get something out from DeviceIoControl?


Pointing me out to resources would also be an added bonus as I need to build on the code to read USN Journals and I don't think hit-and-try is going to get me anywhere






python struct pywin32 deviceiocontrol




python struct pywin32 deviceiocontrol






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Nov 15 '18 at 12:17







ThatBird

















asked Nov 15 '18 at 11:53









ThatBirdThatBird

1,9301720




1,9301720












  • What does volh's creation process looks like (CreateFile call)?

    – CristiFati
    Nov 16 '18 at 23:49

















  • What does volh's creation process looks like (CreateFile call)?

    – CristiFati
    Nov 16 '18 at 23:49
















What does volh's creation process looks like (CreateFile call)?

– CristiFati
Nov 16 '18 at 23:49





What does volh's creation process looks like (CreateFile call)?

– CristiFati
Nov 16 '18 at 23:49












1 Answer
1






active

oldest

votes


















2














Let's split the problem in smaller pieces and take each one at a time.




  • win32file module is part of [GitHub]: mhammond/pywin32 - Python for Windows (pywin32) Extensions which is a Python wrapper over WinAPIs



    • Unfortunately, it doesn't have an official doc page (or I'm not aware of one), so below is the best that I could find (I've been using this for years). An alternative method that never fails (but it's less appealing) is looking directly at the code


    • [ActiveState]: win32file.DeviceIoControl is a wrapper over [MS.Docs]: DeviceIoControl function




  • DeviceIoControl acts differently, depending on the dwIoControlCode (2nd argument). For FSCTL_GET_NTFS_VOLUME_DATA, it fills a buffer with volume specific data. From [MSDN]: FSCTL_GET_NTFS_VOLUME_DATA control code:




    lpOutBuffer
    A pointer to the output buffer, an NTFS_VOLUME_DATA_BUFFER (@CristiFati: !!! Broken URL !!!) structure. The file record associated with the file identifier specified in the input buffer is returned in this buffer. Refer to the Remarks section of the documentation for the NTFS_VOLUME_DATA_BUFFER structure for specific information on how to determine the correct size of this buffer.




    Here's an alternative to the above broken URL: [MSDN]: NTFS_VOLUME_DATA_BUFFER structure. As I'm not sure for how long will it be valid, I'm pasting the structure definition below (from Windows Kits 8.1: winioctl.h (line #4987)):



    typedef struct 

     LARGE_INTEGER VolumeSerialNumber;
     LARGE_INTEGER NumberSectors;
     LARGE_INTEGER TotalClusters;
     LARGE_INTEGER FreeClusters;
     LARGE_INTEGER TotalReserved;
     DWORD BytesPerSector;
     DWORD BytesPerCluster;
     DWORD BytesPerFileRecordSegment;
     DWORD ClustersPerFileRecordSegment;
     LARGE_INTEGER MftValidDataLength;
     LARGE_INTEGER MftStartLcn;
     LARGE_INTEGER Mft2StartLcn;
     LARGE_INTEGER MftZoneStart;
     LARGE_INTEGER MftZoneEnd;

     NTFS_VOLUME_DATA_BUFFER, *PNTFS_VOLUME_DATA_BUFFER;


  • [Python 3]: struct - Interpret bytes as packed binary data module, is used for conversions between binary and "normal" data. It contains all the format characters meanings (q, Q, L, ...), and much more. You could also take a look at [SO]: Python struct.pack() behavior for more (practical) details


After going over the above materials, things should become clearer.



A couple of notes:



  • If one doesn't know what a function does (returns), they should probably don't use it (without reading the manual, of course). Although nowadays, both Win (which always had a lot of restrictions for the regular user) and Ux "protect users from themselves" (e.g.: root login no longer allowed, write protect %SystemDrive%)

  • The attempts (trial and error) show some lack of experience (probably every does it at some point, the key is not to rely solely on it)

  • "Would I have to remember these formats every-time I want to get something out from DeviceIoControl"?

    • Again, if not knowing that a function does, what's the reason for calling it? If you meant learning NTFS_VOLUME_DATA_BUFFER by heart, it's definitely not the case. You should know its structure only when using it (and as you've noticed there are some places that you can get it from - including this very post :) )


  • "My understanding was we can unpack if buffer was larger than the output so why doesn't the unpack work?"

    • Your understanding is correct. But win32file.DeviceIoControl seems to sometimes (probably when reaching 1stNULL after 96 bytes) truncate the output buffer when passing a value greater than the expected one (via length argument). When passing a smaller one, it will fail (as expected)


I've also prepared a dummy Python example.



code.py:



#!/usr/bin/env python3

import sys
import struct
import win32file
import win32api
import win32con
import winioctlcon


VOLUME_LETTER = "E"

FILE_READ_ATTRIBUTES = 0x0080
FILE_EXECUTE = 0x0020

vol_data_buf_fmt = "qqqqqLLLLqqqqq" # This is the format that matches NTFS_VOLUME_DATA_BUFFER definition (96 bytes). Note: Instead of each 'q' you could also use 'Ll' as 'LARGE_INTEGER' is an union

BINARY_FORMAT_LIST = [
 vol_data_buf_fmt,
 "QQQQQQQQQQQQQQQQQQQ",
]


def print_formats(): # Dummy func
 print("Formats and lengths:")
 for format in BINARY_FORMAT_LIST:
 print(" :s: :d".format(format, struct.calcsize(format)))


def main():
 #print_formats()
 vol_unc_name = "\\.\:s:".format(VOLUME_LETTER)
 print("volume: ", vol_unc_name)
 access_flags = FILE_READ_ATTRIBUTES | FILE_EXECUTE # Apparently, doesn't work without FILE_EXECUTE
 share_flags = win32con.FILE_SHARE_READ | win32con.FILE_SHARE_WRITE # Doesn't work withou FILE_SHARE_WRITE
 creation_flags = win32con.OPEN_EXISTING
 attributes_flags = win32con.FILE_ATTRIBUTE_NORMAL
 vol_handle = win32file.CreateFile(vol_unc_name, access_flags, share_flags, None, creation_flags, attributes_flags, None)

 buf_len = struct.calcsize(vol_data_buf_fmt)
 for i in [buf_len]:
 print(" Passing a buffer size of: :d".format(i))
 buf = win32file.DeviceIoControl(vol_handle, winioctlcon.FSCTL_GET_NTFS_VOLUME_DATA, None, i)
 print(" DeviceIocontrol returned a :d bytes long :".format(len(buf), type(buf)))
 out = struct.unpack_from(vol_data_buf_fmt, buf)
 print("n NumberSectors: :n TotalClusters: :n BytesPerCluster: :".format(out[1], out[2], out[6]))
 win32api.CloseHandle(vol_handle)


if __name__ == "__main__":
 print("Python :s on :sn".format(sys.version, sys.platform))
 main()


Output:






(py35x64_test) e:WorkDevStackOverflowq053318932>"e:WorkDevVEnvspy35x64_testScriptspython.exe" ./code.py
Python 3.5.4 (v3.5.4:3f56838, Aug 8 2017, 02:17:05) [MSC v.1900 64 bit (AMD64)] on win32

volume: \.E:
 Passing a buffer size of: 96
 DeviceIocontrol returned a 96 bytes long <class 'bytes'>

 NumberSectors: 494374911
 TotalClusters: 61796863
 BytesPerCluster: 4096



Needless to say that multiplying TotalClusters by BytesPerCluster, I get the correct bytes number (as reported by Win) for my E: drive.






share|improve this answer

























  • Thanks @CristiFati. Actually, with a bit of hit and try and research, I was able to find the resources mentioned in your comment and was thinking of answering my own question if nobody answered it but you have

    – ThatBird
    Nov 19 '18 at 10:32











  • "protect users from themselves" as you said so I knew the risks I was getting into while poking around with these commands

    – ThatBird
    Nov 19 '18 at 10:32











  • "Every attempt simply expresses lack of experience" but attempt adds up to the experience, which in turn helped me to discover these docs

    – ThatBird
    Nov 19 '18 at 10:34











  • I can query through the journal now but I need to build path to parent file, this is where I am stuck currently. What I have found out is there are to ways to get this to work, one is going through the MFT(I don't want that) and the other is opening file with File Reference Number. Can you help me with the second one?

    – ThatBird
    Nov 19 '18 at 10:37











  • I'm afraid that my knowledge on "File Reference Number". Is somewhere close to 0. So without some code samples I can't do anything. But, wouldn't that be a different question (cause the code from this one is related to volume properties rather than volume changes)?

    – CristiFati
    Nov 19 '18 at 13:33












Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53318932%2fstruct-unpack-on-win32file-deviceiocontrol%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









2














Let's split the problem in smaller pieces and take each one at a time.




  • win32file module is part of [GitHub]: mhammond/pywin32 - Python for Windows (pywin32) Extensions which is a Python wrapper over WinAPIs



    • Unfortunately, it doesn't have an official doc page (or I'm not aware of one), so below is the best that I could find (I've been using this for years). An alternative method that never fails (but it's less appealing) is looking directly at the code


    • [ActiveState]: win32file.DeviceIoControl is a wrapper over [MS.Docs]: DeviceIoControl function




  • DeviceIoControl acts differently, depending on the dwIoControlCode (2nd argument). For FSCTL_GET_NTFS_VOLUME_DATA, it fills a buffer with volume specific data. From [MSDN]: FSCTL_GET_NTFS_VOLUME_DATA control code:




    lpOutBuffer
    A pointer to the output buffer, an NTFS_VOLUME_DATA_BUFFER (@CristiFati: !!! Broken URL !!!) structure. The file record associated with the file identifier specified in the input buffer is returned in this buffer. Refer to the Remarks section of the documentation for the NTFS_VOLUME_DATA_BUFFER structure for specific information on how to determine the correct size of this buffer.




    Here's an alternative to the above broken URL: [MSDN]: NTFS_VOLUME_DATA_BUFFER structure. As I'm not sure for how long will it be valid, I'm pasting the structure definition below (from Windows Kits 8.1: winioctl.h (line #4987)):



    typedef struct 

     LARGE_INTEGER VolumeSerialNumber;
     LARGE_INTEGER NumberSectors;
     LARGE_INTEGER TotalClusters;
     LARGE_INTEGER FreeClusters;
     LARGE_INTEGER TotalReserved;
     DWORD BytesPerSector;
     DWORD BytesPerCluster;
     DWORD BytesPerFileRecordSegment;
     DWORD ClustersPerFileRecordSegment;
     LARGE_INTEGER MftValidDataLength;
     LARGE_INTEGER MftStartLcn;
     LARGE_INTEGER Mft2StartLcn;
     LARGE_INTEGER MftZoneStart;
     LARGE_INTEGER MftZoneEnd;

     NTFS_VOLUME_DATA_BUFFER, *PNTFS_VOLUME_DATA_BUFFER;


  • [Python 3]: struct - Interpret bytes as packed binary data module, is used for conversions between binary and "normal" data. It contains all the format characters meanings (q, Q, L, ...), and much more. You could also take a look at [SO]: Python struct.pack() behavior for more (practical) details


After going over the above materials, things should become clearer.



A couple of notes:



  • If one doesn't know what a function does (returns), they should probably don't use it (without reading the manual, of course). Although nowadays, both Win (which always had a lot of restrictions for the regular user) and Ux "protect users from themselves" (e.g.: root login no longer allowed, write protect %SystemDrive%)

  • The attempts (trial and error) show some lack of experience (probably every does it at some point, the key is not to rely solely on it)

  • "Would I have to remember these formats every-time I want to get something out from DeviceIoControl"?

    • Again, if not knowing that a function does, what's the reason for calling it? If you meant learning NTFS_VOLUME_DATA_BUFFER by heart, it's definitely not the case. You should know its structure only when using it (and as you've noticed there are some places that you can get it from - including this very post :) )


  • "My understanding was we can unpack if buffer was larger than the output so why doesn't the unpack work?"

    • Your understanding is correct. But win32file.DeviceIoControl seems to sometimes (probably when reaching 1stNULL after 96 bytes) truncate the output buffer when passing a value greater than the expected one (via length argument). When passing a smaller one, it will fail (as expected)


I've also prepared a dummy Python example.



code.py:



#!/usr/bin/env python3

import sys
import struct
import win32file
import win32api
import win32con
import winioctlcon


VOLUME_LETTER = "E"

FILE_READ_ATTRIBUTES = 0x0080
FILE_EXECUTE = 0x0020

vol_data_buf_fmt = "qqqqqLLLLqqqqq" # This is the format that matches NTFS_VOLUME_DATA_BUFFER definition (96 bytes). Note: Instead of each 'q' you could also use 'Ll' as 'LARGE_INTEGER' is an union

BINARY_FORMAT_LIST = [
 vol_data_buf_fmt,
 "QQQQQQQQQQQQQQQQQQQ",
]


def print_formats(): # Dummy func
 print("Formats and lengths:")
 for format in BINARY_FORMAT_LIST:
 print(" :s: :d".format(format, struct.calcsize(format)))


def main():
 #print_formats()
 vol_unc_name = "\\.\:s:".format(VOLUME_LETTER)
 print("volume: ", vol_unc_name)
 access_flags = FILE_READ_ATTRIBUTES | FILE_EXECUTE # Apparently, doesn't work without FILE_EXECUTE
 share_flags = win32con.FILE_SHARE_READ | win32con.FILE_SHARE_WRITE # Doesn't work withou FILE_SHARE_WRITE
 creation_flags = win32con.OPEN_EXISTING
 attributes_flags = win32con.FILE_ATTRIBUTE_NORMAL
 vol_handle = win32file.CreateFile(vol_unc_name, access_flags, share_flags, None, creation_flags, attributes_flags, None)

 buf_len = struct.calcsize(vol_data_buf_fmt)
 for i in [buf_len]:
 print(" Passing a buffer size of: :d".format(i))
 buf = win32file.DeviceIoControl(vol_handle, winioctlcon.FSCTL_GET_NTFS_VOLUME_DATA, None, i)
 print(" DeviceIocontrol returned a :d bytes long :".format(len(buf), type(buf)))
 out = struct.unpack_from(vol_data_buf_fmt, buf)
 print("n NumberSectors: :n TotalClusters: :n BytesPerCluster: :".format(out[1], out[2], out[6]))
 win32api.CloseHandle(vol_handle)


if __name__ == "__main__":
 print("Python :s on :sn".format(sys.version, sys.platform))
 main()


Output:






(py35x64_test) e:WorkDevStackOverflowq053318932>"e:WorkDevVEnvspy35x64_testScriptspython.exe" ./code.py
Python 3.5.4 (v3.5.4:3f56838, Aug 8 2017, 02:17:05) [MSC v.1900 64 bit (AMD64)] on win32

volume: \.E:
 Passing a buffer size of: 96
 DeviceIocontrol returned a 96 bytes long <class 'bytes'>

 NumberSectors: 494374911
 TotalClusters: 61796863
 BytesPerCluster: 4096



Needless to say that multiplying TotalClusters by BytesPerCluster, I get the correct bytes number (as reported by Win) for my E: drive.






share|improve this answer

























  • Thanks @CristiFati. Actually, with a bit of hit and try and research, I was able to find the resources mentioned in your comment and was thinking of answering my own question if nobody answered it but you have

    – ThatBird
    Nov 19 '18 at 10:32











  • "protect users from themselves" as you said so I knew the risks I was getting into while poking around with these commands

    – ThatBird
    Nov 19 '18 at 10:32











  • "Every attempt simply expresses lack of experience" but attempt adds up to the experience, which in turn helped me to discover these docs

    – ThatBird
    Nov 19 '18 at 10:34











  • I can query through the journal now but I need to build path to parent file, this is where I am stuck currently. What I have found out is there are to ways to get this to work, one is going through the MFT(I don't want that) and the other is opening file with File Reference Number. Can you help me with the second one?

    – ThatBird
    Nov 19 '18 at 10:37











  • I'm afraid that my knowledge on "File Reference Number". Is somewhere close to 0. So without some code samples I can't do anything. But, wouldn't that be a different question (cause the code from this one is related to volume properties rather than volume changes)?

    – CristiFati
    Nov 19 '18 at 13:33
















2














Let's split the problem in smaller pieces and take each one at a time.




  • win32file module is part of [GitHub]: mhammond/pywin32 - Python for Windows (pywin32) Extensions which is a Python wrapper over WinAPIs



    • Unfortunately, it doesn't have an official doc page (or I'm not aware of one), so below is the best that I could find (I've been using this for years). An alternative method that never fails (but it's less appealing) is looking directly at the code


    • [ActiveState]: win32file.DeviceIoControl is a wrapper over [MS.Docs]: DeviceIoControl function




  • DeviceIoControl acts differently, depending on the dwIoControlCode (2nd argument). For FSCTL_GET_NTFS_VOLUME_DATA, it fills a buffer with volume specific data. From [MSDN]: FSCTL_GET_NTFS_VOLUME_DATA control code:




    lpOutBuffer
    A pointer to the output buffer, an NTFS_VOLUME_DATA_BUFFER (@CristiFati: !!! Broken URL !!!) structure. The file record associated with the file identifier specified in the input buffer is returned in this buffer. Refer to the Remarks section of the documentation for the NTFS_VOLUME_DATA_BUFFER structure for specific information on how to determine the correct size of this buffer.




    Here's an alternative to the above broken URL: [MSDN]: NTFS_VOLUME_DATA_BUFFER structure. As I'm not sure for how long will it be valid, I'm pasting the structure definition below (from Windows Kits 8.1: winioctl.h (line #4987)):



    typedef struct 

     LARGE_INTEGER VolumeSerialNumber;
     LARGE_INTEGER NumberSectors;
     LARGE_INTEGER TotalClusters;
     LARGE_INTEGER FreeClusters;
     LARGE_INTEGER TotalReserved;
     DWORD BytesPerSector;
     DWORD BytesPerCluster;
     DWORD BytesPerFileRecordSegment;
     DWORD ClustersPerFileRecordSegment;
     LARGE_INTEGER MftValidDataLength;
     LARGE_INTEGER MftStartLcn;
     LARGE_INTEGER Mft2StartLcn;
     LARGE_INTEGER MftZoneStart;
     LARGE_INTEGER MftZoneEnd;

     NTFS_VOLUME_DATA_BUFFER, *PNTFS_VOLUME_DATA_BUFFER;


  • [Python 3]: struct - Interpret bytes as packed binary data module, is used for conversions between binary and "normal" data. It contains all the format characters meanings (q, Q, L, ...), and much more. You could also take a look at [SO]: Python struct.pack() behavior for more (practical) details


After going over the above materials, things should become clearer.



A couple of notes:



  • If one doesn't know what a function does (returns), they should probably don't use it (without reading the manual, of course). Although nowadays, both Win (which always had a lot of restrictions for the regular user) and Ux "protect users from themselves" (e.g.: root login no longer allowed, write protect %SystemDrive%)

  • The attempts (trial and error) show some lack of experience (probably every does it at some point, the key is not to rely solely on it)

  • "Would I have to remember these formats every-time I want to get something out from DeviceIoControl"?

    • Again, if not knowing that a function does, what's the reason for calling it? If you meant learning NTFS_VOLUME_DATA_BUFFER by heart, it's definitely not the case. You should know its structure only when using it (and as you've noticed there are some places that you can get it from - including this very post :) )


  • "My understanding was we can unpack if buffer was larger than the output so why doesn't the unpack work?"

    • Your understanding is correct. But win32file.DeviceIoControl seems to sometimes (probably when reaching 1stNULL after 96 bytes) truncate the output buffer when passing a value greater than the expected one (via length argument). When passing a smaller one, it will fail (as expected)


I've also prepared a dummy Python example.



code.py:



#!/usr/bin/env python3

import sys
import struct
import win32file
import win32api
import win32con
import winioctlcon


VOLUME_LETTER = "E"

FILE_READ_ATTRIBUTES = 0x0080
FILE_EXECUTE = 0x0020

vol_data_buf_fmt = "qqqqqLLLLqqqqq" # This is the format that matches NTFS_VOLUME_DATA_BUFFER definition (96 bytes). Note: Instead of each 'q' you could also use 'Ll' as 'LARGE_INTEGER' is an union

BINARY_FORMAT_LIST = [
 vol_data_buf_fmt,
 "QQQQQQQQQQQQQQQQQQQ",
]


def print_formats(): # Dummy func
 print("Formats and lengths:")
 for format in BINARY_FORMAT_LIST:
 print(" :s: :d".format(format, struct.calcsize(format)))


def main():
 #print_formats()
 vol_unc_name = "\\.\:s:".format(VOLUME_LETTER)
 print("volume: ", vol_unc_name)
 access_flags = FILE_READ_ATTRIBUTES | FILE_EXECUTE # Apparently, doesn't work without FILE_EXECUTE
 share_flags = win32con.FILE_SHARE_READ | win32con.FILE_SHARE_WRITE # Doesn't work withou FILE_SHARE_WRITE
 creation_flags = win32con.OPEN_EXISTING
 attributes_flags = win32con.FILE_ATTRIBUTE_NORMAL
 vol_handle = win32file.CreateFile(vol_unc_name, access_flags, share_flags, None, creation_flags, attributes_flags, None)

 buf_len = struct.calcsize(vol_data_buf_fmt)
 for i in [buf_len]:
 print(" Passing a buffer size of: :d".format(i))
 buf = win32file.DeviceIoControl(vol_handle, winioctlcon.FSCTL_GET_NTFS_VOLUME_DATA, None, i)
 print(" DeviceIocontrol returned a :d bytes long :".format(len(buf), type(buf)))
 out = struct.unpack_from(vol_data_buf_fmt, buf)
 print("n NumberSectors: :n TotalClusters: :n BytesPerCluster: :".format(out[1], out[2], out[6]))
 win32api.CloseHandle(vol_handle)


if __name__ == "__main__":
 print("Python :s on :sn".format(sys.version, sys.platform))
 main()


Output:






(py35x64_test) e:WorkDevStackOverflowq053318932>"e:WorkDevVEnvspy35x64_testScriptspython.exe" ./code.py
Python 3.5.4 (v3.5.4:3f56838, Aug 8 2017, 02:17:05) [MSC v.1900 64 bit (AMD64)] on win32

volume: \.E:
 Passing a buffer size of: 96
 DeviceIocontrol returned a 96 bytes long <class 'bytes'>

 NumberSectors: 494374911
 TotalClusters: 61796863
 BytesPerCluster: 4096



Needless to say that multiplying TotalClusters by BytesPerCluster, I get the correct bytes number (as reported by Win) for my E: drive.






share|improve this answer

























  • Thanks @CristiFati. Actually, with a bit of hit and try and research, I was able to find the resources mentioned in your comment and was thinking of answering my own question if nobody answered it but you have

    – ThatBird
    Nov 19 '18 at 10:32











  • "protect users from themselves" as you said so I knew the risks I was getting into while poking around with these commands

    – ThatBird
    Nov 19 '18 at 10:32











  • "Every attempt simply expresses lack of experience" but attempt adds up to the experience, which in turn helped me to discover these docs

    – ThatBird
    Nov 19 '18 at 10:34











  • I can query through the journal now but I need to build path to parent file, this is where I am stuck currently. What I have found out is there are to ways to get this to work, one is going through the MFT(I don't want that) and the other is opening file with File Reference Number. Can you help me with the second one?

    – ThatBird
    Nov 19 '18 at 10:37











  • I'm afraid that my knowledge on "File Reference Number". Is somewhere close to 0. So without some code samples I can't do anything. But, wouldn't that be a different question (cause the code from this one is related to volume properties rather than volume changes)?

    – CristiFati
    Nov 19 '18 at 13:33














2












2








2







Let's split the problem in smaller pieces and take each one at a time.




  • win32file module is part of [GitHub]: mhammond/pywin32 - Python for Windows (pywin32) Extensions which is a Python wrapper over WinAPIs



    • Unfortunately, it doesn't have an official doc page (or I'm not aware of one), so below is the best that I could find (I've been using this for years). An alternative method that never fails (but it's less appealing) is looking directly at the code


    • [ActiveState]: win32file.DeviceIoControl is a wrapper over [MS.Docs]: DeviceIoControl function




  • DeviceIoControl acts differently, depending on the dwIoControlCode (2nd argument). For FSCTL_GET_NTFS_VOLUME_DATA, it fills a buffer with volume specific data. From [MSDN]: FSCTL_GET_NTFS_VOLUME_DATA control code:




    lpOutBuffer
    A pointer to the output buffer, an NTFS_VOLUME_DATA_BUFFER (@CristiFati: !!! Broken URL !!!) structure. The file record associated with the file identifier specified in the input buffer is returned in this buffer. Refer to the Remarks section of the documentation for the NTFS_VOLUME_DATA_BUFFER structure for specific information on how to determine the correct size of this buffer.




    Here's an alternative to the above broken URL: [MSDN]: NTFS_VOLUME_DATA_BUFFER structure. As I'm not sure for how long will it be valid, I'm pasting the structure definition below (from Windows Kits 8.1: winioctl.h (line #4987)):



    typedef struct 

     LARGE_INTEGER VolumeSerialNumber;
     LARGE_INTEGER NumberSectors;
     LARGE_INTEGER TotalClusters;
     LARGE_INTEGER FreeClusters;
     LARGE_INTEGER TotalReserved;
     DWORD BytesPerSector;
     DWORD BytesPerCluster;
     DWORD BytesPerFileRecordSegment;
     DWORD ClustersPerFileRecordSegment;
     LARGE_INTEGER MftValidDataLength;
     LARGE_INTEGER MftStartLcn;
     LARGE_INTEGER Mft2StartLcn;
     LARGE_INTEGER MftZoneStart;
     LARGE_INTEGER MftZoneEnd;

     NTFS_VOLUME_DATA_BUFFER, *PNTFS_VOLUME_DATA_BUFFER;


  • [Python 3]: struct - Interpret bytes as packed binary data module, is used for conversions between binary and "normal" data. It contains all the format characters meanings (q, Q, L, ...), and much more. You could also take a look at [SO]: Python struct.pack() behavior for more (practical) details


After going over the above materials, things should become clearer.



A couple of notes:



  • If one doesn't know what a function does (returns), they should probably don't use it (without reading the manual, of course). Although nowadays, both Win (which always had a lot of restrictions for the regular user) and Ux "protect users from themselves" (e.g.: root login no longer allowed, write protect %SystemDrive%)

  • The attempts (trial and error) show some lack of experience (probably every does it at some point, the key is not to rely solely on it)

  • "Would I have to remember these formats every-time I want to get something out from DeviceIoControl"?

    • Again, if not knowing that a function does, what's the reason for calling it? If you meant learning NTFS_VOLUME_DATA_BUFFER by heart, it's definitely not the case. You should know its structure only when using it (and as you've noticed there are some places that you can get it from - including this very post :) )


  • "My understanding was we can unpack if buffer was larger than the output so why doesn't the unpack work?"

    • Your understanding is correct. But win32file.DeviceIoControl seems to sometimes (probably when reaching 1stNULL after 96 bytes) truncate the output buffer when passing a value greater than the expected one (via length argument). When passing a smaller one, it will fail (as expected)


I've also prepared a dummy Python example.



code.py:



#!/usr/bin/env python3

import sys
import struct
import win32file
import win32api
import win32con
import winioctlcon


VOLUME_LETTER = "E"

FILE_READ_ATTRIBUTES = 0x0080
FILE_EXECUTE = 0x0020

vol_data_buf_fmt = "qqqqqLLLLqqqqq" # This is the format that matches NTFS_VOLUME_DATA_BUFFER definition (96 bytes). Note: Instead of each 'q' you could also use 'Ll' as 'LARGE_INTEGER' is an union

BINARY_FORMAT_LIST = [
 vol_data_buf_fmt,
 "QQQQQQQQQQQQQQQQQQQ",
]


def print_formats(): # Dummy func
 print("Formats and lengths:")
 for format in BINARY_FORMAT_LIST:
 print(" :s: :d".format(format, struct.calcsize(format)))


def main():
 #print_formats()
 vol_unc_name = "\\.\:s:".format(VOLUME_LETTER)
 print("volume: ", vol_unc_name)
 access_flags = FILE_READ_ATTRIBUTES | FILE_EXECUTE # Apparently, doesn't work without FILE_EXECUTE
 share_flags = win32con.FILE_SHARE_READ | win32con.FILE_SHARE_WRITE # Doesn't work withou FILE_SHARE_WRITE
 creation_flags = win32con.OPEN_EXISTING
 attributes_flags = win32con.FILE_ATTRIBUTE_NORMAL
 vol_handle = win32file.CreateFile(vol_unc_name, access_flags, share_flags, None, creation_flags, attributes_flags, None)

 buf_len = struct.calcsize(vol_data_buf_fmt)
 for i in [buf_len]:
 print(" Passing a buffer size of: :d".format(i))
 buf = win32file.DeviceIoControl(vol_handle, winioctlcon.FSCTL_GET_NTFS_VOLUME_DATA, None, i)
 print(" DeviceIocontrol returned a :d bytes long :".format(len(buf), type(buf)))
 out = struct.unpack_from(vol_data_buf_fmt, buf)
 print("n NumberSectors: :n TotalClusters: :n BytesPerCluster: :".format(out[1], out[2], out[6]))
 win32api.CloseHandle(vol_handle)


if __name__ == "__main__":
 print("Python :s on :sn".format(sys.version, sys.platform))
 main()


Output:






(py35x64_test) e:WorkDevStackOverflowq053318932>"e:WorkDevVEnvspy35x64_testScriptspython.exe" ./code.py
Python 3.5.4 (v3.5.4:3f56838, Aug 8 2017, 02:17:05) [MSC v.1900 64 bit (AMD64)] on win32

volume: \.E:
 Passing a buffer size of: 96
 DeviceIocontrol returned a 96 bytes long <class 'bytes'>

 NumberSectors: 494374911
 TotalClusters: 61796863
 BytesPerCluster: 4096



Needless to say that multiplying TotalClusters by BytesPerCluster, I get the correct bytes number (as reported by Win) for my E: drive.






share|improve this answer















Let's split the problem in smaller pieces and take each one at a time.




  • win32file module is part of [GitHub]: mhammond/pywin32 - Python for Windows (pywin32) Extensions which is a Python wrapper over WinAPIs



    • Unfortunately, it doesn't have an official doc page (or I'm not aware of one), so below is the best that I could find (I've been using this for years). An alternative method that never fails (but it's less appealing) is looking directly at the code


    • [ActiveState]: win32file.DeviceIoControl is a wrapper over [MS.Docs]: DeviceIoControl function




  • DeviceIoControl acts differently, depending on the dwIoControlCode (2nd argument). For FSCTL_GET_NTFS_VOLUME_DATA, it fills a buffer with volume specific data. From [MSDN]: FSCTL_GET_NTFS_VOLUME_DATA control code:




    lpOutBuffer
    A pointer to the output buffer, an NTFS_VOLUME_DATA_BUFFER (@CristiFati: !!! Broken URL !!!) structure. The file record associated with the file identifier specified in the input buffer is returned in this buffer. Refer to the Remarks section of the documentation for the NTFS_VOLUME_DATA_BUFFER structure for specific information on how to determine the correct size of this buffer.




    Here's an alternative to the above broken URL: [MSDN]: NTFS_VOLUME_DATA_BUFFER structure. As I'm not sure for how long will it be valid, I'm pasting the structure definition below (from Windows Kits 8.1: winioctl.h (line #4987)):



    typedef struct 

     LARGE_INTEGER VolumeSerialNumber;
     LARGE_INTEGER NumberSectors;
     LARGE_INTEGER TotalClusters;
     LARGE_INTEGER FreeClusters;
     LARGE_INTEGER TotalReserved;
     DWORD BytesPerSector;
     DWORD BytesPerCluster;
     DWORD BytesPerFileRecordSegment;
     DWORD ClustersPerFileRecordSegment;
     LARGE_INTEGER MftValidDataLength;
     LARGE_INTEGER MftStartLcn;
     LARGE_INTEGER Mft2StartLcn;
     LARGE_INTEGER MftZoneStart;
     LARGE_INTEGER MftZoneEnd;

     NTFS_VOLUME_DATA_BUFFER, *PNTFS_VOLUME_DATA_BUFFER;


  • [Python 3]: struct - Interpret bytes as packed binary data module, is used for conversions between binary and "normal" data. It contains all the format characters meanings (q, Q, L, ...), and much more. You could also take a look at [SO]: Python struct.pack() behavior for more (practical) details


After going over the above materials, things should become clearer.



A couple of notes:



  • If one doesn't know what a function does (returns), they should probably don't use it (without reading the manual, of course). Although nowadays, both Win (which always had a lot of restrictions for the regular user) and Ux "protect users from themselves" (e.g.: root login no longer allowed, write protect %SystemDrive%)

  • The attempts (trial and error) show some lack of experience (probably every does it at some point, the key is not to rely solely on it)

  • "Would I have to remember these formats every-time I want to get something out from DeviceIoControl"?

    • Again, if not knowing that a function does, what's the reason for calling it? If you meant learning NTFS_VOLUME_DATA_BUFFER by heart, it's definitely not the case. You should know its structure only when using it (and as you've noticed there are some places that you can get it from - including this very post :) )


  • "My understanding was we can unpack if buffer was larger than the output so why doesn't the unpack work?"

    • Your understanding is correct. But win32file.DeviceIoControl seems to sometimes (probably when reaching 1stNULL after 96 bytes) truncate the output buffer when passing a value greater than the expected one (via length argument). When passing a smaller one, it will fail (as expected)


I've also prepared a dummy Python example.



code.py:



#!/usr/bin/env python3

import sys
import struct
import win32file
import win32api
import win32con
import winioctlcon


VOLUME_LETTER = "E"

FILE_READ_ATTRIBUTES = 0x0080
FILE_EXECUTE = 0x0020

vol_data_buf_fmt = "qqqqqLLLLqqqqq" # This is the format that matches NTFS_VOLUME_DATA_BUFFER definition (96 bytes). Note: Instead of each 'q' you could also use 'Ll' as 'LARGE_INTEGER' is an union

BINARY_FORMAT_LIST = [
 vol_data_buf_fmt,
 "QQQQQQQQQQQQQQQQQQQ",
]


def print_formats(): # Dummy func
 print("Formats and lengths:")
 for format in BINARY_FORMAT_LIST:
 print(" :s: :d".format(format, struct.calcsize(format)))


def main():
 #print_formats()
 vol_unc_name = "\\.\:s:".format(VOLUME_LETTER)
 print("volume: ", vol_unc_name)
 access_flags = FILE_READ_ATTRIBUTES | FILE_EXECUTE # Apparently, doesn't work without FILE_EXECUTE
 share_flags = win32con.FILE_SHARE_READ | win32con.FILE_SHARE_WRITE # Doesn't work withou FILE_SHARE_WRITE
 creation_flags = win32con.OPEN_EXISTING
 attributes_flags = win32con.FILE_ATTRIBUTE_NORMAL
 vol_handle = win32file.CreateFile(vol_unc_name, access_flags, share_flags, None, creation_flags, attributes_flags, None)

 buf_len = struct.calcsize(vol_data_buf_fmt)
 for i in [buf_len]:
 print(" Passing a buffer size of: :d".format(i))
 buf = win32file.DeviceIoControl(vol_handle, winioctlcon.FSCTL_GET_NTFS_VOLUME_DATA, None, i)
 print(" DeviceIocontrol returned a :d bytes long :".format(len(buf), type(buf)))
 out = struct.unpack_from(vol_data_buf_fmt, buf)
 print("n NumberSectors: :n TotalClusters: :n BytesPerCluster: :".format(out[1], out[2], out[6]))
 win32api.CloseHandle(vol_handle)


if __name__ == "__main__":
 print("Python :s on :sn".format(sys.version, sys.platform))
 main()


Output:






(py35x64_test) e:WorkDevStackOverflowq053318932>"e:WorkDevVEnvspy35x64_testScriptspython.exe" ./code.py
Python 3.5.4 (v3.5.4:3f56838, Aug 8 2017, 02:17:05) [MSC v.1900 64 bit (AMD64)] on win32

volume: \.E:
 Passing a buffer size of: 96
 DeviceIocontrol returned a 96 bytes long <class 'bytes'>

 NumberSectors: 494374911
 TotalClusters: 61796863
 BytesPerCluster: 4096



Needless to say that multiplying TotalClusters by BytesPerCluster, I get the correct bytes number (as reported by Win) for my E: drive.







share|improve this answer














share|improve this answer



share|improve this answer








edited Mar 22 at 22:21

























answered Nov 17 '18 at 1:30









CristiFatiCristiFati

15.5k72740




15.5k72740












  • Thanks @CristiFati. Actually, with a bit of hit and try and research, I was able to find the resources mentioned in your comment and was thinking of answering my own question if nobody answered it but you have

    – ThatBird
    Nov 19 '18 at 10:32











  • "protect users from themselves" as you said so I knew the risks I was getting into while poking around with these commands

    – ThatBird
    Nov 19 '18 at 10:32











  • "Every attempt simply expresses lack of experience" but attempt adds up to the experience, which in turn helped me to discover these docs

    – ThatBird
    Nov 19 '18 at 10:34











  • I can query through the journal now but I need to build path to parent file, this is where I am stuck currently. What I have found out is there are to ways to get this to work, one is going through the MFT(I don't want that) and the other is opening file with File Reference Number. Can you help me with the second one?

    – ThatBird
    Nov 19 '18 at 10:37











  • I'm afraid that my knowledge on "File Reference Number". Is somewhere close to 0. So without some code samples I can't do anything. But, wouldn't that be a different question (cause the code from this one is related to volume properties rather than volume changes)?

    – CristiFati
    Nov 19 '18 at 13:33


















  • Thanks @CristiFati. Actually, with a bit of hit and try and research, I was able to find the resources mentioned in your comment and was thinking of answering my own question if nobody answered it but you have

    – ThatBird
    Nov 19 '18 at 10:32











  • "protect users from themselves" as you said so I knew the risks I was getting into while poking around with these commands

    – ThatBird
    Nov 19 '18 at 10:32











  • "Every attempt simply expresses lack of experience" but attempt adds up to the experience, which in turn helped me to discover these docs

    – ThatBird
    Nov 19 '18 at 10:34











  • I can query through the journal now but I need to build path to parent file, this is where I am stuck currently. What I have found out is there are to ways to get this to work, one is going through the MFT(I don't want that) and the other is opening file with File Reference Number. Can you help me with the second one?

    – ThatBird
    Nov 19 '18 at 10:37











  • I'm afraid that my knowledge on "File Reference Number". Is somewhere close to 0. So without some code samples I can't do anything. But, wouldn't that be a different question (cause the code from this one is related to volume properties rather than volume changes)?

    – CristiFati
    Nov 19 '18 at 13:33

















Thanks @CristiFati. Actually, with a bit of hit and try and research, I was able to find the resources mentioned in your comment and was thinking of answering my own question if nobody answered it but you have

– ThatBird
Nov 19 '18 at 10:32





Thanks @CristiFati. Actually, with a bit of hit and try and research, I was able to find the resources mentioned in your comment and was thinking of answering my own question if nobody answered it but you have

– ThatBird
Nov 19 '18 at 10:32













"protect users from themselves" as you said so I knew the risks I was getting into while poking around with these commands

– ThatBird
Nov 19 '18 at 10:32





"protect users from themselves" as you said so I knew the risks I was getting into while poking around with these commands

– ThatBird
Nov 19 '18 at 10:32













"Every attempt simply expresses lack of experience" but attempt adds up to the experience, which in turn helped me to discover these docs

– ThatBird
Nov 19 '18 at 10:34





"Every attempt simply expresses lack of experience" but attempt adds up to the experience, which in turn helped me to discover these docs

– ThatBird
Nov 19 '18 at 10:34













I can query through the journal now but I need to build path to parent file, this is where I am stuck currently. What I have found out is there are to ways to get this to work, one is going through the MFT(I don't want that) and the other is opening file with File Reference Number. Can you help me with the second one?

– ThatBird
Nov 19 '18 at 10:37





I can query through the journal now but I need to build path to parent file, this is where I am stuck currently. What I have found out is there are to ways to get this to work, one is going through the MFT(I don't want that) and the other is opening file with File Reference Number. Can you help me with the second one?

– ThatBird
Nov 19 '18 at 10:37













I'm afraid that my knowledge on "File Reference Number". Is somewhere close to 0. So without some code samples I can't do anything. But, wouldn't that be a different question (cause the code from this one is related to volume properties rather than volume changes)?

– CristiFati
Nov 19 '18 at 13:33






I'm afraid that my knowledge on "File Reference Number". Is somewhere close to 0. So without some code samples I can't do anything. But, wouldn't that be a different question (cause the code from this one is related to volume properties rather than volume changes)?

– CristiFati
Nov 19 '18 at 13:33




















draft saved

draft discarded
















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53318932%2fstruct-unpack-on-win32file-deviceiocontrol%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

Kamusi Yaliyomo Aina za kamusi | Muundo wa kamusi | Faida za kamusi | Dhima ya picha katika kamusi | Marejeo | Tazama pia | Viungo vya nje | UrambazajiKuhusu kamusiGo-SwahiliWiki-KamusiKamusi ya Kiswahili na Kiingerezakuihariri na kuongeza habari

Image
Pages using ISBN magic linksMbegu za lughaKamusiIsimu nenoKiarabukitabulughaKiswahilialfabetimaanaufafanuzimanenomuhtasarisarufividahizoalfabeti Kamusi Kutoka Wikipedia, kamusi elezo huru Jump to navigation Jump to search Kamusi za Kiswahili Kamusi ya Kiswahili-Kiswahili (kamusi wahidiya) Kamusi ya Kiswahili - Kiingereza (kamusi thania) Kamusi (kutoka neno la Kiarabu قاموس qamus ) ni kitabu ambacho kinaorodhesha maneno ya lugha yaliyokusanywa kutoka kwa watumiaji wa lugha fulani, kwa mfano lugha ya Kiswahili. Maneno hupangwa kwa mtindo wa alfabeti, hutoa maana, asili na ufafanuzi wa utumizi wa maneno na jinsi yanavyotumika au yanavyotamkwa. [1] Yaliyomo 1 Aina za kamusi 2 Muundo wa kamusi 2.1 1. Utangulizi wa kamusi 2.2 2. Matini ya kamusi 2.3 3. Sherehe ya kamusi 3 Faida za kamusi 4 Dhima ya picha katika kamusi 5 Marejeo 6 Tazama pia 7 Viungo vya nje Aina za kamusi | Kuna aina mbalimbali za kamusi ambazo ni: Kamusi wahidiya yaani ya l
Read more

Swift 4 - func physicsWorld not invoked on collision? The Next CEO of Stack OverflowHow to call Objective-C code from Swift#ifdef replacement in the Swift language@selector() in Swift?#pragma mark in Swift?Swift for loop: for index, element in array?dispatch_after - GCD in Swift?Swift Beta performance: sorting arraysSplit a String into an array in Swift?The use of Swift 3 @objc inference in Swift 4 mode is deprecated?How to optimize UITableViewCell, because my UITableView lags

Image
Strange use of "whether ... than ..." in official text Could a dragon use its wings to swim? Car headlights in a world without electricity How to avoid supervisors with prejudiced views? Is the offspring between a demon and a celestial possible? If so what is it called and is it in a book somewhere? Can I board the first leg of the flight without having final country's PR card? subequations: How to continue numbering within subequation? How do you define an element with an ID attribute using LWC? Relevant Part for a Badminton Serve What CSS properties can the br tag have? What are the unusually-enlarged wing sections on this P-38 Lightning? Why did early computer designers eschew integers? Is it a bad idea to plug the other end of ESD strap to wall ground? Magento 1.9 observer on only new product added ( no updated product ) Airplane gently rocking its wings during whole flight It is correct to match light sources with the same color temperat
Read more

Access current req object everywhere in Node.js ExpressWhy are global variables considered bad practice? (node.js)Using req & res across functionsHow do I get the path to the current script with Node.js?What is Node.js' Connect, Express and “middleware”?Node.js w/ express error handling in callbackHow to access the GET parameters after “?” in Express?Modify Node.js req object parametersAccess “app” variable inside of ExpressJS/ConnectJS middleware?Node.js Express app - request objectAngular Http Module considered middleware?Session variables in ExpressJSAdd properties to the req object in expressjs with Typescript

Image
What steps should I take to lawfully visit the United States as a tourist immediately after visiting on a B-1 visa? Would dual wielding daggers be a viable choice for a covert bodyguard? For a hashing function like MD5, how similar can two plaintext strings be and still generate the same hash? Using Newton's shell theorem to accelerate a spaceship Why doesn't sea level show seasonality? What prevents someone from claiming to be the murderer in order to get the real murderer off? Has anyone in space seen or photographed a simple laser pointer from Earth? What does (void *)1 mean Why does the U.S. tolerate foreign influence from Saudi Arabia and Israel on its domestic policies while not tolerating that from China or Russia? Modulus Operandi What's the point of having a RAID 1 configuration over incremental backups to a secondary drive? How to ask for a LinkedIn endorsement? Good resources for solving techniques (Metaheuristics, MILP, CP etc) How woul
Read more