File System API Reference
The Windows Kernel File System (NTFS, FAT, etc.) APIs provide the core mechanisms for applications and drivers to interact with the underlying file system structures. This section details the functions, structures, and concepts essential for file system operations within the Windows kernel.
Core Concepts
Understanding the following concepts is crucial for effective use of the file system APIs:
- File Objects: Represent an open file, directory, or device.
- IRPs (I/O Request Packets): The primary mechanism for passing I/O operations between the operating system and device drivers.
- FSRTL (File System Runtime Library): A set of helper routines for file system drivers.
- Object Manager: Manages kernel objects, including file objects.
- Cache Manager: Optimizes file I/O by caching file data in memory.
Key API Functions
Here are some of the most frequently used API functions for file system operations:
| Function Name | Description | Parameters | Return Value |
|---|---|---|---|
| ZwCreateFile | Creates a new file or opens an existing one. | PUNICODE_STRING FileName, PHANDLE FileHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PIO_STATUS_BLOCK IoStatusBlock, PLARGE_INTEGER AllocationSize, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions, PVOID EaBuffer, ULONG EaLength | NTSTATUS |
| ZwReadFile | Reads data from a file. | HANDLE FileHandle, PVOID Buffer, ULONG Length, PLARGE_INTEGER ByteOffset, PULONG Key | NTSTATUS |
| ZwWriteFile | Writes data to a file. | HANDLE FileHandle, PVOID Buffer, ULONG Length, PLARGE_INTEGER ByteOffset, PULONG Key | NTSTATUS |
| ZwQueryInformationFile | Retrieves information about a file. | HANDLE FileHandle, PIO_STATUS_BLOCK IoStatusBlock, PVOID FileInformation, ULONG Length, FILE_INFORMATION_CLASS FileInformationClass | NTSTATUS |
| ZwClose | Closes a handle to an object. | HANDLE Handle | NTSTATUS |
| IoCreateFile | Creates or opens a file object. (Driver specific) | PDEVICE_OBJECT DeviceObject, PIRP Irp, PUNICODE_STRING FileName, ACCESS_MASK DesiredAccess, ULONG FileAttributes, ULONG ShareAccess, ULONG CreateDisposition, ULONG CreateOptions | NTSTATUS |
File System Structures
Common structures used in file system operations:
- FILE_BASIC_INFORMATION: Basic file attributes (creation time, modification time, etc.).
- FILE_STANDARD_INFORMATION: Standard file information (allocation size, end of file).
- FILE_DIRECTORY_INFORMATION: Information about entries in a directory.
- OBJECT_ATTRIBUTES: Used to specify object attributes during creation or opening.
- IO_STATUS_BLOCK: Used to return I/O status information.
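FILE_DIRECTORY_INFORMATION entries are returned packed into one buffer and chained by NextEntryOffset, so code that walks them has to bounds-check every offset and FileNameLength before touching the next entry. The following is an added example, not part of the original reference: portable C that reads the fields at their WDK-documented byte offsets instead of including the kernel headers. The names count_dir_entries, build_sample, rd32 and wr32 and the two sample file names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte offsets in FILE_DIRECTORY_INFORMATION; timestamps and sizes sit between. */
#define OFF_NEXT     0u   /* ULONG NextEntryOffset, 0 on the last entry */
#define OFF_NAME_LEN 60u  /* ULONG FileNameLength, in bytes */
#define OFF_NAME     64u  /* WCHAR FileName[], not NUL-terminated */
static uint32_t rd32(const uint8_t *p) {   /* little-endian ULONG */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Count the entries in a directory-query buffer; -1 if any entry would be
 * read from outside buf[0..len). */
int count_dir_entries(const uint8_t *buf, size_t len) {
    size_t off = 0;
    for (int n = 1;; n++) {
        if (len - off < OFF_NAME) return -1;            /* fixed part must fit */
        uint32_t next = rd32(buf + off + OFF_NEXT);
        uint32_t name_len = rd32(buf + off + OFF_NAME_LEN);
        if (name_len % 2 || name_len > len - off - OFF_NAME) return -1;
        if (next == 0) return n;                        /* last entry in the chain */
        if (next % 8 || next < OFF_NAME + (size_t)name_len || next >= len - off)
            return -1;                /* misaligned, overlapping, or out of range */
        off += next;
    }
}

/* Constructed sample: entries "a.txt" and "b". cap must be >= 152; returns bytes used. */
size_t build_sample(uint8_t *buf, size_t cap) {
    static const char *names[] = { "a.txt", "b" };
    size_t off = 0;
    memset(buf, 0, cap);
    for (int i = 0; i < 2; i++) {
        size_t nlen = strlen(names[i]) * 2, total = (OFF_NAME + nlen + 7) & ~(size_t)7;
        wr32(buf + off + OFF_NAME_LEN, (uint32_t)nlen);
        for (size_t k = 0; k < nlen / 2; k++) buf[off + OFF_NAME + 2 * k] = (uint8_t)names[i][k];
        if (i == 0) wr32(buf + off + OFF_NEXT, (uint32_t)total);   /* link to second entry */
        off += total;
    }
    return off;
}

int main(void) {
    uint8_t buf[256];
    printf("entries: %d\n", count_dir_entries(buf, build_sample(buf, sizeof buf)));
    return 0;
}
```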
Note on Driver Development
When developing file system filter drivers or mini-filter drivers, you will extensively use IRPs and the FSRTL library. The Zw* (Native API) functions are typically used by user-mode applications and kernel-mode components that directly interact with the executive, while drivers often work with IRPs directly or through higher-level driver framework APIs.