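I have a procmon trace of an application build (which uses several different processes) that at some point fails to write to a file because it is being used by another process. The first thing I see is that the file is deleted at the start of the build: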
3:49:32.9928378 PM foo.exe 11460 QueryOpen SUCCESS CreationTime: 8/26/2016 12:49:00 PM, LastAccessTime: 8/26/2016 12:49:00 PM, LastWriteTime: 8/26/2016 12:49:05 PM, ChangeTime: 8/26/2016 12:49:06 PM, AllocationSize: 57,344, EndOfFile: 56,624, FileAttributes: N
3:49:32.9929337 PM foo.exe 11460 CreateFile SUCCESS Desired Access: Read Attributes, Delete, Disposition: Open, Options: Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
3:49:32.9929791 PM foo.exe 11460 QuerySecurityFile SUCCESS Information: 0x20
3:49:32.9930238 PM foo.exe 11460 QueryAttributeTagFile SUCCESS Attributes: N, ReparseTag: 0x0
3:49:32.9930526 PM foo.exe 11460 SetDispositionInformationFile SUCCESS Delete: True
3:49:32.9930955 PM foo.exe 11460 CloseFile SUCCESS
3:49:32.9940971 PM foo.exe 11460 CloseFile SUCCESS
3:49:32.9942480 PM foo.exe 11460 CreateFile SUCCESS Desired Access: Write Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Open Reparse Point, Attributes: n/a, ShareMode: Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened
3:49:32.9943085 PM foo.exe 11460 QuerySecurityFile SUCCESS Information: 0x20
3:49:32.9944066 PM foo.exe 11460 SetBasicInformationFile SUCCESS CreationTime: 0, LastAccessTime: 0, LastWriteTime: 0, ChangeTime: 0, FileAttributes: N
3:49:32.9944770 PM foo.exe 11460 CloseFile SUCCESS
3:49:32.9946268 PM foo.exe 11460 QueryOpen SUCCESS CreationTime: 8/26/2016 3:49:27 PM, LastAccessTime: 8/26/2016 3:49:27 PM, LastWriteTime: 8/26/2016 3:49:32 PM, ChangeTime: 8/26/2016 3:49:33 PM, AllocationSize: 57,344, EndOfFile: 56,624, FileAttributes: N
3:49:32.9947224 PM foo.exe 11460 CreateFile SUCCESS Desired Access: Read Attributes, Synchronize, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: n/a, OpenResult: Opened
3:49:32.9947681 PM foo.exe 11460 QuerySecurityFile SUCCESS Information: 0x20
3:49:32.9948253 PM foo.exe 11460 QueryInformationVolume BUFFER OVERFLOW VolumeCreationTime: 4/19/2016 10:43:10 PM, VolumeSerialNumber: 4299-1E8C, SupportsObjects: True, VolumeLabel: Dat堜
3:49:32.9948475 PM foo.exe 11460 QueryAllInformationFile BUFFER OVERFLOW CreationTime: 8/26/2016 3:49:27 PM, LastAccessTime: 8/26/2016 3:49:27 PM, LastWriteTime: 8/26/2016 3:49:32 PM, ChangeTime: 8/26/2016 3:49:33 PM, FileAttributes: N, AllocationSize: 57,344, EndOfFile: 56,624, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0xe00000021d3d3, EaSize: 0, Access: Read Attributes, Synchronize, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Word
3:49:32.9948678 PM foo.exe 11460 CloseFile SUCCESS
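This appears to succeed. The next thing I noticed is that there are two "CreateFileMapping" calls that return "File Locked With Only reader". However, as far as I know, this is nothing to worry about, since CloseFile appears to be called both times. Interestingly, the QueryAllInformationFile called after the delete returns a time from before the delete as the creation time. Does this mean the file was not deleted properly?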
3:49:41.3811537 PM bar.exe 11724 CreateFile SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, AllocationSize: n/a, OpenResult: Opened
3:49:41.3812155 PM bar.exe 11724 QuerySecurityFile SUCCESS Information: 0x20
3:49:41.3827524 PM bar.exe 11724 QueryNameInformationFile SUCCESS Name: \a\path\to\a\file\thedllinquestion.dll
3:49:41.3827711 PM bar.exe 11724 QueryNameInformationFile SUCCESS Name: \a\path\to\a\file\thedllinquestion.dll
3:49:41.3828506 PM bar.exe 11724 QueryNormalizedNameInformationFile SUCCESS
3:49:41.3829159 PM bar.exe 11724 QueryInformationVolume BUFFER OVERFLOW VolumeCreationTime: 4/19/2016 10:43:10 PM, VolumeSerialNumber: 4299-1E8C, SupportsObjects: True, VolumeLabel: Dat妕
3:49:41.3829281 PM bar.exe 11724 QueryAllInformationFile BUFFER OVERFLOW CreationTime: 8/26/2016 3:49:27 PM, LastAccessTime: 8/26/2016 3:49:27 PM, LastWriteTime: 8/26/2016 3:49:32 PM, ChangeTime: 8/26/2016 3:49:33 PM, FileAttributes: N, AllocationSize: 57,344, EndOfFile: 56,624, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0xe00000021d3d3, EaSize: 0, Access: Generic Read, Position: 0, Mode: Synchronous IO Non-Alert, AlignmentRequirement: Word
3:49:41.3829444 PM bar.exe 11724 CreateFileMapping FILE LOCKED WITH ONLY READERS SyncType: SyncTypeCreateSection, PageProtection:
3:49:41.3829538 PM bar.exe 11724 QueryStandardInformationFile SUCCESS AllocationSize: 57,344, EndOfFile: 56,624, NumberOfLinks: 1, DeletePending: False, Directory: False
3:49:41.3830038 PM bar.exe 11724 CreateFileMapping SUCCESS SyncType: SyncTypeOther
3:49:41.4143299 PM bar.exe 11724 CloseFile SUCCESS
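Finally, the sharing violations are below. Interestingly, the same process opens the file for reading and does not close it before the read/write. In theory, you should be able to do that, right?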
3:49:41.8544568 PM foo.exe 11460 CreateFile SUCCESS Desired Access: Generic Read, Disposition: Open, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened
3:49:41.8545112 PM foo.exe 11460 QuerySecurityFile SUCCESS Information: 0x20
3:49:41.8545970 PM foo.exe 11460 QueryStandardInformationFile SUCCESS AllocationSize: 57,344, EndOfFile: 56,624, NumberOfLinks: 1, DeletePending: False, Directory: False
3:49:41.8546087 PM foo.exe 11460 QueryBasicInformationFile SUCCESS CreationTime: 8/26/2016 3:49:27 PM, LastAccessTime: 8/26/2016 3:49:27 PM, LastWriteTime: 8/26/2016 3:49:32 PM, ChangeTime: 8/26/2016 3:49:33 PM, FileAttributes: N
3:49:41.8546441 PM foo.exe 11460 QueryStreamInformationFile SUCCESS 0: ::$DATA
3:49:41.8546914 PM foo.exe 11460 QueryBasicInformationFile SUCCESS CreationTime: 8/26/2016 3:49:27 PM, LastAccessTime: 8/26/2016 3:49:27 PM, LastWriteTime: 8/26/2016 3:49:32 PM, ChangeTime: 8/26/2016 3:49:33 PM, FileAttributes: N
3:49:41.8547366 PM foo.exe 11460 QueryEaInformationFile SUCCESS EaSize: 0
3:49:41.8550146 PM foo.exe 11460 CreateFile SHARING VIOLATION Desired Access: Generic Read/Write, Delete, Write DAC, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 56,624
3:49:41.8552552 PM foo.exe 11460 CreateFile SHARING VIOLATION Desired Access: Generic Write, Read Data/List Directory, Read Attributes, Delete, Write DAC, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 56,624
3:49:41.8554742 PM foo.exe 11460 CreateFile SHARING VIOLATION Desired Access: Generic Write, Read Attributes, Delete, Write DAC, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: None, AllocationSize: 56,624
3:49:41.8556783 PM foo.exe 11460 CreateFile SHARING VIOLATION Desired Access: Generic Write, Read Data/List Directory, Read Attributes, Delete, Write DAC, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 56,624
3:49:41.8558759 PM foo.exe 11460 CreateFile SHARING VIOLATION Desired Access: Generic Write, Read Data/List Directory, Read Attributes, Delete, Write DAC, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 56,624
3:49:41.8560577 PM foo.exe 11460 CreateFile SHARING VIOLATION Desired Access: Generic Write, Read Attributes, Delete, Write DAC, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 56,624
3:49:41.8562656 PM foo.exe 11460 CreateFile SHARING VIOLATION Desired Access: Generic Write, Read Data/List Directory, Read Attributes, Write DAC, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 56,624
3:49:41.8564750 PM foo.exe 11460 CreateFile SHARING VIOLATION Desired Access: Generic Write, Read Data/List Directory, Read Attributes, Write DAC, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 56,624
3:49:41.8566442 PM foo.exe 11460 CreateFile SHARING VIOLATION Desired Access: Generic Write, Read Attributes, Write DAC, Disposition: OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, Write, AllocationSize: 56,624
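I can't see anywhere that the file is opened and not closed, it should delete the file to begin with, and I verified before the build started that there were no handles to the file (using the "handle" tool).
Any pointers you can provide would be helpful, thanks.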
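
Added example, not part of the original question: a small Python check that applies the Windows share-mode rule to CreateFile Detail strings copied from the trace above. It assumes, as the question describes, that the Generic Read handle foo.exe opened at 3:49:41.8544568 is still open on the same file when the later opens are attempted; the function names and the `CHECKED` table are illustrative, and only the access names that occur in this trace are mapped.

```python
import re

# Procmon access names (only those seen in this trace) that take part in the
# Windows share-mode check. Read Attributes, Write DAC, Synchronize do not.
CHECKED = {"Generic Read": {"Read"}, "Read Data/List Directory": {"Read"},
           "Generic Write": {"Write"}, "Generic Read/Write": {"Read", "Write"},
           "Delete": {"Delete"}}

def parse_open(detail):
    """Return (share-checked access, share mode) from a CreateFile Detail string."""
    rights = re.search(r"Desired Access: (.*?), Disposition:", detail).group(1)
    access = set().union(*(CHECKED.get(r, set()) for r in rights.split(", ")))
    share = re.search(r"ShareMode: (.*?), AllocationSize:", detail).group(1)
    return access, (set() if share == "None" else set(share.split(", ")))

def conflicts(held, wanted):
    """Reasons the new open is refused while `held` is open; [] means compatible."""
    (h_access, h_share), (w_access, w_share) = held, wanted
    # Rule 1: everything the new open wants must be shared by the open handle.
    out = [f"wants {a}, existing handle does not share {a}"
           for a in sorted(w_access - h_share)]
    # Rule 2: everything the open handle holds must be shared by the new open.
    out += [f"existing handle has {a}, new open does not share {a}"
            for a in sorted(h_access - w_share)]
    return out

# Detail strings copied from the trace (timestamps in the comments).
HELD = ("Desired Access: Generic Read, Disposition: Open, Options: Sequential "
        "Access, Synchronous IO Non-Alert, Non-Directory File, Attributes: n/a, "
        "ShareMode: Read, Delete, AllocationSize: n/a, OpenResult: Opened")  # 3:49:41.8544568
FIRST_FAIL = ("Desired Access: Generic Read/Write, Delete, Write DAC, Disposition: "
              "OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, "
              "Non-Directory File, Attributes: N, ShareMode: None, "
              "AllocationSize: 56,624")  # 3:49:41.8550146
LAST_FAIL = ("Desired Access: Generic Write, Read Attributes, Write DAC, Disposition: "
             "OverwriteIf, Options: Sequential Access, Synchronous IO Non-Alert, "
             "Non-Directory File, Attributes: N, ShareMode: Read, Write, "
             "AllocationSize: 56,624")  # 3:49:41.8566442
DELETE_OPEN = ("Desired Access: Read Attributes, Delete, Disposition: Open, Options: "
               "Non-Directory File, Open Reparse Point, Attributes: n/a, ShareMode: "
               "Read, Write, Delete, AllocationSize: n/a, OpenResult: Opened")  # 3:49:32.9929337

if __name__ == "__main__":
    held = parse_open(HELD)
    for name, d in [("first", FIRST_FAIL), ("last", LAST_FAIL), ("delete", DELETE_OPEN)]:
        print(name, conflicts(held, parse_open(d)) or "compatible")
```

All nine failing opens in the trace request Generic Write or Generic Read/Write, while the handle held open shares only Read and Delete.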