7

I'm currently using FindFirstFile, FindNextFile API to recursively iterate through directories for searching files based on a given criteria. I noticed that "dir /s" command gives better performance than my program. I tried checking out the events in Process Monitor and it looks like cmd.exe/dir command is directly querying the disk device driver. Is there any way I can achieve something similar with DeviceIOControl()? I'm very new to device drivers though not new to programming. Attaching procmon output for reference:

Regards,

ivymike
  • There is some caching going on in DIR /S – Robert Harvey Aug 30 '10 at 19:19
  • It's probably true (were you able to deduce it based on the screenshot attached?) because I searched for the same "*.mp3" a couple of times. But it was fast even the first time. Also just to be sure I tried several random searches of files I haven't accessed for a while. It seems to be fast regardless. – ivymike Aug 30 '10 at 19:28
  • Also, is there any hidden API called QueryDirectory() that is not exposed through standard libraries? I know ReadFile() is standard but wasn't able to find QueryDirectory() anywhere. – ivymike Aug 30 '10 at 19:31

5 Answers

3

Use FindFirstFile and FindNextFile. That's the API, using DeviceIOControl directly is either a mess or not possible (don't know exactly).

Have you tried FindFirstFileEx and its FIND_FIRST_EX_LARGE_FETCH flag and FindExInfoBasic info level?

Michael
2

You can call ZwQueryDirectoryFile directly. Going further down to the driver level would require sending a bunch of IRPs and would probably be an overkill.

Eugene Mayevski 'Callback
  • 1
    It's NtQueryDirectoryFile in User-Mode, and you really shouldn't use these low-level-nt-api functions ... – Christopher Aug 30 '10 at 20:18
  • :)) That's the same (under different names). From MSDN: NtQueryDirectoryFile and ZwQueryDirectoryFile are two versions of the same Windows Native System Services routine. For more information about this routine, see ZwQueryDirectoryFile. So it makes sense to start reading docs from the link I provided. One click less, you know ... – Eugene Mayevski 'Callback Aug 30 '10 at 20:39
  • Mayevski 'EldoS: Is it possible to call Kernel mode API from user mode programs? I mean aren't the ones starting with Zwxxx supposed to be used only by drivers? (I'm very new to driver programming). – ivymike Aug 30 '10 at 20:57
  • As Christopher correctly mentioned, you would need to use another name of the same function, namely NtQueryDirectoryFile. But this is the same function. – Eugene Mayevski 'Callback Aug 30 '10 at 21:10
2

"dir /s" is using FindFirst/Next. It doesn't do any special magic to enumerate the files.

QueryDirectory appears to be how Procmon exposes what FindFirst/Next does to get its data from the file system.

jrtipton
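The answers above point at NtQueryDirectoryFile, which Procmon reports as QueryDirectory: one call fills a caller-supplied buffer with as many variable-length records as fit, so fewer calls are needed when the buffer is large. The following is an added example, not code from any of the answers, that walks such a buffer with bounds checks. It assumes the FileDirectoryInformation class with the FILE_DIRECTORY_INFORMATION layout documented in the WDK; the sample buffer is constructed in the program rather than captured, and `count_entries` and `put_entry` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Byte offsets in FILE_DIRECTORY_INFORMATION (class FileDirectoryInformation). */
#define OFF_NEXT    0u   /* ULONG NextEntryOffset, 0 marks the last record */
#define OFF_ATTRS   56u  /* ULONG FileAttributes */
#define OFF_NAMELEN 60u  /* ULONG FileNameLength, in bytes */
#define OFF_NAME    64u  /* WCHAR FileName[], UTF-16LE, not NUL-terminated */
#define ATTR_DIRECTORY 0x10u /* FILE_ATTRIBUTE_DIRECTORY */
/* Little-endian 32-bit read/write that does not depend on alignment. */
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Count records in one buffer (*dirs = directories); -1 if a field points outside it. */
int count_entries(const uint8_t *buf, size_t len, int *dirs) {
    size_t off = 0;
    int n = 0;
    *dirs = 0;
    for (;;) {
        size_t room = len - off;   /* off <= len holds on every pass */
        if (room < OFF_NAME) return -1;
        uint32_t next = rd32(buf + off + OFF_NEXT), nlen = rd32(buf + off + OFF_NAMELEN);
        if (nlen % 2 || nlen > room - OFF_NAME) return -1;
        if (rd32(buf + off + OFF_ATTRS) & ATTR_DIRECTORY) (*dirs)++;
        n++;
        if (next == 0) return n;
        if (next % 8 || next < OFF_NAME + (size_t)nlen || next > room) return -1;
        off += next;
    }
}

/* Constructed sample data: append one record, return the next write offset. */
size_t put_entry(uint8_t *buf, size_t off, const char *name, uint32_t attrs, int last) {
    size_t nlen = strlen(name) * 2, size = (OFF_NAME + nlen + 7) & ~(size_t)7;
    memset(buf + off, 0, size);
    wr32(buf + off + OFF_NEXT, last ? 0 : (uint32_t)size);
    wr32(buf + off + OFF_ATTRS, attrs);
    wr32(buf + off + OFF_NAMELEN, (uint32_t)nlen);
    for (size_t i = 0; i < nlen / 2; i++) buf[off + OFF_NAME + 2 * i] = (uint8_t)name[i];
    return off + size;
}

int main(void) {
    uint8_t buf[512];
    int dirs;
    size_t len = put_entry(buf, 0, "Music", ATTR_DIRECTORY, 0);
    len = put_entry(buf, len, "a.mp3", 0x20, 0);
    len = put_entry(buf, len, "b.mp3", 0x20, 1);
    int n = count_entries(buf, len, &dirs);
    printf("%d entries, %d directories\n", n, dirs);
}
```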
1

http://ntfs-search.sourceforge.net/

It works well. And faster.
It opens a volume, and parses directly.

But it only works on NTFS.

Benjamin
0

Profile your app, your bottleneck is likely to be elsewhere. Some of these options are like taking out a shotgun to shoot a fly...

-scott

snoone