NtQueryInformationFile(FileBothDirectoryInformation) intermittently reports non-zero size (EndOfFile/AllocationSize) for certain subdirectories

Question

I have a simple utility that recursively scans a directory (using NtQueryInformationFile(FileBothDirectoryInformation)) and calculates various stats. It normally gets executed against various SMB shares (hosted on Win12 servers).

In particular it calculates total-bytes (using FILE_BOTH_DIR_INFORMATION::EndOfFile field).

Normally all subdirs are reported as having size 0, but if I rerun my utility within 5 seconds (since previous run) -- some subdirs are reported to have size 4096. If I count to 5 before rerunning utility -- everything is ok. This leads to unstable results and unwanted alarm.

All affected dirs seemingly have same thing in common -- each one:

either contains Thumbs.db file
or is a parent of directory containing Thumbs.db file
- ... but not always -- sometimes parent dir size is stable 0

Questions:

Why does this happen and why 5 seconds?
How to avoid this? Should I always treat subdirs as "using zero bytes"?

P.S. Same happens with FILE_BOTH_DIR_INFORMATION::AllocationSize field.

score 0 · Answer 1 · answered Jun 07 '21 at 04:40

0

I'm thinking the SMB client is doing some local caching of the directories and using the "default data stream" to store information relating to the caching and that is what you are seeing.

I'd think that you should simply ignore allocation sizes on directories.

answered Jun 07 '21 at 04:40

MJZ

1,074
6
12

What is "default data stream"? Alternate stream named "::$DATA"? – C.M. Jun 07 '21 at 18:48
Yes, it is. The allocation size field is determined by the size of the unnamed/default data stream. – MJZ Jun 08 '21 at 18:33
No, I don't think so... I ran a test: every time enumeration produces a non-zero-size subdir -- I open that subdir and enumerate it's alt streams via `NtQueryInformationFile(FileStreamInformation)`. Every time it produces zero alt streams. I even tried to open `::$DATA` file (maybe `::$DATA` stream is not returned for dirs) -- it fails complaining about trying to open a dir as a file (i.e. it looks like `::$DATA` suffix is simply discarded somewhere. – C.M. Jul 07 '21 at 23:09

NtQueryInformationFile(FileBothDirectoryInformation) intermittently reports non-zero size (EndOfFile/AllocationSize) for certain subdirectories

1 Answers1