Logging information output either to the screen and/or to a file (as specified by the user commands) is the same. Different information is logged for for I/O operations along the Irp path versus I/O operations along the Fast I/O path.
The only difference between screen and file output is that fields are tab-delimited when writing to file to make the data easier to analyze. The data written to the screen has been compacted to make it easier to read. You still want your Command Window to be extra wide.
If the memory limit is hit when logging I/O operations, a message saying that the system is out of memory will appear in the log. You can see how many I/O operations were not logged by looking at the sequence numbers of the log records once the memory pressure has been relieved.
These fields appear from left to right, across the screen.
| I | Designates that this is an I/O operation along the Irp path. |
|---|---|
| Sequence Number | The sequence number for this operation. |
| Originating Time | The time this I/O operation began. |
| Completion Time | The time this I/O operation ended. |
| Processes Id and Thread Id | The process and thread id for the thread that originated this I/O operation.These values are shown in the format processId.threadId. |
| IRP Major Code | The IRP major code for this operation. |
| IRP Minor Code | The IRP minor code for this operation, if there is one. |
| Interpretation of flags set | Four columns with either a letter or a DASH (-) to designate different flags being set.
|
| FileObject | The pointer value representing the File Object for this operation. |
| Return Status | The numeric value for the return status for this operation (look in ntstatus.h to see the description for the return value). |
| Name | If available, the name of the file. |
These fields appear from left to right, across the screen.
| F | Designates that this is an I/O operation along the IRP path. |
|---|---|
| Sequence Number | The sequence number for this operation. |
| Originating Time | The time this I/O operation began. |
| Completion Time | The time this I/O operation ended. |
| Processes Id and Thread Id | The process and thread id for the thread that originated this I/O operation. These values are shown in the format processId.threadId. |
| Fast I/O Type Code | The type of Fast I/O operation. |
| Wait | If available, "T" if this Fast I/O operation was called with the Wait parameter set to TRUE, and "F" if the wait parameter was set to FALSE. |
| Length | If available, the number of bytes in the operation. |
| File Offset | If available, the offset into the file for this operation. |
| FileObject | If available, the pointer value representing the File Object for this operation. |
| Return Status | The numeric value for the return status for this operation (look in ntstatus.h to see the description for the return value). |
| Name | If available, the name of the file. |