Is it possible to identify overlapped file-I/O operations? RRS feed

  • Question

  • I'm trying to track down a problem where a 3rd-party-DLL (let's call it A.dll) reports error-code 000003E5 (ERROR_IO_PENDING) in its log-file and fails loading in a specific use-case. However, according to the vendors support, A.dll does NOT use overlapped file-I/O at all. So I assume they are reporting an error-code that has been set by a file-I/O-operation in a dependent DLL which is loaded when I'm calling LoadLibraryEx for A.dll.

    Everything works fine if the application which is loading the DLL is started by the interactive user. The problem only occurs when the application is configured to run as a service (the service is running with the same user-credentials and this user - while doing these tests - has admin-rights). On the other hand, when I'm replacing A.dll by a different DLL (B.dll), loading the DLL is successful in both usage scenarios. 

    So I'm trying to track this down using ProcessMonitor. When starting the application, I can see the file-operations when A.dll and dependent DLL-files are accessed and loaded. But it seems that ProcessMonitor does not indicate whether a file is accessed by calling CreateFile with FILE_FLAG_OVERLAPPED instead of FILE_ATTRIBUTE_NORMAL.

    Does ProcessMonitor provide this information somewhere (optionally)? Does it provide information for ReadFile/WriteFile, whether this functions are called with a pointer to a (valid and unique) OVERLAPPED-structure?

    Wednesday, May 29, 2019 1:22 PM