This WEB page comes from the busTRACE 8.0 User's Manual. (Table of Contents)
If you have enabled Extended IRP Capture, busTRACE will capture and decode for you important information about the I/O Request Packet (IRP) in the Extended IRP Capture tab. busTRACE takes a snapshot of key data structures as they go down the I/O stack and back up the I/O stack (the I/O stack concept was discussed in the Raw Data section).
In the screenshot above, you can see the IRP stack contents for our captured IRP as the IRP goes back up the I/O stack. We can see that the IRP first went through ntfs.sys, then volmgr.sys, then partmgr.sys, then disk.sys, then our busTRACE capture driver bustrce8.sys, and lastly to the Intel iastor.sys port driver.
At the top of the window, a toolbar is available with various options.
Windows uses IRPs (I/O Request Packets) to initiate an I/O request. The Windows I/O manager gives each driver in a chain of layered drivers an I/O stack location for every IRP that it sets up. Each I/O stack location consists of an IO_STACK_LOCATION structure. Please refer to the Windows Driver Kit (WDK) for details on this structure.
With Extended IRP Capture enabled, busTRACE takes a snapshot of the I/O stack values as the IRP goes down the I/O stack as well as when it goes back up the I/O stack. To help you understand the values we show, we'll walk through a sample disk I/O capture. The IRP that we have captured has setup four I/O stack locations (for the four drivers that make up the chain of layered drivers). Not all of these drivers may use their stack location. They may not be interested in the IRP, not use their stack location, and simply pass the IRP on down the I/O stack. In this sample screenshot below, we have captured an IOCTL going to a RAID hard drive that is attached to our system:
In looking at the screenshot above, we notice that busTRACE has captured and is showing four I/O stack locations. Only two of the locations are currently in use. The I/O stack is displayed in the order it is stored in memory. This is important as the top of the I/O stack is actually at the bottom of our display. If you prefer to display the topmost I/O stack location at the top of our display, you can click on the Flip I/O Stack toolbar button.
The first stack location is displayed as "Stack Location #4 of 4 (\Driver\disk)". This tells us that the topmost stack location is in use by a \Driver\disk device object. We provide four pieces of information for each cached I/O stack location:
In the above sample, the IRP was traveling down the I/O stack and no completion routines were set yet. Now let's look at the same I/O stack as the IRP is going back up the I/O stack:
Now we see that three of the available four I/O stack locations were used. Stack Location #2 of 4 is a \Driver\HpCISSs2 device object created by the hpcisss2.sys miniport driver. Also note the CompletionRoutine of bustrce8.sys. That is our busTRACE kernel driver. This shows us that when the HpCISSs2 miniport driver completes the IRP, our bustrce8.sys kernel driver will be notified of the completion.
There are times where busTRACE has captured the I/O stack but you want to learn more about the device driver that created the device object, or is handling the completion callback routine. We can expand out the hpcisss2.sys DeviceObject (as one example) to learn more about the driver the created the device object:
Now we can clearly see that this driver was created by Hewlett-Packard and is their Smart Array SAS/SATA Controller Storport Driver. The version is 126.96.36.199 Build 1. Attached to our system, is an HP Smart Array P400 RAID Controller.
By looking at the I/O stack, we can see which drivers have inserted themselves into the chain of layered drivers that processed the IRP.