Physical Device 512B reads and writes
I have seen them before, but I thought that I'd take another quick look to help confirm Ao1's 512B sightings.
Earlier today I used the hIOmon "Physical Device Extended Metrics" support to help further determine, moreover, which specific files were incurring the "512 byte" data transfer lengths down at the physical device level within the OS I/O stack.
Both a Windows XP 32-bit and a Windows 7 64-bit system were used for this quick look. No specific applications were run on the XP system (just observed I/O operation activity for about 10 minutes or so). Same with the Win 7 system (that is, no particular applications run; simply observed I/O operation activity during the system services startup and the subsequent period in which the system was basically idle with no applications explicitly run).
For Windows XP, the following physical device (DR0) I/O operations were observed for these particular files:
- C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb .log - 6 writes (all 512B); minimum read data transfer length was 32KiB
- C:\WINDOWS\system32\config\software.LOG - 512B, 16896B, 4096B, 4096B, and 4096B to successive LBAs were written
- C:\Documents and Settings\UserMe\ntuser.dat.LOG - this included 512B writes
- C:\$Mft - 512B writes on some occasions; please note that this is a file-system metadata file
And for Windows 7, the following physical device (DR0) I/O operations were observed for these particular files:
- C:\WINDOWS\system32\config\SOFTWARE - 512B written at various times
- C:\Users\UserMe\NTUSER.DAT - similar to that noted above for XP; please note that I could simply open a DOS command prompt window so as to generate 512B writes to the physical device associated with this file
- C:\WINDOWS\serviceProfiles\LocalService\AppData\Lo cal\lastalive0.dat - single 512B writes
- C:\WINDOWS\serviceProfiles\LocalService\AppData\Lo cal\lastalive1.dat - same as immediately above
(Please note that the file size for both of the "lastalivex.dat" files is 2048B; a single 512B write occurred alternately for each file every 60 seconds repeatedly)
- 512B reads for various other files during the system services startup.
Overall, it should be noted that relatively few 512 byte data transfer lengths occurred (whether read or write) when considered within the context of the total of all the I/O operations performed to the physical device. But, as always, YMMV. :)
Also, the list of files mentioned above is not meant to be complete/exhaustive - rather it's simply the result of a quick look using hIOmon.