第一部分:
LfsUpdateLfcbFromRestart( ThisLfcb,
FileSize,
DiskRestartArea,
FirstRestar
1: kd> p
Ntfs!LfsRestartLogFile+0x317:
f71fc8dd e820e5ffff call Ntfs!LfsUpdateLfcbFromRestart (f71fae02)
1: kd> t
Ntfs!LfsUpdateLfcbFromRestart:
f71fae02 55 push ebp
1: kd> kc
#
00 Ntfs!LfsUpdateLfcbFromRestart
01 Ntfs!LfsRestartLogFile
02 Ntfs!LfsOpenLogFile
03 Ntfs!NtfsStartLogFile
04 Ntfs!NtfsMountVolume
05 Ntfs!NtfsCommonFileSystemControl
06 Ntfs!NtfsFspDispatch
07 nt!ExpWorkerThread
08 nt!PspSystemThreadStartup
09 nt!KiThreadStartup
1: kd> dv
Lfcb = 0xe1364008
FileSize = 0n67108864
RestartArea = 0xc1140030
RestartOffset = 0x30
LsnFileOffset = 0n67108864
Wrapped = 0x00 ''
LsnFinalOffset = 0n38505786882
第二部分:
Lfcb->SeqNumber = LfsLsnToSeqNumber( Lfcb, Lfcb->LastFlushedLsn );
//
//  LfsLsnToSeqNumber extracts the sequence number from an LSN: the 64-bit
//  QuadPart is treated as unsigned and shifted right (zero fill) by the
//  number of file data bits recorded in the LFCB, leaving only the high
//  sequence-number bits.
//
//  NOTE(review): Int64ShrlMod32 is documented for shift counts in the range
//  0-31.  FileDataBits is computed elsewhere on this page as
//  (sizeof( LSN ) * 8) - SeqNumberBits, and SeqNumberBits is copied from the
//  restart area (the caller passes it as DiskRestartArea, so presumably it
//  was read from the volume's log file).  The range check that keeps the
//  shift count valid is not visible here; confirm it happens before this
//  macro is used on values from an untrusted volume.
//
#define LfsLsnToSeqNumber(LFCB,LSN) \
/*xxShr*/Int64ShrlMod32( ((ULONGLONG)(LSN).QuadPart), (LFCB)->FileDataBits )
逻辑右移:各二进制位向右移动,左边空出的高位补0。Windows 中对应的函数为 Int64ShrlMod32,其移位位数应在 0–31 之间(本例中 FileDataBits = 0x18,在范围内)。
1: kd> dt _LFS_RESTART_AREA 0xc1140030
Ntfs!_LFS_RESTART_AREA
+0x000 CurrentLsn : _LARGE_INTEGER 0x8117464
+0x008 LogClients : 1
+0x00a ClientFreeList : 0xffff
+0x00c ClientInUseList : 0
+0x00e Flags : 0
+0x010 SeqNumberBits : 0x28
+0x014 RestartAreaLength : 0xe0
+0x016 ClientArrayOffset : 0x40
+0x018 FileSize : 0n67108864
+0x020 LastLsnDataLength : 0x68
+0x024 RecordHeaderLength : 0x30
+0x026 LogPageDataOffset : 0x40
+0x028 RestartOpenLogCount : 0x85e1225b
+0x02c LastFailedFlushStatus : 0
+0x030 LastFailedFlushOffset : 0n0
+0x038 LastFailedFlushLsn : _LARGE_INTEGER 0x0
+0x040 LogClientArray : [1] _LFS_CLIENT_RECORD
第三部分:
Lfcb->SeqNumberBits = RestartArea->SeqNumberBits;
Lfcb->FileDataBits = (sizeof( LSN ) * 8) - Lfcb->SeqNumberBits;
+0x010 SeqNumberBits : 0x28
1: kd> dt _LARGE_INTEGER -v
hal!_LARGE_INTEGER
union _LARGE_INTEGER, 4 elements, 0x8 bytes
+0x000 LowPart : Uint4B
+0x004 HighPart : Int4B
+0x000 u : struct __unnamed, 2 elements, 0x8 bytes
+0x000 QuadPart : Int8B
FileDataBits = sizeof( LSN ) * 8 - SeqNumberBits = 0x40 - 0x28 = 0x18
第四部分:
} else {
Lfcb->FileSize = min( FileSize, RestartArea->FileSize );
}
[+0x018] FileSize : 67108864 [Type: __int64]
第五部分:
//
// We get the sequence number bits from the restart area and compute the
// file data bits.
//
Lfcb->SeqNumberBits = RestartArea->SeqNumberBits;
Lfcb->FileDataBits = (sizeof( LSN ) * 8) - Lfcb->SeqNumberBits;
[+0x080] SeqNumberBits : 0x28 [Type: unsigned long]
[+0x084] FileDataBits : 0x18 [Type: unsigned long]
Lfcb->SeqNumber = LfsLsnToSeqNumber( Lfcb, Lfcb->LastFlushedLsn ); =0x8
[+0x0c8] LastFlushedLsn : {135361636} [Type: _LARGE_INTEGER]
1: kd> ?0n135361636
Evaluate expression: 135361636 = 08117464
//
//  LfsLsnToSeqNumber: logical right shift of the unsigned 64-bit LSN by
//  (LFCB)->FileDataBits, which leaves the sequence number.
//
//  Worked value from this trace: LastFlushedLsn = 0x08117464 and
//  FileDataBits = 0x18, so the result is 0x08117464 >> 0x18 = 0x8, matching
//  the SeqNumber field dumped below.
//
//  NOTE(review): the shift count is taken from the LFCB without any check
//  inside the macro; Int64ShrlMod32 is documented for counts 0-31 only, so
//  the caller is presumably expected to have validated SeqNumberBits -
//  confirm.
//
#define LfsLsnToSeqNumber(LFCB,LSN) \
/*xxShr*/Int64ShrlMod32( ((ULONGLONG)(LSN).QuadPart), (LFCB)->FileDataBits )
逻辑右移:各二进制位向右移动,左边空出的高位补0。Windows 中对应的函数为 Int64ShrlMod32。本例:0x8117464 >> 0x18 = 0x8。
Lfcb->SeqNumber = LfsLsnToSeqNumber( Lfcb, Lfcb->LastFlushedLsn );
Lfcb->SeqNumberForWrap = Lfcb->SeqNumber + 1;
[+0x070] SeqNumber : 8 [Type: __int64]
[+0x078] SeqNumberForWrap : 9 [Type: __int64]
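第六部分:
(注意:下面 dv 显示的 Lfcb = 0x00000018、FileSize = 0n135361636 不是真实的参数值,它们正好等于前面得到的 FileDataBits 和 LastFlushedLsn,很可能是优化后的代码复用了这些参数所在的栈位置或寄存器;真实的 Lfcb 仍是 0xe1364008。第九部分的 dv 输出同理,查看结构体时应以 dt/dx 加明确地址为准。)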
1: kd> dv
Lfcb = 0x00000018
FileSize = 0n135361636
RestartArea = 0xc1140030
RestartOffset = 0x30
//
// Compute the restart page values from the restart offset.
//
Lfcb->RestartDataOffset = RestartOffset;
Lfcb->RestartDataSize = (ULONG)Lfcb->LogPageSize - RestartOffset;
[+0x04c] RestartDataOffset : 0x30 [Type: unsigned long]
[+0x050] LogPageDataOffset : 0 [Type: __int64]
[+0x058] RestartDataSize : 0xfd0 [Type: unsigned long]
if (FlagOn( Lfcb->Flags, LFCB_PACK_LOG )) {
Lfcb->RecordHeaderLength = RestartArea->RecordHeaderLength;
Lfcb->ClientArrayOffset = RestartArea->ClientArrayOffset;
Lfcb->RestartAreaSize = RestartArea->RestartAreaLength;
(ULONG)Lfcb->LogPageDataOffset = RestartArea->LogPageDataOffset;
Lfcb->LogPageDataSize = Lfcb->LogPageSize - Lfcb->LogPageDataOffset;
[+0x024] RecordHeaderLength : 0x30 [Type: unsigned short]
[+0x016] ClientArrayOffset : 0x40 [Type: unsigned short]
[+0x014] RestartAreaLength : 0xe0 [Type: unsigned short]
[+0x026] LogPageDataOffset : 0x40 [Type: unsigned short]
第七部分:
LfsAllocateLbcb( Lfcb, &Lfcb->PrevTail );
Lfcb->PrevTail->FileOffset = Lfcb->FirstLogPage - Lfcb->LogPageSize;
LfsAllocateLbcb( Lfcb, &Lfcb->ActiveTail );
Lfcb->ActiveTail->FileOffset = Lfcb->PrevTail->FileOffset - Lfcb->LogPageSize;
1: kd> dt _LFCB 0xe1364008
Ntfs!_LFCB
+0x000 NodeTypeCode : 0n2051
+0x002 NodeByteSize : 0n352
+0x004 LfcbLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x00c LchLinks : _LIST_ENTRY [ 0xe1364014 - 0xe1364014 ]
+0x014 FileObject : 0x89811f90 _FILE_OBJECT
+0x018 FileSize : 0n67108864
+0x020 LogPageSize : 0n4096
+0x028 LogPageMask : 0xfff
+0x02c LogPageInverseMask : 0n-4096
+0x030 LogPageShift : 0xc
+0x038 FirstLogPage : 0n16384
1: kd> ?0n16384
Evaluate expression: 16384 = 00004000
+0x098 ActiveTail : 0xe13417e8 _LBCB
+0x09c PrevTail : 0xe1278640 _LBCB
1: kd> dx -id 0,0,899a2278 -r1 ((Ntfs!_LBCB *)0xe1278640)
((Ntfs!_LBCB *)0xe1278640) : 0xe1278640 [Type: _LBCB *]
[+0x000] NodeTypeCode : 2050 [Type: short]
[+0x002] NodeByteSize : 96 [Type: short]
[+0x004] WorkqueLinks [Type: _LIST_ENTRY]
[+0x00c] ActiveLinks [Type: _LIST_ENTRY]
[+0x018] FileOffset : 12288 [Type: __int64] 0x3000
[+0x020] Length : 0 [Type: __int64]
[+0x028] SeqNumber : 0 [Type: __int64]
[+0x030] BufferOffset : 0 [Type: __int64]
[+0x038] PageHeader : 0x0 [Type: void *]
[+0x03c] LogPageBcb : 0x0 [Type: void *]
[+0x040] LastLsn : {0} [Type: _LARGE_INTEGER]
[+0x048] LastEndLsn : {0} [Type: _LARGE_INTEGER]
[+0x050] Flags : 0x0 [Type: unsigned long]
[+0x054] LbcbFlags : 0x0 [Type: unsigned long]
[+0x058] ResourceThread : 0x0 [Type: unsigned long]
1: kd> dx -id 0,0,899a2278 -r1 ((Ntfs!_LBCB *)0xe13417e8)
((Ntfs!_LBCB *)0xe13417e8) : 0xe13417e8 [Type: _LBCB *]
[+0x000] NodeTypeCode : 2050 [Type: short]
[+0x002] NodeByteSize : 96 [Type: short]
[+0x004] WorkqueLinks [Type: _LIST_ENTRY]
[+0x00c] ActiveLinks [Type: _LIST_ENTRY]
[+0x018] FileOffset : 8192 [Type: __int64] 0x2000
[+0x020] Length : 0 [Type: __int64]
[+0x028] SeqNumber : 0 [Type: __int64]
[+0x030] BufferOffset : 0 [Type: __int64]
[+0x038] PageHeader : 0x0 [Type: void *]
[+0x03c] LogPageBcb : 0x0 [Type: void *]
[+0x040] LastLsn : {0} [Type: _LARGE_INTEGER]
[+0x048] LastEndLsn : {0} [Type: _LARGE_INTEGER]
[+0x050] Flags : 0x0 [Type: unsigned long]
[+0x054] LbcbFlags : 0x0 [Type: unsigned long]
[+0x058] ResourceThread : 0x0 [Type: unsigned long]
第八部分:
(ULONG)Lfcb->ReservedLogPageSize = (ULONG)Lfcb->LogPageDataSize - Lfcb->RecordHeaderLength;
+0x060 LogPageDataSize : 0n4032
1: kd> ?0n4032
Evaluate expression: 4032 = 00000fc0
[+0x100] ReservedLogPageSize : 3984 [Type: __int64] 00000f90
//
//  LfsLsnToFileOffset converts an LSN into a byte offset in the log file.
//  The left shift by SeqNumberBits pushes the sequence-number bits out of
//  the top of the 64-bit value; the unsigned right shift by
//  (SeqNumberBits - 3) then brings the remaining file data bits back down,
//  leaving them multiplied by 8.
//
//  Worked value from this trace: LSN = 0x08117464, SeqNumberBits = 0x28,
//  so the low 0x18 bits are 0x117464 and the result is
//  0x117464 * 8 = 0x008ba320 (the value seen in eax after the shift call).
//
//  NOTE(review): both shift counts come straight from (LFCB)->SeqNumberBits.
//  A value below 3 or of 64 and above would give an out-of-range shift
//  count, and the left shift is applied to the signed QuadPart before the
//  ULONGLONG cast.  The macro itself performs no range check, so it relies
//  on SeqNumberBits having been validated when the restart area was
//  accepted - that validation is not visible on this page; confirm.
//
#define LfsLsnToFileOffset(LFCB,LSN) \
/*xxShr*/( ((ULONGLONG)/*xxShl*/( (LSN).QuadPart << (LFCB)->SeqNumberBits )) >> ((LFCB)->SeqNumberBits - 3) )
第九部分:
LsnFileOffset = LfsLsnToFileOffset( Lfcb, Lfcb->LastFlushedLsn );
[+0x0c8] LastFlushedLsn : {135361636} [Type: _LARGE_INTEGER]
1: kd> ?0n135361636
Evaluate expression: 135361636 = 08117464
[+0x080] SeqNumberBits : 0x28 [Type: unsigned long]
[+0x084] FileDataBits : 0x18 [Type: unsigned long]
0x8117464
1000 0001 0001 0111 0100 0110 0100
1000 0001 0001 0111 0100 0110 0100 000
100 0 000 1 000 1 011 1 010 0 011 0 010 0 000
1: kd> ?0x117464*8
Evaluate expression: 9151264 = 008ba320
1: kd> p
Ntfs!LfsUpdateLfcbFromRestart+0x1f9:
f71faffb e8c0b8f4ff call Ntfs!aullshr (f71468c0)
1: kd> p
Ntfs!LfsUpdateLfcbFromRestart+0x1fe:
f71fb000 8b4e38 mov ecx,dword ptr [esi+38h]
1: kd> r
eax=008ba320
1: kd> dv
Lfcb = 0x00000018
FileSize = 0n9151264
RestartArea = 0xc1140030
RestartOffset = 0x30
LsnFileOffset = 0n9151264
Wrapped = 0x00 ''
LsnFinalOffset = 0n38654705673
1: kd> ?0n9151264
Evaluate expression: 9151264 = 008ba320
第十部分:
} else {
LONGLONG LsnFinalOffset;
BOOLEAN Wrapped;
ULONG DataLength;
ULONG RemainingPageBytes;
DataLength = RestartArea->LastLsnDataLength;
//
// Find the end of this log record.
//
LfsLsnFinalOffset( Lfcb,
Lfcb->LastFlushedLsn,
DataLength,
&LsnFinalOffset );
[+0x020] LastLsnDataLength : 0x68 [Type: unsigned long]
1: kd> p
Ntfs!LfsUpdateLfcbFromRestart+0x23b:
f71fb03d e8183a0000 call Ntfs!LfsLsnFinalOffset (f71fea5a)
1: kd> t
Ntfs!LfsLsnFinalOffset:
f71fea5a 55 push ebp
1: kd> kc
#
00 Ntfs!LfsLsnFinalOffset
01 Ntfs!LfsUpdateLfcbFromRestart
02 Ntfs!LfsRestartLogFile
03 Ntfs!LfsOpenLogFile
04 Ntfs!NtfsStartLogFile
05 Ntfs!NtfsMountVolume
06 Ntfs!NtfsCommonFileSystemControl
07 Ntfs!NtfsFspDispatch
08 nt!ExpWorkerThread
09 nt!PspSystemThreadStartup
0a nt!KiThreadStartup
1: kd> dv
Lfcb = 0xe1364008
Lsn = {135361636}
DataLength = 0x68
FinalOffset = 0xf78d2934
RemainingPageBytes = 0xf78d2934
Wrapped = 0xe1 ''