| Technical |
Each KLOG block represents a page in the Kernel Update Log, When changes are made to the database, the VMDB and KLOG structures record what is happening. New VBLKs being added, and old VBLKs being removed are given a Transaction ID which is stored in the Log.
Each KLOG block is 512 bytes long, a sector can contain more than one KLOG block (e.g. 4Kn).
| Offset | Size | Description |
|---|---|---|
| 0x00 | 4 | KLOGMagic Number |
| 0x04 | 8 | Unknown Transaction ID (a) |
| 0x0C | 4 | Sequence Number (b) |
| 0x10 | 4 | Number of Pages (i.e. KLOG Blocks) |
| 0x14 | 4 | Page Index |
| 0x18 | 24 | LOG Entry 0 (c) |
| 0x30 | 24 | LOG Entry 1 |
| 0x48 | 24 | LOG Entry 2 |
| 0x60 | 24 | ... |
| 0x00 | 1 | Status (See below) |
| 0x01 | 8 | Committed Transaction ID |
| 0x09 | 8 | Pending Transaction ID |
| 0x11 | 4 | Recovery Sequence Number |
| 0x15 | 3 | Zeros (padding to 4-byte boundary) |
| Value | Description |
|---|---|
| 0x00 | Entry does not exist |
| 0x01 | detach |
| 0x02 | dirty |
| 0x03 | commit |
| 0x04 | logdetach |
| 0x05 | APP_DIRTY |
(a) Updates occasionally, gets the value of the latest PendingTransactionID, all the KLOG blocks have the same value here.
(b) The sequence number is log-wide (not per page), however, when updating multiple pages at once, they can share the same sequence number.
(c) The first page stores the latest commit LOG entry at the top of the page, old entries are appended to the end.
(d) To get the page entries, simply read all entries until an entry with a status of 0x00 is found