Note that the RefCount is set to 2, which means that there is a second open on this device. As it turns out, it is from the ReadyBoost user-mode service (emdmgmt.dll hosted in svchost.exe), which enables using removable flash drives as an encrypted disk cache to speed up random disk reads from traditional hard disk drives. fileinfo.sys watches the following IRP major codes:

  • IRP_MJ_CREATE
  • IRP_MJ_CLEANUP
  • IRP_MJ_CLOSE
  • IRP_MJ_READ
  • IRP_MJ_WRITE
  • IRP_MJ_SET_INFORMATION
  • IRP_MJ_FILE_SYSTEM_CONTROL
  • IRP_MJ_FLUSH_BUFFERS
  • IRP_MJ_DIRECTORY_CONTROL
  • IRP_MJ_QUERY_INFORMATION

Now that we know fileinfo is a SuperFetch and ReadyBoost component, it makes sense to keep the filter as low as possible, since the file read offsets are what is relevant, not the file content.

How does the kernel let fileinfo.sys do its pre-fetching [2]? When fileinfo.sys starts, it calls PfFileInfoNotify to pass function pointers (FIPfInterfaceOpen, FIPfInterfaceClose) that get cached in the kernel for later use. When fileinfo.sys unloads, it calls PfFileInfoNotify again to unregister its function pointers from the kernel. The kernel uses these functions to transfer control directly to fileinfo.sys in SuperFetch-related operations (for example, from PfProcessCreateNotification [3] and from PfSetSuperfetchInformation).

fileinfo's kernel interface may initiate I/O (via FltCreateFileEx2), which, after entering from the top of the file system stack, may re-enter fileinfo. fileinfo therefore checks whether the thread is pre-fetching by calling PsIsCurrentThreadPrefetching [4], and skips its usual processing if the I/O is related to pre-fetch processing rather than regular I/O.
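
An added example, not code from the original post or from Windows: a user-mode C model of the flow described above, in which the kernel caches the driver's interface pointer, sets the thread's pre-fetching bit, and the I/O the interface initiates re-enters the filter. All `model_*` names, the sample path, and clearing the bit on return are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* User-mode model only: every model_* name is a hypothetical stand-in. */
typedef void (*model_iface_fn)(const char *path);

static _Thread_local bool model_prefetch_bit; /* per-thread pre-fetching bit */
static model_iface_fn model_cached_open;      /* pointer cached by the "kernel" */
static bool model_guard = true;               /* does the filter perform the check? */
static int model_tracked;                     /* reads recorded as regular I/O */

/* Filter callback: every read entering the top of the stack lands here. */
static void model_filter_read(const char *path, long offset) {
    if (model_guard && model_prefetch_bit)
        return;                               /* pre-fetch I/O: skip usual processing */
    model_tracked++;
    printf("tracked read %s @%ld\n", path, offset);
}

/* Stand-in for the driver's interface routine: it initiates I/O itself. */
static void model_iface_open(const char *path) {
    model_filter_read(path, 0);               /* re-enters the filter from the top */
}

/* Stand-in for register/unregister (NULL unregisters on unload). */
static void model_notify(model_iface_fn fn) { model_cached_open = fn; }

/* Stand-in for the kernel's process-create path. */
static bool model_kernel_prefetch(const char *path) {
    if (model_cached_open == NULL)
        return false;                         /* driver not loaded: nothing to call */
    model_prefetch_bit = true;                /* bit set before calling the driver */
    model_cached_open(path);
    model_prefetch_bit = false;               /* assumption: cleared on return */
    return true;
}

/* One pre-fetch pass plus one application read; returns reads tracked. */
int model_run(bool guard) {
    model_guard = guard;
    model_tracked = 0;
    model_notify(model_iface_open);
    model_kernel_prefetch("app.exe");         /* constructed sample path */
    model_filter_read("app.exe", 4096);       /* regular application read */
    model_notify(NULL);
    return model_tracked;
}

int main(void) {
    printf("guard on: %d, guard off: %d\n", model_run(true), model_run(false));
    return 0;
}
```

With the check in place only the application's read is tracked; without it, the filter also records the read that its own pre-fetch interface issued.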

[1] WinFS, which stands for Windows Future Storage, is a relational-database-based file system that did not ship in Vista and will not ship in Windows 7, but was apparently still being worked on in post-Vista days.

[2] which is what it used to be called in Windows XP

[3] which is a create-process callback that gets called when any app is launched

[4] The pre-fetching bit is turned on in the thread by the kernel before calling into fileinfo. The kernel does this by a call to PsSetCurrentThreadPrefetching.


One Response to what is fileinfo.sys ?

  1. Alex Ionescu says:

    FYI, the Memory Management chapter in Windows Internals 5th Edition further describes the behavior, interface and functionality of the driver.

    — Alex
