Note that the RefCount is 2, meaning there is a second open on this device; as it turns out, it comes from the ReadyBoost user-mode service (emdmgmt.dll, hosted in svchost.exe), which lets removable flash drives serve as an encrypted disk cache to speed up random disk reads from traditional hard disk drives. fileinfo.sys watches the following IRP major codes
Now that we know fileinfo is a SuperFetch and ReadyBoost component, it makes sense to keep the filter as low in the filter stack as possible, since only the file read offsets are relevant, not the file content.
How does the kernel let fileinfo.sys do its pre-fetching[2]? When fileinfo.sys starts, it calls PfFileInfoNotify to pass function pointers (FIPfInterfaceOpen, FIPfInterfaceClose) that the kernel caches for later use. When fileinfo.sys unloads, it calls PfFileInfoNotify again to unregister its function pointers from the kernel. The kernel uses these functions to transfer control directly to fileinfo.sys in SuperFetch-related operations (for example from PfProcessCreateNotification[3] and from PfSetSuperfetchInformation).
fileinfo's kernel interface may initiate I/O (via FltCreateFileEx2) which, after entering from the top of the file system stack, may re-enter fileinfo. fileinfo therefore checks whether the current thread is prefetching by calling PsIsCurrentThreadPrefetching[4] and skips its usual processing when the I/O belongs to pre-fetch processing rather than regular I/O.
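As an added illustration, not fileinfo.sys's own code, the registration and re-entrancy guard described above modelled in single-threaded C: the names ending in `_model`, the counters and the scenario are assumptions of this example, and a global variable stands in for the per-thread prefetch bit.

```c
#include <stddef.h>

/* Added illustration, not fileinfo.sys code: a single-threaded model of how a
 * filter's own prefetch I/O re-enters the filter and is recognised and skipped. */
typedef struct {
    void (*open)(void);   /* stands in for FIPfInterfaceOpen */
    void (*close)(void);  /* stands in for FIPfInterfaceClose */
} PfInterface;

static PfInterface g_iface;        /* what the kernel caches via PfFileInfoNotify */
static int g_thread_prefetching;   /* models the per-thread prefetching bit */
static int g_observed, g_skipped;  /* counters for the demonstration */

/* Kernel: register the filter's interface; NULL unregisters (filter unload). */
static void PfFileInfoNotify_model(const PfInterface *iface) {
    if (iface) g_iface = *iface;
    else g_iface.open = g_iface.close = NULL;
}

/* Filter's normal I/O callback: skip work if the thread is prefetching. */
static void FilterIoCallback(void) {
    if (g_thread_prefetching) { g_skipped++; return; }  /* PsIsCurrentThreadPrefetching */
    g_observed++;                                        /* record read offsets etc. */
}

/* Kernel I/O path: every I/O entering the stack passes through the filter. */
static void IoFromTopOfStack(void) { FilterIoCallback(); }

/* Filter's prefetch entry: issues I/O (FltCreateFileEx2-like) that re-enters it. */
static void FilterInterfaceOpen(void) { IoFromTopOfStack(); }
static void FilterInterfaceClose(void) { }

/* Kernel: set the thread's prefetch bit, call into the filter, clear the bit. */
static void KernelPrefetchOperation(void) {
    if (!g_iface.open) return;          /* filter unloaded: nothing to call */
    g_thread_prefetching = 1;           /* PsSetCurrentThreadPrefetching */
    g_iface.open();
    g_thread_prefetching = 0;
}

/* Scenario: 3 regular I/Os, 2 prefetch operations, then unload and one more. */
static void run_scenario(void) {
    PfInterface iface = { FilterInterfaceOpen, FilterInterfaceClose };
    g_observed = g_skipped = 0;
    PfFileInfoNotify_model(&iface);
    for (int i = 0; i < 3; i++) IoFromTopOfStack();
    for (int i = 0; i < 2; i++) KernelPrefetchOperation();
    PfFileInfoNotify_model(NULL);
    KernelPrefetchOperation();          /* must not call through a stale pointer */
}

int observed_regular_ios(void) { run_scenario(); return g_observed; }  /* 3 */
int skipped_prefetch_ios(void) { run_scenario(); return g_skipped; }   /* 2 */
```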
[1] WinFS (Windows Future Storage) is a relational-database-based file system that did not ship in Vista and will not ship in Windows 7, but was apparently still being worked on in post-Vista days.
[2] Which is what it used to be called in Windows XP.
[3] Which is a create-process callback that gets called when any app is launched.
[4] The pre-fetching bit is turned on in the thread by the kernel before calling into fileinfo. The kernel does this by a call to PsSetCurrentThreadPrefetching.