I like knowing what does what on a system at the binary level. Windows gets bigger with every release, so it is becoming increasingly difficult to keep track of everything Microsoft builds into it. I have learnt a lot over the years by asking a simple question: what does this dll/exe/sys actually implement on the system? The answer to such a question invariably leads to discovering features you never knew were there in the first place. Knowing how the various pieces of Windows fit together not only forms a basis for product designs but also helps one understand system state when analyzing a dump or a hang, or when troubleshooting a performance issue. This post is about fileinfo.sys, a driver that is new from Vista onwards (it also ships in Server 2008 and Windows 7).
Some of you folks, especially file system filter developers, may have noticed this driver loaded in memory or seen it lying in %SystemRoot%\System32\Drivers. Some of you may have encountered I/O from this driver in your filter. It is a Microsoft-supplied mini-filter driver that is enabled and loaded by default on Vista. Here is how it looks when I run the fltmc command on my Vista machine.
FileInfo has an altitude of 45000, which puts it in the middle of the FSFilter Bottom group (altitude range 40000-49999). Other than the WinFS filter altitude allocation at 41000 and the filters in the FSFilter System group (which is empty), this is practically the lowest of all registered and shipping mini-filters. Therefore fileinfo.sys will most likely see almost all I/O initiated by third-party and Microsoft filters, in addition to regular file I/O.
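To make the altitude argument concrete, here is a small added example (mine, not code from the original post) that parses the table printed by `fltmc filters`, maps each altitude to its load-order group, and lists the filters that see a request before FileInfo does. The `fltmc` output below is constructed; the filter names other than FileInfo are made up for illustration. The FSFilter Bottom range is the one the post gives; the other ranges are reproduced from Microsoft's published load-order-group list and should be checked against the current version of that document.

```python
"""Order minifilters by altitude from `fltmc filters` output (added example)."""
from typing import Dict, List

# Load-order groups and their altitude ranges. FSFilter Bottom is taken from
# the post; the remaining entries are from Microsoft's published altitude list
# (partial table, verify against the current document before relying on it).
LOAD_ORDER_GROUPS = [
    ("FSFilter Top", 400000, 409999),
    ("FSFilter Activity Monitor", 360000, 389999),
    ("FSFilter Anti-Virus", 320000, 329999),
    ("FSFilter Open File", 100000, 109999),
    ("FSFilter Security Enhancer", 80000, 89999),
    ("FSFilter Copy Protection", 60000, 69999),
    ("FSFilter Bottom", 40000, 49999),
    ("FSFilter System", 20000, 29999),
]

# Constructed sample in the layout `fltmc filters` prints. Rows are deliberately
# not in altitude order; only the FileInfo row reflects a real filter.
SAMPLE_FLTMC = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
ExampleAV                               2       325000         0
FileInfo                                3       45000          0
ExampleMisc                             1       135000         0
ExampleMon                              1       385100         0
"""


def parse_fltmc(text: str) -> List[Dict[str, object]]:
    """Parse the `fltmc filters` table into records (name, instances, altitude, frame)."""
    rows: List[Dict[str, object]] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True          # the dashed separator marks the start of data rows
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        if len(parts) < 4:
            continue                 # not a data row
        # Parse from the right so a filter name containing spaces still works.
        instances, altitude, frame = parts[-3], parts[-2], parts[-1]
        name = " ".join(parts[:-3])
        rows.append({
            "name": name,
            "instances": int(instances),
            "altitude": float(altitude),   # altitudes may carry a fractional part
            "frame": int(frame),
        })
    return rows


def load_order_group(altitude: float) -> str:
    """Return the load-order group whose range contains `altitude`."""
    for group, low, high in LOAD_ORDER_GROUPS:
        if low <= altitude <= high:
            return group
    return "other/unlisted group"   # altitude falls in a group not in the partial table


def io_order(filters: List[Dict[str, object]]) -> List[str]:
    """Filter names in the order a request travels down the stack: highest altitude first."""
    return [str(f["name"]) for f in sorted(filters, key=lambda f: float(f["altitude"]), reverse=True)]


def filters_above(filters: List[Dict[str, object]], name: str) -> List[str]:
    """Filters that see an I/O request before `name` does (case-insensitive match)."""
    order = io_order(filters)
    lowered = [n.lower() for n in order]
    if name.lower() not in lowered:
        raise KeyError(f"filter {name!r} not present in fltmc output")
    return order[: lowered.index(name.lower())]


if __name__ == "__main__":
    rows = parse_fltmc(SAMPLE_FLTMC)
    for row in sorted(rows, key=lambda r: float(r["altitude"]), reverse=True):
        print(f"{row['name']:<12} {row['altitude']:>9.1f}  {load_order_group(float(row['altitude']))}")
    print("Filters above FileInfo:", filters_above(rows, "FileInfo"))
```

Running it on real output (`fltmc filters > filters.txt` in an elevated prompt, then `parse_fltmc(open("filters.txt").read())`) shows at a glance how many registered filters sit above FileInfo on a given box, which is the practical meaning of "practically the lowest of all shipping mini-filters".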
The file description in the fileinfo.sys version header is FileInfo Filter Driver, but the description column for fileinfo.sys in the altitude allocation document (linked above) says Superfetch, a Vista feature that preloads frequently used applications into memory to improve application startup times. The service description for fileinfo says it collects information about files in memory to be consumed by other system services. It comes as no surprise, then, that the SuperFetch service (sysmain.dll hosted in svchost.exe) opens a handle to fileinfo.sys's control device \FileSystem\FileInfo and communicates with it through an undocumented IOCTL-based interface. Here is how the fileinfo device and driver objects look in WinDbg