Moving the blog

Hi all, I’ve decided to move the blog to a new location and I’ve copied all the existing posts. I should have some new content soon (or so I hope). The new location is:


Context Usage in Minifilters

I’m not sure why but in spite of there being pretty good documentation and even a sample available, the topic of how Contexts work and how filters should use them comes up a lot. There are a couple of rules that govern contexts and pretty much everything follows from the interaction between these rules (this…


Names and file systems filters

Proper usage of names in file system filters and minifilters is a topic that comes up a lot. The reason for this is that sooner or later one has to deal with names and it is a particularly complicated area. In this post I’ll try to address some of the common problems minifilters have with…


Issuing IO in minifilters: Part 2 – Flt vs. Zw

Sorry about the frequency of my posts, I’ve been really swamped with the IFS Plugfest preparations. Anyway, let’s get down to business. So now the way the create path works should be clear. The basic idea is that FltMgr has some targeting information (in which it stores the minifilters below which altitude should see the…


Issuing IO in minifilters: Part 1 – FltCreateFile

In this post I’ll try to address a couple of questions that are all related and that I’ve seen asked a lot. This is a rather long topic so I’ll split it into a couple of posts. I’ll try to explain both how things work and why they are this way (at least, why I think…


Filter Manager Concepts: Part 7 – IRP_CTRL

One very important structure that everyone writing minifilters very quickly becomes familiar with is the FLT_CALLBACK_DATA. This is pretty much the equivalent of an IRP in the minifilter model. The structure is public and is pretty well documented. However, it is in fact just the public part of the picture. Filter manager has an internal structure…


Filter Manager Concepts: Part 6 – STREAM_LIST_CTRL

Now that we’ve discussed contexts in general there is one very important structure to talk about. The STREAM_LIST_CTRL is pretty much filter manager’s context for a stream (it is attached to the FCB or SCB, depending on the file system) and it is used to store stream contexts, streamhandle contexts and file contexts (for file…


Filter Manager Concepts: Part 5 – CONTEXT_NODE

Why does one need contexts? Well, the IO model in NT is based on passing objects around and the various components that handle these objects need a way to save information about each object (for example the file system might need to ‘remember’ where the file is located on disk). This information is basically…


The deal with LUAFV.SYS

I noticed that a lot of the people that end up on this blog are looking for information on LUAFV and for some reason it seems there isn’t a lot on it. I imagine that people are looking for it for two major reasons. They want to know what it is and what it does…