Filter Manager Concepts: Part 6 – STREAM_LIST_CTRL

Now that we’ve discussed contexts in general there is one very important structure to talk about. The STREAM_LIST_CTRL is pretty much filter manager’s context for a stream (it is attached to the FCB or SCB, depending on the file system) and it is used to store stream contexts, streamhandle contexts and file contexts (for file systems where a file can only have one stream; otherwise there is a different structure dedicated to those contexts) for minifilters as well as the name caches for the stream. The “!fltkd.streamlist” command displays a STREAM_LIST_CTRL and it can take either a STREAM_LIST_CTRL or a FILE_OBJECT address.

Because filter manager can be attached multiple times to a stack it also has multiple contexts, so it is possible that a FILE_OBJECT has more than one STREAM_LIST_CTRL associated with it.

0: kd> !streamlist 0xfffffa80`039aff20 f
STREAM_LIST_CTRL: fffffa8005ffad30  [00000111] LinkedToStream File HasHardlinks
   Stream ContextCtrl       : (fffffa8005ffad38)
   VolumeLink               : [fffffa800563f580-fffffa8003ee2260]
   UseCount                 : 2
   ContextLock              : (fffffa8005ffad78)
   StreamContexts           : (fffffa8005ffad80)  Count=1
      CONTEXT_LIST_CTRL: fffffa8005ffad80
         CONTEXT_NODE: fffff8a00265a5b0  [0008] StreamContext PagedPool
            ALLOCATE_CONTEXT_NODE: fffffa80044ec6d0 "FileInfo" [01] LookasideList (size=80)
            AttachedObject           : fffffa8005ffad30
            UseCount                 : 2
            TREE_NODE: fffff8a00265a5c8 (k1=fffffa80054cbbb0, k2=0000000000000000) [00010001] InTree
            UserData                 : fffff8a00265a610
   StreamHandleContexts     : (fffffa8005ffad88)  Count=0
      CONTEXT_LIST_CTRL: fffffa8005ffad88
         ** Empty tree **
   NameCacheLock            : (fffffa8005ffad90)
   AllNameContextsTemporary : 0x00000000
   LastRenameCompleted      : 0x0000000000000000
   NormalizedNameCache      : (fffffa8005ffada0)  Count=1
      NAME_CACHE_LIST_CTRL: fffffa8005ffada0  [00000001] Normalized
         NAME_CACHE_NODE: fffff8a001f0b470
            UseCount                 : 2
            CreationTime             : 0x00000000003ae3e1
            TREE_NODE: fffff8a001f0b488 (k1=fffffa80039aff20, k2=0000000000000000) [00018000] InTree
            FLT_FILE_NAME_INFORMATION: fffff8a001f0b4c0  [00000001] Normalized
               NamesParsed              : [00000000]
               Name                     : "\Device\HarddiskVolume1\Program Files\Common Files\System\Ole DB\sqloledb.rll"
   OpenedNameCache          : (fffffa8005ffadc0)  Count=0
      NAME_CACHE_LIST_CTRL: fffffa8005ffadc0  [00000002] Opened
         ** Empty tree **
   ShortNameCache           : (fffffa8005ffadb0)  Count=0

This shows you for example that the there is only one context on this FILE_OBJECT and it’s actually a StreamContext from FileInfo. Also, there is a normalized name.

This sort of information can be really useful when trying to determine if your minifilter has a context on a certain stream or FILE_OBJECT or to find out more information about a leaked context or name (such as what stream or FILE_OBJECT was it for).

The “!fltkd.streamlist” command is pretty much what I use this any time i have a FILE_OBJECT.