jonny-jhnson · February 3, 2026 17:34
diff --git a/gistfile1.txt b/gistfile1.txt
 kd> !fltkd.filter ffffcc8edb552a30

 FLT_FILTER: ffffcc8edb552a30 "PrjFlt" "189800"
   FLT_OBJECT: ffffcc8edb552a30  [02000000] Filter
      RundownRef               : 0x0000000000000014 (10)
      PointerCount             : 0x00000002 
      PrimaryLink              : [ffffcc8edb550530-ffffcc8edb9b8330] 
   Frame                    : ffffcc8ed638a6e0 "Frame 0" 
   Flags                    : [00000096] FilteringInitiated NameProvider BackedByPagefile FiltersReadWrite
   DriverObject             : ffffcc8ed9687d00 
   FilterLink               : [ffffcc8edb550530-ffffcc8edb9b8330] 
   PreVolumeMount           : 0000000000000000  (null) 
   PostVolumeMount          : 0000000000000000  (null) 
   FilterUnload             : fffff8016d0c80f0  prjflt!PrjfUnload 
   InstanceSetup            : fffff8016d0c6600  prjflt!PrjfInstanceSetup 
   InstanceQueryTeardown    : fffff8016d0c6480  prjflt!PrjfInstanceQueryTeardown 
   InstanceTeardownStart    : fffff8016d0c6e50  prjflt!PrjfInstanceTeardownComplete 
   InstanceTeardownComplete : fffff8016d0c6e50  prjflt!PrjfInstanceTeardownComplete 
   ActiveOpens              : (ffffcc8edb552bf0)  mCount=0 
   Communication Port List  : (ffffcc8edb552c40)  mCount=1 
   Client Port List         : (ffffcc8edb552c90)  mCount=2 
   VerifierExtension        : 0000000000000000 
   Operations               : ffffcc8edb552cf0 
   OldDriverUnload          : 0000000000000000  (null) 
   SupportedContexts        : (ffffcc8edb552b68)
      VolumeContexts           : (ffffcc8edb552b68)
      InstanceContexts         : (ffffcc8edb552b70)
         ALLOCATE_CONTEXT_NODE: ffffcc8edb4dc3b0 "PrjFlt" [02] AllocateDirectly
      FileContexts             : (ffffcc8edb552b78)
         ALLOCATE_CONTEXT_NODE: ffffcc8edb4dc3e0 "PrjFlt" [01] LookasideList (size=368)
      StreamContexts           : (ffffcc8edb552b80)
         ALLOCATE_CONTEXT_NODE: ffffcc8edb4dc560 "PrjFlt" [01] LookasideList (size=48)
      StreamHandleContexts     : (ffffcc8edb552b88)
         ALLOCATE_CONTEXT_NODE: ffffcc8edb4dc6e0 "PrjFlt" [01] LookasideList (size=616)
      TransactionContext       : (ffffcc8edb552b90)
         ALLOCATE_CONTEXT_NODE: ffffcc8edb4dc860 "PrjFlt" [01] LookasideList (size=4)
      (null)                   : (ffffcc8edb552b98)
   InstanceList             : (ffffcc8edb552aa0)
      FLT_INSTANCE: ffffcc8edba16820 "PrjFlt Instance" "189800"

 kd> dx (FLTMGR!_FLT_OPERATION_REGISTRATION *)0xffffcc8edb552cf0
 (FLTMGR!_FLT_OPERATION_REGISTRATION *)0xffffcc8edb552cf0                 : 0xffffcc8edb552cf0 [Type: _FLT_OPERATION_REGISTRATION *]
    [+0x000] MajorFunction    : 0x0 [Type: unsigned char]
    [+0x004] Flags            : 0x0 [Type: unsigned long]
    [+0x008] PreOperation     : 0xfffff8016d0aff50 : prjflt!PrjfPreCreate+0x0 [Type: _FLT_PREOP_CALLBACK_STATUS (__cdecl*)(_FLT_CALLBACK_DATA *,_FLT_RELATED_OBJECTS *,void * *)]
    [+0x010] PostOperation    : 0xfffff8016d0aeec0 : prjflt!PrjfPostCreate+0x0 [Type: _FLT_POSTOP_CALLBACK_STATUS (__cdecl*)(_FLT_CALLBACK_DATA *,_FLT_RELATED_OBJECTS *,void *,unsigned long)]
    [+0x018] Reserved1        : 0x0 [Type: void *]
	kd> !fltkd.filter ffffcc8edb552a30

	FLT_FILTER: ffffcc8edb552a30 "PrjFlt" "189800"
	FLT_OBJECT: ffffcc8edb552a30 [02000000] Filter
	RundownRef : 0x0000000000000014 (10)
	PointerCount : 0x00000002
	PrimaryLink : [ffffcc8edb550530-ffffcc8edb9b8330]
	Frame : ffffcc8ed638a6e0 "Frame 0"
	Flags : [00000096] FilteringInitiated NameProvider BackedByPagefile FiltersReadWrite
	DriverObject : ffffcc8ed9687d00
	FilterLink : [ffffcc8edb550530-ffffcc8edb9b8330]
	PreVolumeMount : 0000000000000000 (null)
	PostVolumeMount : 0000000000000000 (null)
	FilterUnload : fffff8016d0c80f0 prjflt!PrjfUnload
	InstanceSetup : fffff8016d0c6600 prjflt!PrjfInstanceSetup
	InstanceQueryTeardown : fffff8016d0c6480 prjflt!PrjfInstanceQueryTeardown
	InstanceTeardownStart : fffff8016d0c6e50 prjflt!PrjfInstanceTeardownComplete
	InstanceTeardownComplete : fffff8016d0c6e50 prjflt!PrjfInstanceTeardownComplete
	ActiveOpens : (ffffcc8edb552bf0) mCount=0
	Communication Port List : (ffffcc8edb552c40) mCount=1
	Client Port List : (ffffcc8edb552c90) mCount=2
	VerifierExtension : 0000000000000000
	Operations : ffffcc8edb552cf0
	OldDriverUnload : 0000000000000000 (null)
	SupportedContexts : (ffffcc8edb552b68)
	VolumeContexts : (ffffcc8edb552b68)
	InstanceContexts : (ffffcc8edb552b70)
	ALLOCATE_CONTEXT_NODE: ffffcc8edb4dc3b0 "PrjFlt" [02] AllocateDirectly
	FileContexts : (ffffcc8edb552b78)
	ALLOCATE_CONTEXT_NODE: ffffcc8edb4dc3e0 "PrjFlt" [01] LookasideList (size=368)
	StreamContexts : (ffffcc8edb552b80)
	ALLOCATE_CONTEXT_NODE: ffffcc8edb4dc560 "PrjFlt" [01] LookasideList (size=48)
	StreamHandleContexts : (ffffcc8edb552b88)
	ALLOCATE_CONTEXT_NODE: ffffcc8edb4dc6e0 "PrjFlt" [01] LookasideList (size=616)
	TransactionContext : (ffffcc8edb552b90)
	ALLOCATE_CONTEXT_NODE: ffffcc8edb4dc860 "PrjFlt" [01] LookasideList (size=4)
	(null) : (ffffcc8edb552b98)
	InstanceList : (ffffcc8edb552aa0)
	FLT_INSTANCE: ffffcc8edba16820 "PrjFlt Instance" "189800"

	kd> dx (FLTMGR!_FLT_OPERATION_REGISTRATION *)0xffffcc8edb552cf0
	(FLTMGR!_FLT_OPERATION_REGISTRATION )0xffffcc8edb552cf0 : 0xffffcc8edb552cf0 [Type: _FLT_OPERATION_REGISTRATION ]
	[+0x000] MajorFunction : 0x0 [Type: unsigned char]
	[+0x004] Flags : 0x0 [Type: unsigned long]
	[+0x008] PreOperation : 0xfffff8016d0aff50 : prjflt!PrjfPreCreate+0x0 [Type: _FLT_PREOP_CALLBACK_STATUS (__cdecl)(_FLT_CALLBACK_DATA ,_FLT_RELATED_OBJECTS ,void *)]
	[+0x010] PostOperation : 0xfffff8016d0aeec0 : prjflt!PrjfPostCreate+0x0 [Type: _FLT_POSTOP_CALLBACK_STATUS (__cdecl)(_FLT_CALLBACK_DATA ,_FLT_RELATED_OBJECTS ,void ,unsigned long)]
	[+0x018] Reserved1 : 0x0 [Type: void *]
No results found