FltGetXXXContext in PsSetCreateProcessNotifyRoutine callback

A FILE_OBJECT is passed during the process create callback and I’d like to look up the file context of the object. To do that, you need a FLT_INSTANCE, which is not passed during the process callback. What is the best way to get an INSTANCE in order to look up the context?

I haven’t tried it yet, but it seems like this combination will work; however, I’m wondering if there is a better/more appropriate way.
FltGetFilterFromName → FltGetVolumeFromFileObject → FltGetTop/BottomInstance → FltGetFileContext

I’d save the FltFilter right after you register. Then get the volume as you say and then use FltEnumerateInstances

@rod_widdowson said:
I’d save the FltFilter right after you register. Then get the volume as you say and then use FltEnumerateInstances

Thanks, Rod. Didn’t even think about saving the filter on registration. What’s the benefit of using FltEnumInstances vs. just using the top or bottom one? Also, if you enum the instances, which instance should be used for the context call? The first one returned, or does it not matter?

Well it looks as though FltEnumInstances does a “lookup by filter”…