A powerful feature of FESF is FESF Policy Caching. A Solution's Policy DLL may enable FESF Policy Caching by setting the AccessCache.Enable field of the FE_POLICY_CONFIG structure to TRUE. To ensure good system performance, we strongly recommend all Solutions enable Policy Caching. Windows applications, including system components such as the Windows shell (Explorer.exe), have a strong propensity to open and close files repeatedly. This is why Policy Caching is so critical.
When FESF Policy Caching has been enabled by a Policy DLL, FESF makes an entry in its kernel-mode Policy Cache for the file after it returns from each call to PolGetPolicyNewFile or PolGetPolicyExistingFile. The data stored in the FESF Policy Cache is based on the values passed into and returned by those functions, and includes:
• Accessing process. This is the process that owns the thread indicated in the ThreadId argument.
• Access. This is the value supplied in the Granted Access argument.
• FE_POLICY_RESULT. This is the return value from the Policy DLL.
Note that these cache entries are associated exclusively with the particular file that is being opened. Each subsequent time that same file is opened, FESF consults the FESF Policy Cache for the file. If an entry exists in the cache for the same process and the same type of access, FESF uses the cached FE_POLICY_RESULT instead of calling the Policy DLL. This eliminates the overhead of calling the Policy DLL to determine policy for a file, process, and access type when the Policy DLL has already returned the desired policy (for that file, process and access type) to FESF. An exception to this behavior is when a thread is "impersonating" (that is, using different security information than the process that owns the thread). The FESF Policy Cache is never consulted for files accessed by impersonating threads.
A cache entry persists as long as the file remains open or Windows retains file (data) caching information for the file, whichever is longer. On systems with ample free memory, an entry can persist for a very long time (many hours) after the file has been closed. On systems with significant memory pressure, an entry might persist only as long as some thread holds an open handle to the file.
While the life of the FESF Policy Cache cannot be extended arbitrarily, entries can be selectively removed from the FESF Policy Cache at any time by the Policy DLL. The Policy DLL can remove entries in the FESF Policy Cache for a given file or process by calling the FesfUtil2 function FesfUtil2PurgePolicyCache. This function can also be used to remove all FESF Policy Cache entries for all files for all processes. Refer to the docs for FesfUtil2PurgePolicyCache for specific information.
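To make the lookup and purge semantics above concrete, here is an added C model of the cache. It is not FESF code: the names (get_policy, purge_policy_cache, set_policy_dll_answer, the POLICY_* values) are hypothetical and do not follow the real FesfUtil2PurgePolicyCache signature. It shows a cache hit skipping the Policy DLL, an impersonating thread bypassing the cache, and a changed policy decision that stays stale for a file until that file's entries are purged.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Model of the FESF Policy Cache semantics described above; assumed names, not FESF code. */
typedef enum { POLICY_NONE = 0, POLICY_ALLOW, POLICY_DENY } policy_result_t;
typedef struct {
    bool            valid;
    const char     *file;    /* entry is bound to exactly one file */
    uint32_t        pid;     /* process that owns the accessing thread */
    uint32_t        access;  /* the Granted Access value */
    policy_result_t result;  /* FE_POLICY_RESULT returned by the Policy DLL */
} cache_entry_t;

#define CACHE_SLOTS 32
static cache_entry_t   g_cache[CACHE_SLOTS];
static int             g_dll_calls;                 /* how often the Policy DLL was consulted */
static policy_result_t g_dll_answer = POLICY_ALLOW; /* stand-in for the Policy DLL's decision */
void set_policy_dll_answer(policy_result_t r) { g_dll_answer = r; }
int  policy_dll_calls(void)                  { return g_dll_calls; }

static cache_entry_t *find_entry(const char *file, uint32_t pid, uint32_t access) {
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (g_cache[i].valid && g_cache[i].pid == pid && g_cache[i].access == access &&
            strcmp(g_cache[i].file, file) == 0)
            return &g_cache[i];
    return NULL;
}

/* Lookup as performed on each open: hit = cached result, miss = ask the Policy DLL. */
policy_result_t get_policy(const char *file, uint32_t pid, uint32_t access, bool impersonating) {
    if (!impersonating) {                       /* cache is never consulted for impersonating threads */
        cache_entry_t *e = find_entry(file, pid, access);
        if (e) return e->result;
    }
    g_dll_calls++;
    policy_result_t r = g_dll_answer;
    if (!impersonating)                          /* assumption: no entry is stored for impersonating opens */
        for (int i = 0; i < CACHE_SLOTS; i++)
            if (!g_cache[i].valid) { g_cache[i] = (cache_entry_t){true, file, pid, access, r}; break; }
    return r;
}

/* Selective purge: file == NULL matches any file, pid == 0 matches any process (both = purge all). */
void purge_policy_cache(const char *file, uint32_t pid) {
    for (int i = 0; i < CACHE_SLOTS; i++)
        if (g_cache[i].valid && (file == NULL || strcmp(g_cache[i].file, file) == 0) &&
            (pid == 0 || g_cache[i].pid == pid))
            g_cache[i].valid = false;
}
```

The stale-result step is the practical caveat: a Policy DLL that changes its decision for a file must purge that file's entries, otherwise processes with a cached entry keep the old result for as long as the entry lives.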
Finally, it should be noted that if the FESF Policy Service terminates or becomes unresponsive, the FESF Policy Cache is completely purged.