Finding Windows Socket Kernel (WSK) Clients

WSK clients are kernel-mode drivers that use socket APIs. WSK is implemented in the kernel-mode driver AFD.sys, which maintains a linked list of registered WSK clients in the global variable afd!AfdWskClientListHead. This document describes how to walk that list to find out which WSK clients are installed on a system.

Each structure in the list holds a pointer to the notify function at the 5th pointer-sized value in the structure. Resolving that pointer to a symbol gives the name of the module that registered the client.

To display the entries in this list, each of which represents one WSK client driver, use the following command:
0: kd> r $t0 = afd!AfdWskClientListHead ; .for( r $t1 = poi(@$t0) ;  (@$t1 != @$t0) ; r $t1 = poi(@$t1) ) { dps @$t1+5*@$ptrsize L1}
fffffa80`040b9738  fffff880`015de348 rasl2tp!WskClientNotify+0x48
fffffa80`04396ee8  fffff880`00c69448 raspptp!WskClientNotify+0x48
fffffa80`048e1188  fffff880`06cfd300 HTTP!UxWskClientDispatch
fffffa80`0488c1f8  fffff880`06ddc130 mrxsmb!SmbWskClientDispatch
fffffa80`0516d948  fffff880`074e9470 srvnet!SrvNetWskClientDispatch
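
When this output is collected from many machines or memory dumps, the module names can be extracted and compared against a known-good set. The following is an added example, not part of the original document: it parses the dps lines above and reports entries whose pointer resolves to no module or to a module outside a baseline. The baseline set, the function names and the last two sample lines (including the module name exampledrv) are assumptions constructed for illustration.

```python
import re

# One dps line: <slot address>  <pointer value>  [module[!symbol][+0xoffset]]
ADDR = r"(?:[0-9a-f]{8}`[0-9a-f]{8}|[0-9a-f]{8})"
LINE_RE = re.compile(
    rf"^(?P<slot>{ADDR})\s+(?P<ptr>{ADDR})"
    r"(?:\s+(?P<module>[^\s!+]+)(?:!(?P<symbol>[^\s+]+))?(?:\+0x[0-9a-f]+)?)?\s*$",
    re.IGNORECASE,
)

# The first five lines are the output shown on the page; the last two are constructed.
SAMPLE = """\
fffffa80`040b9738  fffff880`015de348 rasl2tp!WskClientNotify+0x48
fffffa80`04396ee8  fffff880`00c69448 raspptp!WskClientNotify+0x48
fffffa80`048e1188  fffff880`06cfd300 HTTP!UxWskClientDispatch
fffffa80`0488c1f8  fffff880`06ddc130 mrxsmb!SmbWskClientDispatch
fffffa80`0516d948  fffff880`074e9470 srvnet!SrvNetWskClientDispatch
fffffa80`05aa0010  fffff880`07a01000 exampledrv+0x1000
fffffa80`05bb0020  fffffa80`03c41000
"""

# Assumed known-good WSK client modules for this build (lower case).
BASELINE = {"rasl2tp", "raspptp", "http", "mrxsmb", "srvnet"}

def parse_wsk_clients(text):
    """Return one dict per dps line; the command echo and blank lines are skipped."""
    clients = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            clients.append({
                "pointer": int(m["ptr"].replace("`", ""), 16),
                "module": m["module"],   # None when dps printed no symbol
                "symbol": m["symbol"],   # None for module+offset (no symbols loaded)
            })
    return clients

def review(clients, baseline):
    """Return (pointer, reason) for every entry that needs a closer look."""
    findings = []
    for c in clients:
        if c["module"] is None:
            findings.append((c["pointer"], "pointer is not inside any loaded module"))
        elif c["module"].lower() not in baseline:
            findings.append((c["pointer"], f"module {c['module']} is not in the baseline"))
    return findings

if __name__ == "__main__":
    for pointer, reason in review(parse_wsk_clients(SAMPLE), BASELINE):
        print(f"{pointer:#018x}  {reason}")
```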