FLTMC.exe – Windows CMD Command

Manage MiniFilter drivers. Load a Filter driver, Unload a Filter driver, List filter information, List all instances or the instances associated with a Filter or VolumeList all volumes (including the network redirectors), Attach or Detach a filter from a Volume.

FLTMC requires an Elevated command prompt (either CMD or PowerShell)

File System Minifilter Drivers

A file system filter driver (Minifilter) is an optional driver that adds value to or modifies the behavior of a file system.

These filter drivers process all filesystem activity including background processes. Typical uses are encryption software transparently encrypting new files. Enforcing file quotas and most commonly anti-virus software scanning file activity.

A malicious rootkit infection may obfuscate its presence by installing a minifilter driver which intercepts and filters calls between other (legitimate) drivers and the system. It is therefore good practice to document the known minidrivers installed on your key systems.

The FLTMC command allows the option to display existing filters and delete malicious ones.

Attaching a filter to a Volume

The instanceName is optional if an altitude is provided If no altitude is provided, the necessary keys must already exist in the registry to describe the altitude for the given name.

The altitude is optional if an instance name is provided. If specified, this new instance is placed at this explicit altitude. If a name is specified as well, the new instance will be given the name specified.

If the attachment is successful, an Instance Name will be displayed to identify the instance created by this attachment.

Detaching a filter from a Volume

The filterName is the name for the Filter that is used by the driver to register and to load the Filter using this command line.

The instanceName is the identifier returned by the attach command.
If no instance name is given, the default instance for the Volume specified will be removed.

Altitude

Minifilters are assigned a specific altitude by Microsoft. This will sit within a range that is specific to the function of the minifilter.
e.g. Anti-Virus minifilters are assigned an altitude between 320,000 and 329,999.
and encryption minifilters are assigned an altitude between 140,000 and 149,999.

For file Writes, Altitudes are processed in descending order.
For file Reads, Altitudes are processed in ascending order.

So when writing anti-virus is handled before encryption, but when reading decryption is handled before anti-virus.

Legacy filter drivers do not use the minifilter model, this means they don’t slot into place based on their altitude. For interoperability with legacy filter drivers, the filter manager can attach filter device objects to a file system I/O stack in more than one location [example]. However, you should still consider replacing legacy filters with minifilters.

Offloading Reads and/or Writes on NTFS drives

Starting with Windows 8, a filter may specify offload capability.
FLTMC instances will display the Supported Features (SprtFtrs)
1 = FSCTL_OFFLOAD_READ
2 = FSCTL_OFFLOAD_WRITE
So 3 = Offload Read + Write are supported.

Common minifilters (\System32\Drivers)

WdFilter.sys – Windows Defender
storqosflt.sys – Storage QoS Filter Driver
luafv.sys – UAC File Virtualization
npsvctrig.sys – Named Pipe Service Trigger Provider
FileCrypt.sys – Windows sandboxing and encryption
FileInfo.sys – FileInfo Filter Driver (SuperFetch / ReadyBoost)
wcifs.sys – File System Filter
Wof.sys – Windows Image File Boot

You may also like...

1 Response

  1. Ernestina Worek says:

    Sweet internet site, super style and design, rattling clean and apply friendly.

Leave a Reply

Your email address will not be published. Required fields are marked *