FLTMC.exe – Windows CMD Command



Manage MiniFilter drivers: load a filter driver, unload a filter driver, list filter information, list all instances or only the instances associated with a filter or volume, list all volumes (including the network redirectors), and attach or detach a filter from a volume.

FLTMC requires an elevated command prompt (either CMD or PowerShell).

File System Minifilter Drivers

A file system filter driver (Minifilter) is an optional driver that adds value to or modifies the behavior of a file system.

These filter drivers see all filesystem activity, including that of background processes. Typical uses are encryption software transparently encrypting new files, enforcing file quotas and, most commonly, anti-virus software scanning file activity.

A malicious rootkit infection may hide its presence by installing a minifilter driver that intercepts and filters calls between other (legitimate) drivers and the system. It is therefore good practice to document the known minifilters installed on your key systems, so that an unexpected addition stands out.

The FLTMC command can list the existing filters and unload malicious ones.
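The "document the known minifilters" advice above is easiest to act on with a script. The following PowerShell is an added example, not from the original page: it parses the table that `fltmc filters` prints into objects and compares the result with a baseline captured on a known-good system, reporting filters that are new, missing, or have changed altitude. The function names (`ConvertFrom-FltmcFilters`, `Get-MinifilterInventory`, `Compare-MinifilterBaseline`) and the baseline path are assumptions of this example; the sample output embedded below is constructed so the parser can be exercised without elevation.

```powershell
# Added example (not from the original page): build a minifilter inventory
# from "fltmc filters" output and compare it with a saved baseline.
# Live use assumes an elevated PowerShell session; the sample text below is
# constructed so the parser runs without calling fltmc at all.

function ConvertFrom-FltmcFilters {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Data rows: name, instance count, altitude, frame, whitespace-separated.
        # The header and dashed separator rows do not match and are skipped.
        if ($line -match '^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$') {
            [pscustomobject]@{
                FilterName   = $Matches[1]
                NumInstances = [int]$Matches[2]
                Altitude     = [double]$Matches[3]
                Frame        = [int]$Matches[4]
            }
        }
    }
}

function Get-MinifilterInventory {
    # Live query; fltmc reports access denied from a non-elevated prompt.
    ConvertFrom-FltmcFilters -Lines (& fltmc.exe filters)
}

function Compare-MinifilterBaseline {
    param([object[]]$Current, [string]$BaselinePath)
    if (-not (Test-Path $BaselinePath)) {
        # First run on a known-good system: record the baseline and stop.
        $Current | ConvertTo-Json | Set-Content -Path $BaselinePath
        Write-Output "Baseline written to $BaselinePath"
        return
    }
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $known = @{}
    foreach ($f in $baseline) { $known[$f.FilterName] = $f.Altitude }
    foreach ($f in $Current) {
        if (-not $known.ContainsKey($f.FilterName)) {
            [pscustomobject]@{ Change = 'NEW';      FilterName = $f.FilterName; Altitude = $f.Altitude }
        } elseif ($known[$f.FilterName] -ne $f.Altitude) {
            [pscustomobject]@{ Change = 'ALTITUDE'; FilterName = $f.FilterName; Altitude = $f.Altitude }
        }
    }
    $currentNames = $Current | ForEach-Object FilterName
    foreach ($name in $known.Keys) {
        if ($currentNames -notcontains $name) {
            [pscustomobject]@{ Change = 'MISSING';  FilterName = $name; Altitude = $known[$name] }
        }
    }
}

# Constructed sample in the layout "fltmc filters" prints. The names are the
# inbox filters listed later on this page; treat the numbers as illustrative.
$sample = @'
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                5       328010         0
storqosflt                              0       244000         0
wcifs                                   0       189900         0
FileCrypt                               0       141100         0
luafv                                   1       135000         0
npsvctrig                               1        46000         0
Wof                                     4        40700         0
FileInfo                                5        40500         0
'@ -split "`r?`n"

$inventory = ConvertFrom-FltmcFilters -Lines $sample
$inventory | Format-Table -AutoSize

# On a real host use (Get-MinifilterInventory) instead of $inventory and store
# the baseline somewhere the monitored host cannot rewrite it.
Compare-MinifilterBaseline -Current $inventory -BaselinePath "$env:TEMP\minifilter-baseline.json"
```

The comparison keys on filter name and altitude rather than on the instance count, because instance counts legitimately change as volumes are mounted; a filter that appears at an altitude you have not documented is the case worth investigating.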

Attaching a filter to a Volume

The instanceName is optional if an altitude is provided. If no altitude is provided, the necessary keys must already exist in the registry to describe the altitude for the given name.

The altitude is optional if an instance name is provided. If specified, this new instance is placed at this explicit altitude. If a name is specified as well, the new instance will be given the name specified.

If the attachment is successful, an Instance Name will be displayed to identify the instance created by this attachment.

Detaching a filter from a Volume

The filterName is the name the driver used when registering the filter; it is the same name used to load the filter with this command.

The instanceName is the identifier returned by the attach command.
If no instance name is given, the default instance for the Volume specified will be removed.

Altitude

Minifilters are assigned a specific altitude by Microsoft. The altitude sits within a range that corresponds to the function of the minifilter.
For example, anti-virus minifilters are assigned an altitude between 320,000 and 329,999,
and encryption minifilters are assigned an altitude between 140,000 and 149,999.

For file Writes, Altitudes are processed in descending order.
For file Reads, Altitudes are processed in ascending order.

So, when writing, anti-virus is handled before encryption; when reading, decryption is handled before anti-virus.

Legacy filter drivers do not use the minifilter model, which means they do not slot into place based on an altitude. For interoperability with legacy filter drivers, the filter manager can attach filter device objects to a file system I/O stack in more than one location [example]. However, you should still consider replacing legacy filters with minifilters.

Offloading Reads and/or Writes on NTFS drives

Starting with Windows 8, a filter may specify offload capability.
FLTMC instances will display the Supported Features (SprtFtrs) as a bit mask:
1 = FSCTL_OFFLOAD_READ
2 = FSCTL_OFFLOAD_WRITE
So 3 = Offload Read + Write are supported.
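The altitude ordering described in the Altitude section (descending for writes, ascending for reads) and the SprtFtrs bit mask just above are both small enough to illustrate in one added PowerShell example. This code is not from the original page: given a constructed set of filter names and altitudes, it prints the order in which they process a write and a read, classifies each altitude into the two ranges the text names, and decodes a SprtFtrs value into its two flags. The function names and the sample filters are assumptions of this example; SprtFtrs is treated as a hex string here, which also accepts the plain 0-3 values the text lists.

```powershell
# Added example (not from the original page): write/read processing order by
# altitude, classification into the ranges the text names, and SprtFtrs decode.
# Filter names and altitudes below are constructed sample data.

function Get-AltitudeGroup {
    param([double]$Altitude)
    # Only the two ranges given in the text are classified; everything else is 'other'.
    if ($Altitude -ge 320000 -and $Altitude -le 329999) { return 'Anti-Virus' }
    if ($Altitude -ge 140000 -and $Altitude -le 149999) { return 'Encryption' }
    return 'other'
}

function Get-FilterProcessingOrder {
    param(
        [hashtable]$Filters,                                 # name -> altitude
        [ValidateSet('Read', 'Write')][string]$Operation
    )
    # Writes travel down the stack (highest altitude first); reads complete
    # back up the stack (lowest altitude first).
    $sorted = $Filters.GetEnumerator() |
        Sort-Object -Property Value -Descending:($Operation -eq 'Write')
    $position = 0
    foreach ($entry in $sorted) {
        $position++
        [pscustomobject]@{
            Operation = $Operation
            Position  = $position
            Filter    = $entry.Key
            Altitude  = $entry.Value
            Group     = Get-AltitudeGroup -Altitude $entry.Value
        }
    }
}

function ConvertFrom-SprtFtrs {
    # Bit 0 = FSCTL_OFFLOAD_READ, bit 1 = FSCTL_OFFLOAD_WRITE; 3 means both.
    param([string]$HexValue)
    $value = [Convert]::ToInt32($HexValue, 16)
    [pscustomobject]@{
        Raw          = $HexValue
        OffloadRead  = [bool]($value -band 1)
        OffloadWrite = [bool]($value -band 2)
    }
}

# Constructed sample: one anti-virus filter, one encryption filter and one
# filter outside both ranges.
$filters = @{
    'SampleAV'    = 328000
    'SampleCrypt' = 141000
    'SampleOther' = 40000
}

# Write: SampleAV (328000) is first, SampleCrypt (141000) second.
Get-FilterProcessingOrder -Filters $filters -Operation Write | Format-Table -AutoSize
# Read: SampleOther, then SampleCrypt, then SampleAV.
Get-FilterProcessingOrder -Filters $filters -Operation Read  | Format-Table -AutoSize

# Decode the four possible SprtFtrs values the text describes.
'0', '1', '2', '3' | ForEach-Object { ConvertFrom-SprtFtrs -HexValue $_ } | Format-Table -AutoSize
```

The write ordering is why an anti-virus filter sees plaintext before the encryption filter transforms it, and the read ordering is why decryption happens before the anti-virus filter sees the data again: the same altitude assignment produces both behaviours.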

Common minifilters (\System32\Drivers)

WdFilter.sys – Windows Defender
storqosflt.sys – Storage QoS Filter Driver
luafv.sys – UAC File Virtualization
npsvctrig.sys – Named Pipe Service Trigger Provider
FileCrypt.sys – Windows sandboxing and encryption
FileInfo.sys – FileInfo Filter Driver (SuperFetch / ReadyBoost)
wcifs.sys – File System Filter
Wof.sys – Windows Image File Boot


4 Responses

  1. graliontorile says:

    Have you ever considered adding a little bit more than just your articles? I mean, what you say is important and all. But imagine if you added some great images or videos to give your posts more “pop”! Your content is excellent, but with images and videos this blog could undeniably be one of the greatest in its field. Great blog!

  2. Ramon says:

    I read this paragraph fully concerning the comparison of newest and preceding technologies; it’s an awesome article.

  3. Markus says:

    We are a bunch of volunteers and opening a brand new scheme in our community.

    Your website provided us with valuable info to
    work on. You’ve performed an impressive activity and our whole
    community shall be grateful to you.

  4. Ernestina Worek says:

    Sweet internet site, super style and design, rattling clean and apply friendly.
