How does your anti-virus software know you’re trying to open a file that it needs to scan? How does your encryption software transparently encrypt and decrypt your files? How do file quotas get enforced? In each of these cases the answer probably relates to a specific File System Minifilter Driver.

In this post we’re going to gain an understanding of what File System Minifilter Drivers are and what they do. Along the way we’re going to touch on User Account Control (UAC), WIM Boot, SuperFetch, ReadyBoost, and Windows Defender.

File System Minifilter Drivers are drivers that attach to the filter manager in the I/O stack and, for the most part, either observe or modify the I/O Request Packets (IRPs)* that they’re interested in.

*Technically not just IRPs: also Fast I/O and FSFilter operations.

Start an elevated command prompt and run fltmc.exe. You should see something similar to this…

We’ll explain instances, altitude, and frames as we go. Altitude is especially important, so let’s start there.

Altitude

Assuming an attempt to read data from a file system, it wouldn’t be much good if an anti-virus minifilter tried to read the contents of an IRP before an encryption minifilter had the opportunity to decrypt it. To ensure this kind of thing doesn’t happen, minifilters are assigned a specific altitude by Microsoft. The assigned altitude sits within a range of altitudes that is specific to the function of the minifilter. For example, anti-virus minifilters are assigned an altitude between 320,000 and 329,999, and encryption minifilters an altitude between 140,000 and 149,999. A list of altitude ranges can be found here: (v=vs.85).aspx

Altitudes are processed in descending order for writes (so anti-virus is handled before encryption) and in ascending order for reads (so encryption is handled before anti-virus). More precisely, the filter manager calls each minifilter’s pre-operation callback from the highest altitude down towards the file system, and the post-operation callbacks back up in ascending order. On a write the anti-virus minifilter therefore sees the plaintext before the lower encryption minifilter encrypts it; on a read the data comes back up through the post-operation callbacks, so the encryption minifilter decrypts it before the anti-virus minifilter inspects it.

To properly understand instances, we need to first understand volumes in the context of the filter manager. From your elevated command prompt run fltmc volumes. Let’s take a look at some of the entries you probably have… Look at the Dos Name column and you’ll see whether any of these volumes have been assigned a drive letter.

The MUP is the Multiple UNC (Universal Naming Convention) Provider. MUP channels requests made in UNC format (e.g. \\server\share\file.ext) to the UNC provider for resolution. Acronyms within acronyms… Acronymception? More information can be found here: (v=vs.85).aspx

I’ve put MUP and NamedPipe together deliberately since they have their similarities. You may have used a NamedPipe to enable remote kernel debugging in WinDbg between two VMs. Take a look at this short article for more information:

Not all minifilter drivers are going to be interested in all these different volumes. From your elevated command prompt run fltmc instances. In this view you can see the mapping of minifilter drivers to volumes. For example, npsvctrig is only attached to \Device\NamedPipe. That makes sense when you consider that npsvctrig is the named pipe service trigger provider. One thing to note: the column SprtFtrs is short for Supported Features. It is a bit mask in which 1 means the instance supports offloaded reads and 2 means offloaded writes, so a value of 3 means the minifilter supports both read and write Offloaded Data Transfers (ODX). Running fltmc with no arguments from an elevated command prompt shows the total number of instances for each minifilter driver.

Frames and legacy drivers

From your elevated command prompt, run fltmc and look at the Frame column. Up until now I’ve called everything a minifilter driver, but that isn’t necessarily accurate. You may have legacy filter drivers installed that don’t use the minifilter model. Unfortunately legacy filter drivers don’t slot neatly into place based on their altitude. The filter manager has to work around them by creating multiple frames: points at which the filter manager attaches to a file system’s I/O stack so that it can load minifilters above and below the legacy drivers and the correct altitude ordering is maintained. The best explanation of this concept is available here: (v=vs.85).aspx

If you have legacy filters installed, contact the manufacturer to see if a newer minifilter is available, or if they at least have a transition to the minifilter model on their roadmap. Why are minifilters better? Check this out: (v=vs.85).aspx

Examples

Let’s take a look at some of the minifilters on a standard Windows 8.1 system and what they do.

Windows 8.1 runs Windows Defender by default as its anti-virus solution. WdFilter.sys is Windows Defender’s minifilter: the on-access scanning component that ensures files are scanned for malware before they are opened.
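As an added example (this is not code from the original post), the PowerShell script below ties the altitude and frames sections together: it parses the output of fltmc filters, labels each loaded minifilter with the load-order group its altitude falls into, lists the filters in the order their pre-operation callbacks see an I/O request, and warns if nothing is loaded in the anti-virus altitude range or if the filter manager is using more than one frame (the tell-tale of a legacy filter driver). Only the Anti-Virus and Encryption ranges come from the post; the other rows of the group table, the sample fltmc output, the -Live switch and the function names are my assumptions and should be checked against Microsoft’s published altitude table before being relied on.

```powershell
# Added example, not code from the original post.
# Parses "fltmc filters" output, labels each minifilter with its load-order
# group, and shows the pre-operation callback order (highest altitude first).
# Run with -Live from an elevated prompt to use the real command; otherwise a
# constructed sample resembling a Windows 8.1 host is parsed so it runs offline.
param([switch]$Live)

# Constructed sample in the layout fltmc prints. Values are typical, not captured.
$SampleFltmc = @'

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                3       328010         0
luafv                                   1       135000         0
npsvctrig                               1        46000         0
FileInfo                                3        45000         0
'@

# Load-order groups. Anti-Virus and Encryption are the ranges the post cites;
# the remaining rows are assumed from Microsoft's table and should be verified.
$LoadOrderGroups = @(
    @{ Group = 'FSFilter Activity Monitor'; Min = 360000; Max = 389999 }
    @{ Group = 'FSFilter Anti-Virus';       Min = 320000; Max = 329999 }
    @{ Group = 'FSFilter Encryption';       Min = 140000; Max = 149999 }
    @{ Group = 'FSFilter Virtualization';   Min = 130000; Max = 139999 }
    @{ Group = 'FSFilter Bottom';           Min =  40000; Max =  49999 }
    @{ Group = 'FSFilter System';           Min =  20000; Max =  29999 }
)

function Get-LoadOrderGroup {
    param([double]$Altitude)
    foreach ($g in $LoadOrderGroups) {
        if ($Altitude -ge $g.Min -and $Altitude -le $g.Max) { return $g.Group }
    }
    return 'unknown (not in this table)'
}

function ConvertFrom-FltmcFilters {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Data rows only: name, instance count, altitude (may carry a decimal part), frame.
        # The header and the dashed separator do not match this pattern.
        if ($line -match '^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\d+)\s*$') {
            $alt = [double]$Matches[3]
            [pscustomobject]@{
                Filter    = $Matches[1]
                Instances = [int]$Matches[2]
                Altitude  = $alt
                Frame     = [int]$Matches[4]
                Group     = Get-LoadOrderGroup -Altitude $alt
            }
        }
    }
}

$lines   = if ($Live) { fltmc.exe filters } else { $SampleFltmc -split "`r?`n" }
$filters = ConvertFrom-FltmcFilters -Lines $lines

# Pre-operation callbacks run from the highest altitude down to the file system;
# post-operation callbacks come back up in the opposite order.
'Pre-operation order (top of the stack first):'
$filters | Sort-Object Altitude -Descending |
    Format-Table Filter, Altitude, Frame, Instances, Group -AutoSize

# Two checks a practitioner would want on a host they are assessing.
$av = $filters | Where-Object { $_.Group -eq 'FSFilter Anti-Virus' }
if (-not $av) { Write-Warning 'No minifilter is loaded in the Anti-Virus altitude range.' }

$frames = @($filters | Select-Object -ExpandProperty Frame -Unique)
if ($frames.Count -gt 1) {
    Write-Warning ("Filter manager is using {0} frames; a legacy filter driver is probably present." -f $frames.Count)
}
```

On a real host, run it as .\Get-MinifilterOrder.ps1 -Live from an elevated prompt; without -Live it parses the embedded sample, which is useful for checking the parser before trusting it on output from an unfamiliar Windows build.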